# aws
r
Hey all, my team is new to IaC in general and we were wondering how you deal with leveraging Pulumi and protecting passwords/secrets in AWS before deploying the code.
s
You mean like your IAM users' access keys?
Or do you mean secrets related to the infrastructure you are deploying with Pulumi (e.g. an RDS DB password)?
r
Yes, IAM user access keys, secrets, passwords, DB usernames and passwords. With AWS, best practice is to leverage Parameter Store or Secrets Manager. How is this handled with Pulumi?
s
For the latter, read up on how Pulumi handles secrets: https://www.pulumi.com/docs/intro/concepts/secrets/ The big takeaway is that they are not stored in your state file unencrypted. You can also store or retrieve values from SSM/secret store even if you did not use Pulumi to create them in the first place.

For access keys for the IAM users (who are running `pulumi deploy`), SSO is best b/c you get short-term leased credentials via `aws sso login`. If you have to use IAM users with access keys, some tips:

1. Never put access keys (or any other secret) in anything that goes in source control. Use env vars.
2. First choice should be to have Pulumi run through a CI/CD pipeline, but if you can't or aren't ready to do that and need IAM users to run `pulumi deploy`, use a hub-and-spoke model where low-priv users assume high-priv roles (you typically need FullAdmin to run Pulumi or any non-CF IaC tool b/c the API calls to create infra are made from your local machine).
3. Make sure you rotate your access keys regularly.
I'd recommend that your first choice should be to use the secrets capabilities within Pulumi itself, then use SSM/Secrets Manager if that doesn't work for you.
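A small check for the "never commit secrets" tip above, added here as an example and not code from the thread or from Pulumi: it parses the flat `config:` section of a `Pulumi.<stack>.yaml` with the standard library only and flags values that were set without `--secret` (i.e. not stored under `secure:`) but look like an AWS access key ID or carry a secret-sounding name. The sample stack file and the key-name hints are constructed assumptions.

```python
import re

# AWS access key IDs: AKIA = long-term IAM user key, ASIA = temporary STS key.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Key-name fragments that usually mean the value should have been set with --secret (assumed list).
SECRET_NAME_HINTS = ("password", "secret", "token", "accesskey", "apikey")
# "key: value" or bare "key:" (keys themselves contain ':' e.g. aws:region, so match non-greedily).
KEY_VALUE = re.compile(r"^(.*?):(?:\s+(.*))?$")

def parse_stack_config(text):
    """Parse the flat 'config:' section of a Pulumi.<stack>.yaml into
    {key: (value, is_secure)}. Handles the plain and 'secure:' forms that
    `pulumi config set` writes; nested object values are out of scope."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "config:":
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "secure" and current is not None:
            entries[current] = (value, True)  # ciphertext written by `pulumi config set --secret`
        else:
            entries[key] = (value, False)
            current = key
    return entries

def find_plaintext_secrets(text):
    """Return config keys whose value sits in the stack file unencrypted and
    either looks like an AWS access key ID or has a secret-sounding name."""
    flagged = []
    for key, (value, is_secure) in parse_stack_config(text).items():
        if is_secure:
            continue
        name = key.rsplit(":", 1)[-1].lower().replace("_", "").replace("-", "")
        if AWS_KEY_ID.search(value or "") or any(h in name for h in SECRET_NAME_HINTS):
            flagged.append(key)
    return sorted(flagged)

# Constructed sample stack file; the key ID is a placeholder, not a real credential.
SAMPLE_STACK_CONFIG = """\
config:
  aws:region: us-east-1
  myapp:dbUsername: appuser
  myapp:dbPassword:
    secure: v1:CONSTRUCTED-CIPHERTEXT
  myapp:deployerId: AKIAXXXXXXXXXXXXXXXX
  myapp:smtpPassword: hunter2
"""

if __name__ == "__main__":
    for key in find_plaintext_secrets(SAMPLE_STACK_CONFIG):
        print(f"plaintext secret in stack config: {key}")
```

Run it as a pre-commit hook over every `Pulumi.*.yaml` in the repo; a non-empty result means something was set with `pulumi config set` instead of `pulumi config set --secret` (or belongs in SSM/Secrets Manager).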
r
Thank you!
s
You're most welcome and I hope you have a smooth and pleasant experience using the product!
v
We use SSO for deploying locally to sandbox and dev envs and CI pipelines in higher envs and it works a treat. We use GitHub actions so we use environments config so that only main can deploy past dev and it works really well for us. Feel free to message me if you have any questions!
r
Okay. Thank you