Have you looked into Pulumi ESC? If you store the secret in Pulumi ESC, then you can reference it from GitHub Actions and in your Pulumi stack configuration (if desired/needed), but the secret remains in only one place (in ESC).
rich-whale-93740
01/09/2024, 4:54 PM
Thanks Scott. It would still be in two places: ESC and AWS Secrets Manager. For application owners who use those secrets, especially when something is not working, I guess having them in two places adds some complexity.
salmon-account-74572
01/09/2024, 4:58 PM
ESC can pull it from Secrets Manager, if you’d prefer to go that route.
salmon-account-74572
01/09/2024, 4:59 PM
So, secret in AWS Secrets Manager < ESC references that < GHA/Pulumi stack config/`esc` CLI tool all pull it from ESC (even using dynamic OIDC creds if you prefer)