Hey all, my team is new to IaC in general and we w...
# aws
Hey all, my team is new to IaC in general and we were wondering how you deal with with leveraging Pulumi and protecting passwords/Secrets in AWS before deploying the Code
You mean like your IAM users' access keys?
Or do you mean secrets related to the infrastructure you are deploying with Pulumi (e.g. an RDS DB password)?
Yes, IAM user access keys, secrets, passwords, db username and passwords..with AWS, best practice is to leverage parameter store or secrets manager...How is this handled with Pulumi?
For the latter, read up on how Pulumi handles secrets: https://www.pulumi.com/docs/intro/concepts/secrets/ The big takeaway is that they are not stored in your state file unencrypted. You can also store or retrieve values from SSM/secret store even if you did not use Pulumi to create them in the first place. For access keys for the IAM users )who are running `pulumi deploy`_, SSO is best b/c you get short-term leased credentials via
aws sso login
. If you have to use IAM users with access keys, some tips: 1. Never put access keys (or any other secret) in anything that goes in source control. Use env vars. 2. First choice should be to have Pulumi run through a CI/CD pipeline, but if you can't or aren't ready to do that and need IAM users to run
pulumi deploy
, use a hub-and-spoke model where low-priv users assume high-priv roles (you typically need FullAdmin to run Pulumi or any non-CF IaC tool b/c the API calls to create infra are made from your local machine) 3. Make sure you rotate your access keys regularly
I'd recommend that your first choice should be to use the secrets capabilities within Pulumi itself, then use SSM/Secrets Manager if that doesn't work for you.
Thank you!
You're most welcome and I hope you have a smooth and pleasant experience using the product!
We use SSO for deploying locally to sandbox and dev envs and CI pipelines in higher envs and it works a treat. We use GitHub actions so we use environments config so that only main can deploy past dev and it works really well for us. Feel free to message me if you have any questions!
Okay. Thank you
👍 1