Hi folks :smile: two questions - Does pulumi have ...
# getting-started
m
Hi folks 😄 two questions
• Does pulumi have a good way to manage cross-account AWS Secrets Manager secrets?
• Is Pulumi ESC mature enough for wide-scale production deployment?
  ◦ Aux question: how secure is Pulumi ESC?
• Third extra extra question - is this use case sane or insane?
  ◦ We're considering using Pulumi ESC Config to directly load config into AWS Secrets Manager and then allow cross-env IAM roles/identities access to it. Is that viable?
g
Does pulumi have a good way to manage cross-account AWS Secrets Manager secrets?
If you follow the OIDC docs to set up AWS Secrets Manager support, you can just rinse and repeat for roles on all your accounts, e.g.
```yaml
values:
  aws:
    # One OIDC login per account; each role ARN lives in a different AWS account.
    acct1:
      fn::open::aws-login:
        oidc:
          roleArn: arn:aws:iam::111111111:role/esc-oidc
          sessionName: pulumi-environments-session
    acct2:
      fn::open::aws-login:
        oidc:
          roleArn: arn:aws:iam::999999999:role/esc-oidc
          sessionName: pulumi-environments-session
    # Use a distinct key per account: YAML does not allow the same key
    # (e.g. `secrets:`) to appear twice in one mapping.
    secrets-acct1:
      fn::open::aws-secrets:
        region: us-west-1
        login: ${aws.acct1}
        get:
          api-key-acct1:
            secretId: api-key
    secrets-acct2:
      fn::open::aws-secrets:
        region: us-west-1
        login: ${aws.acct2}
        get:
          api-key-acct2:
            secretId: api-key
```
(or you can split into separate envs)