
hundreds-coat-15657

06/12/2019, 2:32 PM
Hey all... my team is evaluating using Pulumi Teams. I was trying to find more documentation/info regarding the Pulumi cloud console. I was wondering, how does the console manage/handle AWS keys/secrets (if it does store AWS keys)? Thanks!

narrow-area-11460

06/12/2019, 2:34 PM
https://blog.pulumi.com/managing-secrets-with-pulumi -- should answer all your questions.

hundreds-coat-15657

06/12/2019, 2:36 PM
Thanks @narrow-area-11460! So if I'm reading this correctly, the Pulumi console CAN store AWS/cloud credentials, but they are encrypted/hashed, or other protections are applied to them?

white-balloon-205

06/12/2019, 2:37 PM
The Pulumi console does not need your AWS credentials. All of your deployments to AWS are done in the environments where you run the pulumi CLI - typically your CI/CD or deployment systems (or developer desktops). These credentials are used to talk to AWS, but never passed to Pulumi. The Pulumi console manages storage of the state file used to keep track of what resources are under management. Any secrets that may end up there (inputs or outputs to individual resources) can be fully encrypted as needed per the post @narrow-area-11460 references.

narrow-area-11460

06/12/2019, 2:44 PM
@hundreds-coat-15657 -- encryption is built in to the Pulumi service, yes. I do not believe you need to bring your own custom key at this point for encryption? Did I understand that right?

hundreds-coat-15657

06/12/2019, 2:45 PM
@white-balloon-205 that makes sense, thanks. So the TL;DR is Pulumi doesn't store creds directly, but if creds are passed to the Pulumi state files that end up on Pulumi's servers, those creds can be encrypted as needed.

narrow-area-11460

06/12/2019, 2:51 PM
As @white-balloon-205 said, AWS creds are not passed to the service and are not stored in the service. But if you pass a "secret" as part of the local configuration from the CLI, then it is encrypted, and this "secret" can be used in your Pulumi program to create resources in the cloud.
If you look through the example in the blog, this will make sense.