pulumi-esc
Centralized secrets, configuration, and dynamic credentials management for Pulumi infrastructure and applications.
- Supports environment composition through imports and layering, with reserved keys for environmentVariables, pulumiConfig, and files
- Generates short-term credentials via OIDC for AWS, Azure, and GCP; integrates with AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, and 1Password
- Core CLI commands include pulumi env init, pulumi env edit, pulumi env open (reveals secrets), and pulumi env run for executing commands with loaded environment variables
- Provides fine-grained RBAC, version control, and audit trails for all configuration changes
Pulumi ESC (Environments, Secrets, and Configuration)
Pulumi ESC is a centralized service for managing environments, secrets, and configuration across cloud infrastructure and applications.
What is ESC?
ESC enables teams to:
- Centralize secrets and configuration in one secure location
- Compose environments by importing and layering configuration
- Generate dynamic credentials via OIDC for AWS, Azure, GCP
- Integrate external secret stores (AWS Secrets Manager, Azure Key Vault, Vault, 1Password)
- Version and audit all configuration changes
- Control access with fine-grained RBAC
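
An added example, not taken from the skill or from Pulumi's own material, of an environment definition that combines composition, OIDC-issued short-term AWS credentials, and the reserved keys. The import name, account ID, role ARN, region, and config values are constructed placeholders.

```yaml
# Constructed ESC environment definition (placeholders throughout).
# Layering: values defined here override same-named values from imports.
imports:
  - shared/base            # hypothetical environment holding org-wide defaults

values:
  aws:
    login:
      # Short-lived credentials via OIDC: no long-term access key is stored
      # in the environment. The IAM role's trust policy decides which
      # organization/environment is allowed to assume it.
      fn::open::aws-login:
        oidc:
          roleArn: arn:aws:iam::123456789012:role/esc-oidc-example  # placeholder
          sessionName: pulumi-esc-example
          duration: 1h     # keep short; credentials are re-issued on each open

  app:
    # Static secret stored encrypted; only shown in plaintext by
    # `pulumi env open`, so restrict who holds open permission via RBAC.
    apiToken:
      fn::secret: REPLACE_WITH_REAL_VALUE

  # Reserved key: exported as environment variables by `pulumi env run`.
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}

  # Reserved key: surfaced to Pulumi stacks that import this environment.
  pulumiConfig:
    aws:region: us-west-2
    app:apiToken: ${app.apiToken}

  # Reserved key: each entry is written to a temporary file and the
  # variable of the same name is set to that file's path.
  files:
    APP_TOKEN_FILE: ${app.apiToken}
```

Because the credentials are minted when the environment is opened, the audit trail records who opened it and when, and revoking access is a matter of changing RBAC or the role's trust policy rather than rotating a shared key.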
Essential CLI Commands
# Create a new environment