07/11/2021, 8:17 AM
Hi, I've recently started seeing several organizations working with Pulumi. It's great to see the ease of use and how much power they have when writing code. As a security professional I have some questions and issues I am trying to figure out on best practices for working with Pulumi. As it is executing the code, which is the way the framework works, and if I want to run it in my CI with "pulumi preview" and CrossGuard, how can I prevent a malicious user from writing code that will steal my secrets? I tried looking in the documentation and found nothing about the secure way to use Pulumi. Thanks in advance, Rotem


07/11/2021, 3:32 PM
Hi Rotem, As with everything security related, layering is obviously important 🙂 In Pulumi specifically, the secrets themselves are encrypted both in your stack configuration and throughout your state. You can check this by setting a secret with `pulumi config set my-secret "correct-horse-battery-stable" --secret` and then exporting your state with `pulumi state export`.
You have some options for secret encryption: you can either use the Pulumi provider key (which is unique to your org/user) or you can use a secrets provider like Amazon KMS, which of course then allows you to put key policies on those keys as well. There's more information here: Happy to answer any other questions though!