What are some good practices on managing secrets via AWS Secrets Manager? If we go with IaC (i.e. Pulumi), we can perhaps start with adding the secret in GitHub Actions secrets, and create those Secret resources including the secret strings via Pulumi. But that adds complexity because the same secret is now in multiple places (GitHub and AWS). But I also want to avoid manually managing secrets via the AWS Console.
01/09/2024, 4:52 PM
Have you looked into Pulumi ESC? If you store the secret in Pulumi ESC, then you can reference it from GitHub Actions and in your Pulumi stack configuration (if desired/needed), but the secret remains in only one place (in ESC).
01/09/2024, 4:54 PM
Thanks Scott. It would still be in two places: ESC and AWS Secrets Manager. For application owners who use those secrets, especially when something is not working, I guess having them in two places adds some complexity.
01/09/2024, 4:58 PM
ESC can pull it from Secrets Manager, if you’d prefer to go that route.
So, secret in AWS Secrets Manager < ESC references that < GHA/Pulumi stack config/`esc` CLI tool all pull it from ESC (even using dynamic OIDC creds if you prefer)