If you use the service as your secret manager, then yes, it's not an issue.
great-sunset-355
03/08/2022, 10:12 AM
We have a multi-account setup and each account has a specific kms cmk and use aws-vault for sessions so all my pulumi commands are either prefixed with aws-vault exec or I run the vault in the shell.
We do not have CI/CD yet and I see the benefit of different KMS keys as an extra layer of protection against human error.
But if you are going to use Pulumi service only for secrets instead of storing the state (I think)
https://www.pulumi.com/docs/intro/concepts/secrets/#secrets
it is possible to have distinct kms keys, but you need to assume role and grab temporary credentials, and it's very finicky.
again, this is where the service comes into effect because it removes all the management overhead here
you can't use the service only for storing secrets