
colossal-room-15708

06/27/2019, 1:37 AM
Is there a way to use secrets from AWS Secrets Manager or Systems Manager Parameter Store? If a customer already manages their secrets in either of them, duplicating the secrets inside of Pulumi wouldn't be a great UX, but I'd also love to avoid a scenario where Pulumi would get the secrets but then store them in clear text in state (something that Terraform likes to do).

white-balloon-205

06/27/2019, 5:49 AM
You can do this today by using the AWS SDK to read secrets, then using pulumi.secret to ensure those values get encrypted in the state file. See https://blog.pulumi.com/managing-secrets-with-pulumi for details on the latter. Note that this is something that goes beyond what Terraform currently supports. We are also considering making some of this more first-class, so that you could pull configuration values directly from Secrets Manager or other cloud secrets stores instead of from Pulumi config. We’re tracking that in https://github.com/pulumi/pulumi/issues/1547. But it should be possible to do this already manually today.