Quick security question about key management practices: So far my keys for GitHub actions deploys into AWS accounts/environments have just been manually added to GitHub Secrets and used as environment variables for Pulumi's action to deploy with. It occurred to me that it would be possible to store those secrets as Pulumi config secrets. Is that considered a safe approach?
02/27/2020, 11:18 PM
By storing your credentials in Pulumi configuration, you are essentially trusting us (Pulumi) with that data. We use AWS KMS to encrypt these secrets, and use a different key for every stack, etc. So we certainly believe you can trust us 🙂
But your organization might instead want more control over how that sensitive data is stored. Perhaps using your own secret store, that Pulumi doesn’t have access to. (You can set things up so that Pulumi only stores the cipher text, but the actual decryption will be handled by some other mechanism you control.)
So storing the secrets in your Pulumi config and not on GitHub isn’t any more or less secure; it’s just different. And if, say, GitHub were to get hacked, the Pulumi access token used in GitHub Actions could be used to retrieve the secret from Pulumi. But the same is true if you needed to store some credential to some different secrets manager.
Does that make sense? Unfortunately there aren’t any great options; you ultimately need to trust your CI/CD provider with really sensitive data. But by storing the sensitive data with Pulumi it is more convenient, because it’s one fewer piece of data to pass around. But it isn’t any more (or less) secure.
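As an added illustration of the trade-off described in this thread (not a workflow from the original post or from Pulumi), here is a GitHub Actions deploy where the only secret GitHub holds is the Pulumi access token, and the AWS credentials live in the stack's config as Pulumi secrets. The stack name, the `aws:accessKey` value and the KMS alias in the comments are assumed placeholders.

```yaml
# Added example: GitHub holds one credential (the Pulumi access token);
# the AWS deploy credentials are stored once in stack config as secrets:
#   pulumi config set aws:accessKey AKIA_PLACEHOLDER          # placeholder
#   pulumi config set --secret aws:secretKey 'SECRET_PLACEHOLDER'
# The Pulumi AWS provider reads aws:accessKey / aws:secretKey from config,
# so the program itself does not change.
#
# If your organisation wants Pulumi to hold only ciphertext, create the
# stack with a customer-managed key instead of the default provider:
#   pulumi stack init my-org/my-project/prod \
#     --secrets-provider="awskms://alias/pulumi-secrets"     # assumed alias
# The runner then needs a credential allowed to call KMS Decrypt, and that
# bootstrap credential still has to live in GitHub Secrets, which is the
# point made above: the CI provider always ends up trusted with something.
name: deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumes a Python Pulumi program; swap for your runtime's setup steps.
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install -r requirements.txt
      - uses: pulumi/actions@v5
        with:
          command: up
          stack-name: my-org/my-project/prod   # assumed stack name
        env:
          # The single secret trusted to GitHub. Whoever holds it can read
          # the stack's decrypted config, so scope it to this org/stack and
          # rotate it on the same schedule as the AWS keys it protects.
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
```

Compared with the original setup in the question, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` no longer appear as GitHub Secrets or environment variables; the exposure moves to the Pulumi access token rather than disappearing.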