# getting-started
s
Hi Pulumi team, I'm trying to have my ESC secrets synced with GCP Secrets Manager. I looked into https://github.com/pulumi/esc-examples/tree/main/sync/gcp-secrets-manager but it seems some fundamental info is missing from the README.
1. I'm supposed to provide a GitHub repo where it can pull the target source files from? How do I grant Pulumi access to this repo? Also, what should this repo look like?
2. sourceContext seems to reference main with a repoDir of sync/target? This does not match the example (it would be sync/gcp-secrets-manager/target if I just forked the repo)
sourceContext: {
    git: {
        branch: "main",
        repoDir: "sync/target",
    },
},
3. How do I give Pulumi access to GCP Secrets Manager? Is it assumed that I have some GCP access token set somewhere? Forgive me if this is documented somewhere and I am simply missing a well-documented tutorial somewhere... We're considering being a paid customer, so I appreciate the support!
r
Hi! I wrote those examples, so hopefully I can point you in the right direction - but I have some questions first. Are you trying to sync your secrets to GCP? So like, you define them in ESC but you want them pushed into GCP? Or do you want to access your GCP secrets from within ESC?
s
I define them in ESC and want them sent to GCP
Have ESC be my source of truth
r
Right on! Okay, then the examples you're looking at are the right thing, but it's very possible there are some bugs in there. You'd clone your specific example into a repo, and then you can give Pulumi access to the repo either by configuring the github integration for your org and giving it access to the repo, or by using raw git authentication for Pulumi Deployments. Generally, the idea for sync is to have your environment pulled in as configuration into a Pulumi IaC stack, and then create the necessary secrets in the stack. The examples use pulumi deployments and schedules to achieve this, but you could achieve the same even if you use a different CICD system.
s
So if I understand correctly, I need to basically create my own "job" that pulls from ESC and sends it to GCP Secrets Manager. The example given is simply showing how that could be implemented if I used Pulumi's own environment as the "job" runner?
r
yeah... do you use pulumi to manage your infrastructure as well? or are you only interested in ESC?
s
Forgive me but that sounds like we have to build the solution and Pulumi is simply the host that runs the solution we build. Your marketing claims a straightforward integration with secrets managers like GCP but I wouldn't call this a pre-built integration at all.
An integration by the common definition would be us authorizing Pulumi to access our GCP secrets environment and after that Pulumi would maintain the integration.
I appreciate your help but I am disappointed the "integration" is simply an SDK that we still need to integrate ourselves.
r
An integration by the common definition would be us authorizing Pulumi to access our GCP secrets environment
Currently, the "on the rails" integration is the other way around. If your secrets are defined in GCP, they can easily be accessed by ESC via an internal integration. The esc -> gcp direction is less on-the-rails, and something we intend to support first class in the long term, but the interim solution does require some work. FWIW, this is what I am referring to as the "integration", which fetches from GCP -> ESC: https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/gcp-secrets/ And this is an exploration of a possible way to support ESC -> GCP in the absence of it being internally supported: https://www.pulumi.com/blog/esc-sync-with-iac/
s
Okay. I appreciate you taking the time in understanding what my expectation was.
The GCP > ESC route does seem more "on the rails" like you mentioned. That is a good way to put it.
r
Yep, definitely appreciate your feedback. I've raised it with the team internally.
s
Appreciate it 🙂 I'll come up with a custom solution for now. If anything you helped me confirm that I'm not missing something