05/07/2021, 8:05 PM
Hey folks, I am interested in evaluating Pulumi for my organization, but have a question surrounding provider credentials. In my ideal workflow I would like to provision a very capable IAM role for Pulumi but prevent those credentials from being used/abused outside of the Pulumi plan/apply workflow. Does anyone know if there is a simple way to provide a remote-run/remote-execute environment for Pulumi? Or any way to shield/hide these powerful provider credentials? Thanks in advance! 🙏


05/09/2021, 9:26 PM
Not within Pulumi. There are probably many AWS-specific solutions. For example, you could provide the permissions only via an assumable role, and put a condition on the assumeRolePolicy for the role that limits it to being assumed only from a single, well-protected EC2 instance.
Generally, the security around access keys and secrets is considered enough for most use cases. If you need additional security in depth, then AWS allows access to roles to be restricted in lots of ways, including source IP address, MFA, account of assuming user, etc.


05/13/2021, 4:12 PM
Broadly I would expect to run the sensitive deployments from my CI build environment, and those provide various means to protect secrets/keys for use with build pipelines. Pragmatically, it's straightforward to run Pulumi in Azure DevOps, or GitHub, or CircleCI, all of which would amount to "remote run" environments.