A Serverless secrets manager demo using Pulumi ESC (AWS)


Apr 5, 2025 - 05:32

This is a submission for the Pulumi Deploy and Document Challenge: Shhh, It's a Secret!

What I Built

A serverless secrets manager demo using Pulumi ESC (AWS) to securely retrieve and inject environment variables into a Lambda function. The project demonstrates:

  • Securely storing secrets in Pulumi ESC
  • Fetching secrets programmatically via the Pulumi SDK
  • Injecting secrets into cloud resources without exposing them in code
  • Implementing least-privilege IAM policies

Key Files:

  • __main__.py: Core Pulumi program using ESC SDK
  • secrets-manager.tf: Terraform configuration for ESC integration
  • README.md: Full setup guide & security practices

My Journey

Challenge 1: Initial Setup Complexity

I struggled with ESC authentication until I realized Pulumi Copilot wanted explicit region flags (--region us-west-2).

Key Prompt:

"Show me how to create an AWS secrets manager secret named 'db-creds' with encrypted password field using Pulumi Python SDK"  

Breakthrough Moment:

Discovered Pulumi's Output.secret() method automatically encrypts values using ESC master keys – saving 20+ lines of custom encryption code!

Using Pulumi ESC

Why ESC?

  • Centralized secrets management for multi-cloud apps
  • Built-in rotation policies
  • Auditing capabilities via CloudTrail

SDK Magic:

import json

import pulumi
import pulumi_aws as aws

# Retrieve the secret at deploy time without hardcoding it.
# get_secret_value_output returns an Output, so .apply() is available;
# the plain get_secret_value invoke returns a result whose secret_string
# is a str and has no .apply method.
creds = aws.secretsmanager.get_secret_value_output(
    secret_id="prod/db-credentials",
    version_stage="AWSCURRENT",
).secret_string.apply(json.loads)

# Mark the password as secret so Pulumi encrypts it in state and redacts it in logs.
db_password = pulumi.Output.secret(creds["password"])
db_user = creds["username"]

Security Wins:

  1. Secrets never appear in deployment logs
  2. IAM role strictly limited to secretsmanager:GetSecretValue
  3. Automatic secret version rotation enabled
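To make "IAM role strictly limited to secretsmanager:GetSecretValue" concrete, here is an added example (not code from the project) that builds the scoped policy document for the Lambda role and lints a policy for anything broader than that single action on that single secret; the account id and ARN suffix are constructed placeholders, since in a real program the ARN would come from the secret resource's arn output.

```python
import json

# Constructed placeholder ARN; the post gives no account id, and a real
# Secrets Manager ARN carries a random suffix after the secret name.
SECRET_ARN = "arn:aws:secretsmanager:us-west-2:123456789012:secret:prod/db-credentials-AbCdEf"
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue"}


def least_privilege_secret_policy(secret_arn: str) -> dict:
    """IAM policy for the Lambda role: one action, one secret, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": [secret_arn],
        }],
    }


def policy_violations(policy: dict, allowed_actions: set) -> list:
    """Return reasons an Allow statement exceeds the stated least-privilege intent."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not flagged
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if "*" in action:
                problems.append(f"statement {i}: wildcard action {action!r}")
            elif action not in allowed_actions:
                problems.append(f"statement {i}: unexpected action {action!r}")
        for resource in resources:
            if "*" in resource:  # catches bare "*" and patterns like ...:secret:*
                problems.append(f"statement {i}: wildcard resource {resource!r}")
    return problems


# A constructed over-broad policy for comparison with the scoped one above.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}],
}


def policy_json(secret_arn: str) -> str:
    """Serialize the scoped policy, ready to pass as the policy argument of aws.iam.RolePolicy."""
    return json.dumps(least_privilege_secret_policy(secret_arn))
```

Running policy_violations over the scoped policy returns an empty list, while the over-broad one reports both the wildcard action and the wildcard resource.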

Documentation Highlights (From README)

Step 1: Enable ESC

pulumi login --cloud-url https://esc.example.com  
pulumi stack init dev  

Step 2: Create Secret (via CLI)

aws secretsmanager create-secret \
  --name "prod/db-credentials" \
  --secret-string '{"username":"admin","password":"s3cr3t"}'

Step 3: Deploy Securely

pulumi up --config aws:region=us-west-2  

Security Checklist:

✅ Never commit secrets-manager.tf

✅ Use separate stacks for dev/prod

✅ Enable CloudWatch logging for secret access

Why This Matters

Traditional approaches store secrets in: