06/20/2018, 3:45 PM
We have planned to make this pluggable, so you can use AWS Secrets Manager, Vault, etc. for secrets management, but have not yet done so. Note that if you run `pulumi config set ... --secret`, we will encrypt that config value using KMS, and a stack-specific application key, and store the encrypted result instead of plaintext. This is clearly weaker than storing in one of the above systems and doing decryption as late as possible at runtime, with full auditing of all accesses, but it is good enough for some users and some classes of passwords, tokens, and the like. I couldn't find the work item on our side to make this pluggable, so just filed https://github.com/pulumi/pulumi/issues/1547. This has come up twice in the past 24 hours, so I suspect we'll want to get this on the roadmap (...which we'll be publishing next week, by the way.)