Does Pulumi work with or provide access to aws secrets manager in any way?

You can create a

new aws.secretsmanager.Secret

and then use AWS APIs on secrets manager to decrypt secrets when needed. This will manages secrets at a different level than Pulumi's config system secrets.

Thanks for the input. Thing is that Pulumi's config secrets aren't really secret as they are plain text env vars on the lambdas.