Skip to content

Pulumi ESC

Pulumi ESC

Sync environments, configs and secrets from Pulumi ESC to Kubernetes using the External Secrets Operator.

Authentication

Pulumi Access Tokens are recommended to access Pulumi ESC.

Creating a SecretStore

A Pulumi SecretStore can be created by specifying the organization and environment and referencing a Kubernetes secret containing the accessToken.

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secret-store
spec:
  provider:
    pulumi:
      organization: <NAME_OF_THE_ORGANIZATION>
      environment: <NAME_OF_THE_ENVIRONMENT>
      accessToken:
        secretRef:
          name: <NAME_OF_KUBE_SECRET>
          key: <KEY_IN_KUBE_SECRET>

If required, the API URL (apiUrl) can be customized as well. If not specified, the default value is https://api.pulumi.com.

Referencing Secrets

Secrets can be referenced by defining the key containing the JSON path to the secret. Pulumi ESC secrets are internally organized as a JSON object.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: secret
spec:
  refreshInterval: 20s
  secretStoreRef:
    kind: SecretStore
    name: secret-store
  data:
  - secretKey: <KEY_IN_KUBE_SECRET>
    remoteRef:
      key: <PULUMI_PATH_SYNTAX>

Note: key is not following the JSON Path syntax, but rather the Pulumi path syntax.

Examples

  • root
  • root.nested
  • root["nested"]
  • root.double.nest
  • root["double"].nest
  • root["double"]["nest"]
  • root.array[0]
  • root.array[100]
  • root.array[0].nested
  • root.array[0][1].nested
  • root.nested.array[0].double[1]
  • root["key with \"escaped\" quotes"]
  • root["key with a ."]
  • ["root key with \"escaped\" quotes"].nested
  • ["root key with a ."][100]
  • root.array[*].field
  • root.array["*"].field

See Pulumi's documentation for more information.