# general
c
Anyone have guidance on how to combine a system like AWS Secrets Manager with Pulumi? Currently I'm using `Config.requireSecret` to create k8s secrets from Pulumi's config store, eg for my database password. But Secrets Manager's code samples suggest having apps retrieve secrets directly from Secrets Manager. I'm also thinking that rather than using `Config.requireSecret` my Pulumi code could fetch credentials from Secrets Manager and use those to create the k8s secrets...?
b
lots of options here, putting secrets in Secrets Manager is a good idea.
• you can still store the secret in Pulumi config
• You would then store that secret in secrets manager using `SecretVersion`: https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/secretversion/
• you can also take the Output from your Pulumi database creation and store it directly, instead of ever storing it in config
• you then need to get that secret into your app, which is up to you. Depends on how you're running your application, are you using ECS or something else?
I can maybe put an example together for you using something like wordpress if that helps?
c
An example would be super helpful 🙂 Re: "how are you running your app" it's primarily going to be running on EKS, though I expect we might end up with some vanilla EC2 instances as well, at least when doing testing and dev.
Regarding using SecretVersions - it sounds like in that case the secret starts off in Pulumi's config and then is put in SM. I was thinking of using SM as the canonical/originating source for secrets, because it also solves the problem of having a system that people can look at to see what the secrets are - eg if I need to give an engineer the database credentials so they can connect locally. Secrets could still go into Pulumi's config for doing Pulumi things, but the canonical home would be SM. Though I don't know if that's a good idea.
Oh I just remembered that Pulumi's config files are encrypted and get checked into Git. So the secrets could safely start off in Pulumi and then be put in SM...
b
@crooked-laptop-67565 something I often advocate for in these situations is using pulumi-random to generate a password per stack, storing that in secrets manager and then having users who need that password grab it from there or from the Pulumi stack output, as it'd be audited that way
c
Oh I like that idea