No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

What are some good practices on managing secrets via AWS Secret Manager? If we go with IaC (i.e. Pulumi), we can perhaps start with adding the secret in GitHub Action secrets, and create those Secret resource including the secret strings via Pulumi. But that adds complexity because same secret is now in multiple places (GitHub and AWS). But I also want to avoid manually managing secrets via AWS Console.

Any suggestion?

Have you looked into Pulumi ESC? If you store the secret in Pulumi ESC, then you can reference it from GitHub Actions and in your Pulumi stack configuration (if desired/needed), but the secret remains in only one place (in ESC).

Thanks Scott. It would still be in two places: ESC and AWS Secret Manager. For application owner who use those secrets, especially when something is not working, I guess having them in two places add some complexity

ESC can pull it from Secrets Manager, if you’d prefer to go that route.

So, secret in AWS Secrets Manager &lt; ESC references that &lt; GHA/Pulumi stack config/`esc` CLI tool all pull it from ESC (even using dynamic OIDC creds if you prefer)