No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

How do people rotate their tokens in thrird-party services?

image.png

Hi Raphael :wave:

While not yet documented, we have recently included support for random password and passphrase rotators which can help to support secrets rotation on services not natively supported by ESC.

You can use the `table view`  select `rotator config` and then `memorable passphrase` or `random passsword`  as rotator.

Also, from the `Document View`
```    fn::rotate::password:
      inputs:
        overrideSpecial: "!@#$%&amp;*()-_=+[]{}&lt;&gt;:;"
        minSpecial: 4
        minUpper: 3
        minLower: 2
        length: 15```
```   fn::rotate::passphrase:
      inputs:
        capitalize: true
        length: 4```

Do I understand it correctly, that this applies to passwords generated by ESC?

This does apply to passwards managed by ESC. Is your question how do you rotate secrets owned by third parties such as other Saas?  Each of those services has their own mechanism, sometimes they allow for automation and sometimes they allow only manual rotation. If the service allows for automated rotation and you would like us to consider integrating, please feel free to add a ticket <https://github.com/pulumi/esc/issues|here>.

Yes, I'm talking about tokens generated by third party services.
I have about 20 `secure` entries in my Pulumi.$stack.yaml, mostly tokens generated by third-party services, and it's a small company.
A few of them _requires_ regular rotation, but anyway all of them _should_ be rotated, and most of them has an API for it.

The only thing I found is keydra, but it doesn't look like it has any adoption or repo traffic