https://pulumi.com logo
#getting-started
Title
# getting-started
m

magnificent-soccer-44287

12/16/2023, 2:48 PM
Hi folks 😄 two questions • Does pulumi have a good way to manage cross-account AWS Secrets Manager secrets? • Is Pulumi ESC mature enough for wide-scale production deployment? ◦ Aux question: how secure is Pulumi ESC • Third extra extra question - is this use case sane or insane? ◦ We're considering using Pulumi ESC Config to directly load config into AWS Secrets Manager and then allow cross-env IAM roles/identities access to it. Is that viable?
g

gifted-balloon-26385

12/16/2023, 7:20 PM
Does pulumi have a good way to manage cross-account AWS Secrets Manager secrets?
if you follow the OIDC docs to set up AWS secrets manager support, you can just rinse and repeat for roles on all your accounts, eg
Copy code
aws:
  acct1:
    fn::open::aws-login:
      oidc:
        roleArn: arn:aws:iam::111111111:role/esc-oidc
        sessionName: pulumi-environments-session
  acct2:
    fn::open::aws-login:
      oidc:
        roleArn: arn:aws:iam::999999999:role/esc-oidc
        sessionName: pulumi-environments-session
  secrets:
    fn::open::aws-secrets:
      region: us-west-1
      login: ${aws.acct1}
      get:
        api-key-acct1:
          secretId: api-key
    fn::open::aws-secrets:
      region: us-west-1
      login: ${aws.acct2}
      get:
        api-key-acct2:
          secretId: api-key
(or you can split into separate envs)