# aws

rich-whale-93740

01/08/2024, 11:56 PM
What are some good practices for managing secrets via AWS Secrets Manager? If we go with IaC (i.e. Pulumi), we can perhaps start by adding the secret to GitHub Actions secrets, and create those Secret resources, including the secret strings, via Pulumi. But that adds complexity because the same secret is now in multiple places (GitHub and AWS). I also want to avoid manually managing secrets via the AWS Console. Any suggestions?

limited-rainbow-51650

01/09/2024, 11:58 AM
If you are using our Pulumi Cloud, have a look at Environments, Secrets & Configuration (ESC), which we launched last October. One of the supported secrets providers reads secrets from AWS Secrets Manager into an environment; you then link that environment to one or more stacks. https://www.pulumi.com/docs/pulumi-cloud/esc/providers/aws-secrets/

rich-whale-93740

01/09/2024, 4:34 PM
Thanks Ringo! How about the other way around: we want to allow users to create/update secrets somewhere in Pulumi (or somewhere Pulumi can read from) and sync them to AWS Secrets Manager?

limited-rainbow-51650

01/09/2024, 4:36 PM
@rich-whale-93740 in that case, you create a Pulumi program and add `aws.secretsmanager.Secret` resources to it. Once you have the code, you create one or more stacks from it. https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/secret/

rich-whale-93740

01/09/2024, 4:47 PM
Where would we place the secret for Pulumi to read from?

limited-rainbow-51650

01/09/2024, 6:07 PM
You could use our Random provider and use the generated values as the secrets to store in AWS Secrets Manager.