What are some good practices on managing secrets v...
# aws
What are some good practices on managing secrets via AWS Secrets Manager? If we go with IaC (i.e. Pulumi), we can perhaps start with adding the secret to GitHub Actions secrets, and create those Secret resources, including the secret strings, via Pulumi. But that adds complexity because the same secret is now in multiple places (GitHub and AWS). But I also want to avoid manually managing secrets via the AWS Console. Any suggestions?
If you are using our Pulumi Cloud, have a look at Environments, Secrets & Configuration (ESC), which we launched last October. One of the supported secrets providers reads secrets from AWS Secrets Manager into an environment, which you then link to one or more stacks. https://www.pulumi.com/docs/pulumi-cloud/esc/providers/aws-secrets/
Thanks Ringo! How about the other way around: we want to be able to allow users to create/update secrets somewhere in Pulumi (or somewhere that can be read by Pulumi) and sync them to AWS Secrets Manager?
@rich-whale-93740 in that case, you create a Pulumi program and add `aws.secretsmanager.Secret` resources to it. Once you have the code, you create one or more stacks from it. https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/secret/
Where would we place the secret for Pulumi to read from?
You could use our Random provider and use the generated values as the secrets to store in AWS Secrets Manager.