Skip to content
This repository was archived by the owner on Jul 10, 2026. It is now read-only.

pulumi/esc

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

331 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Important

The standalone esc CLI has been retired, and this repository is no longer maintained.

Pulumi ESC is not going away. It now ships as part of the Pulumi CLI, and its source lives in pulumi/pulumi. Install the Pulumi CLI from pulumi.com/docs/install, then use pulumi env in place of esc:

  • esc env <command> becomes pulumi env <command> — for example, esc env ls becomes pulumi env ls.
  • esc open and esc run become pulumi env open and pulumi env run.
  • esc login and esc logout become pulumi login and pulumi logout.

v0.26.0 is the final standalone release. Existing binaries keep working, but receive no further updates, including security fixes. Please file issues and pull requests against pulumi/pulumi.

Secrets Management for Multi-Cloud Environments

Pulumi ESC is a centralized secrets management & orchestration service that makes it easy to tame secrets sprawl and configuration complexity securely across all your cloud infrastructure and applications. You can pull and sync secrets with any secrets store – including HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, 1Password, and more – and consume secrets in any application, tool, or CI/CD platform.

Pulumi ESC simplifies the adoption of dynamic, on-demand secrets as a best practice. It leverages Pulumi Cloud identity, RBAC, Teams, SAML/SCIM, OIDC, and scoped access tokens used for Pulumi IaC to ensure secrets management complies with enterprise security policies. Every time secrets or configuration values are accessed or changed with Pulumi ESC, the action is fully logged for auditing. So you can trust (and prove) your secrets are secure. Pulumi ESC makes it easy to eliminate the need for developers to copy and paste secrets and store them in plaintext on their computers. Developers can easily access secrets via CLI, API, Kubernetes operator, the Pulumi Cloud UI, and in-code with Typescript/Javascript, Python, and Go SDKs.

Be sure to check out the Pulumi ESC explainer video.

Table of contents

Pulumi ESC Demo

Pulumi ESC not only works great for your applications and IaC, including Pulumi IaC, but it also makes your day-to-day developer workflow much more secure and streamlined. For example, the Pulumi CLI allows you to give your developers immediate, just-in-time authenticated, and short-lived access to cloud credentials across any cloud provider with just a single command: pulumi env run aws-staging -- aws s3 ls.

In this example, an ESC environment named aws-staging has all the necessary staging environment configuration and OIDC setup to connect to AWS. Running this command opens up a temporary environment and executes the aws s3 ls command in that environment. The temporary AWS credentials are not stored anywhere, making them secure and also allowing you to switch between different environments dynamically.

Pulumi's open source secrets management solution overview

Pulumi ESC is also offered as a managed service as part of Pulumi Cloud, and this repo contained the implementation of the following key components of the ESC open source secrets and configuration management solution, both of which now live in pulumi/pulumi:

  1. The esc CLI: A CLI tool for managing and consuming environments, secrets and configuration using Pulumi ESC. It is now the pulumi env command.
  2. The Pulumi ESC evaluator: The core specification and implementation of the document format for defining environments, and the syntax and semantics for evaluating environments to produce a set of configuration and secrets.

Getting Started with Pulumi ESC

For a hands-on, self-paced tutorial see our Pulumi ESC Getting Started to quickly get up and running.

Download and Install Pulumi ESC

Pulumi ESC ships as part of the Pulumi CLI. Install it by running the following (see full installation instructions for additional installation options):

$ curl -fsSL https://get.pulumi.com/ | sh

Then use the pulumi env command:

$ pulumi env ls

The retired standalone esc CLI can still be installed with curl -fsSL https://get.pulumi.com/esc/install.sh | sh, but it is frozen at v0.26.0 and receives no further updates.

Building the ESC CLI Locally

The ESC CLI and evaluator are built from pulumi/pulumi. See that repository's contributing guide for build instructions.

How Pulumi ESC Works

Pulumi ESC: Open source secrets management overview

  1. Pulumi ESC enables you to define environments, which are collections of secrets and configuration. Each environment can be composed from multiple environments.
  2. Pulumi ESC supports a variety of configuration and secrets sources, and it has an extensible plugin model that allows third-party sources.
  3. Pulumi ESC has a rich API that allows for easy integration. Every value in an environment can be accessed from any execution environment.
  4. Every environment can be locked down with RBAC, versioned, and audited.

Why Pulumi ESC?

Pulumi ESC was designed to address a set of challenges that many infrastructure and application development teams face in managing configuration and secrets across their various environments:

  • Stop secret sprawl: Pull and sync secrets and configuration with any secrets store – HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, 1Password, and more – and consume in any application, tool, or CI/CD platform.
  • Trust (and prove) your secrets are secure: Adopt dynamic, short-lived secrets on demand as a best practice. Lock down every environment with RBAC, versioning, and a full audit log of all changes.
  • Ditch .env files: No more copying-and-pasting secrets or storing them in plaintext on dev computers. Developers can easily access secrets via CLI, API, Kubernetes operator, the Pulumi Cloud UI, and SDKs.
  • Use with or without Pulumi IaC: Use Pulumi ESC independently, or use with Pulumi IaC to support storing secrets in config in a more secure way than using plaintext.

Pulumi ESC was born to address these problems and needs head on with the following features.

Pulumi ESC Features

  • Centralized secrets management: Access, share, and manage confidential information such as secrets, passwords, and API keys as well as configuration information such as network settings and deployment options.
  • Secrets orchestration: Pull and sync configuration and secrets from any secrets store and consume in any application, tool, or CI/CD platform.
  • Composable environments: Environments support importing one into another, allowing for easy composability and inheritance of shared secrets and configuration.
  • Versionable: Every change to an environment as well as any of its secrets and configuration is versioned, so rolling back or accessing an old version is easy.
  • Role-based access control (RBAC): Role-based access controls (RBAC) makes it easy to secure your secrets and configurations by assigning permissions to users based on their role within your organization.
  • Dynamic Secrets: Generate just-in-time, short-lived credentials that revoke access when the lease expires.
  • Audit Logging: All actions taken on environments, secrets, or configuration values are fully logged for auditing.
  • Developer-friendly: Developers can easily access secrets via CLI, API, Kubernetes operator, the Pulumi Cloud UI, and in-code with Typescript/Javascript, Python, and Go SDKs.

Community

  • Join us in the Pulumi Community Slack to connect with our community and engineering team and ask questions. All conversations and questions are welcome.
  • Send us a tweet via @PulumiCorp
  • Watch videos and workshops on Pulumi TV

Resources

About

Pulumi ESC is a centralized, secure service for environments, secrets, and configuration management, optimized for multi-cloud infrastructures and applications.

Topics

Resources

License

Contributing

Security policy

Stars

285 stars

Watchers

15 watching

Forks

Packages

 
 
 

Contributors

Languages