Open pierskarsenbarg opened 2 days ago
Pulumi allows users to bring their own encryption key as a secret provider.
It's possible to use ESC and the Pulumi CLI in non-interactive mode to grant access to the key and run an update.
So for example, with this Pulumi program:
```typescript
import * as random from "@pulumi/random";

export const pw = new random.RandomPassword("pw", { length: 20 }).result;
```
and this environment:
```yaml
values:
  aws:
    region: eu-west-1
    creds:
      fn::open::aws-login:
        oidc:
          duration: 1h
          roleArn: arn:aws:iam::{accountId}:role/{roleName}
          sessionName: pulumi-environments-session
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.creds.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.creds.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.creds.sessionToken}
    AWS_REGION: ${aws.region}
```
I can run `pulumi env run {escProjectName}/{environmentName} -- pulumi up --yes` (`--yes` is needed because we're running Pulumi in non-interactive mode) and this will work.
It would be nice to be able to do this just with `pulumi up`.
Affected feature