No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

We have planned to make this pluggable, so you can use AWS Secrets Manager, Vault, etc. for secrets management, but have not yet done so.  Note that if you run `pulumi config set ... --secret`, we will encrypt that config value using KMS, and a stack-specific application key, and store the encrypted result instead of plaintext.  This is clearly weaker than storing in one of the above systems and doing decryption as late as possible at runtime, with full auditing of all accesses, but it is good enough for some users and some classes of passwords, tokens, and the like.

I couldn't find the work item on our side to make this pluggable, so just filed <https://github.com/pulumi/pulumi/issues/1547>.  This has come up twice in the past 24 hours, so I suspect we'll want to get this on the roadmap (...which we'll be publishing next week, by the way.)