This message was deleted.
# general
s
This message was deleted.
l
If you use the service as your secret manager, then yes, it's not an issue.
👍 1
g
We have a multi-account setup and each account has a specific
kms cmk
and use
aws-vault
for sessions so all my pulumi commands are either prefixed with
aws-vault exec
or I run the vault in the shell. We do not have CI/CD yet and I see the benefit of different KMS keys as an extra layer of protection against human error. But if you are going to use Pulumi service only for secrets instead of storing the state (I think) https://www.pulumi.com/docs/intro/concepts/secrets/#secrets
e
b
it is possible to have distinct kms keys, but you need to assume role and grab temporary credentials, and it's very finicky. again, this is where the service comes into effect because it removes all the management overhead here you can't use the service only for storing secrets