
Pulumi Intros New Secrets Management, Platform Engineering Tools

Pulumi tames configuration and secrets sprawl, and adds a customizable internal developer portal (IDP) for platform engineering teams.
Oct 16th, 2023 8:41am by

Infrastructure as code (IaC) specialist Pulumi has announced new products to manage configuration and secrets sprawl as well as to support platform engineering.

One of the products, Pulumi ESC, enables organizations to manage Environments, Secrets, and Configurations for cloud infrastructure and applications.

100 Times Better

“I’m excited by the ESC product because it’s category creation,” Eric Rudder, co-founder and chairman of Pulumi, told The New Stack. “You know, a lot of times you will have a slightly better way of doing something. I think Pulumi is 10x better than coding in YAML or CloudFormation. But our goal is to get to 100x better, partly by using some of the generative AI technology that we launched on Pulumi AI and Insights. But there is no product on the market that really solves this set of problems. Most of the stuff we’ve done at Pulumi you need to use Pulumi as your IaC solution to benefit from it. With ESC that’s not the case. So even if you’re a CloudFormation customer or a Terraform customer, you can still keep your security information in ESC. So this is sort of the first product out there that appeals to the broadest set of infrastructure developers.”

Pulumi ESC enables developers to define reusable environments that combine secrets from multiple sources, including Pulumi IaC, AWS KMS, Azure Key Vault, Google Cloud KMS, OpenID Connect (OIDC) Relying Parties, 1Password, and HashiCorp Vault, the company said. Applications can consume these environments from any cloud execution context or tool, including Pulumi, Terraform, Cloudflare Workers, GitHub Actions or Docker.

Moreover, Pulumi ESC gives organizations a central way to define and scale cloud applications, without worrying about secrets leaking or credentials needlessly proliferating across developer desktops, the company said.

“With Pulumi ESC, our community can now bring additional critical aspects of infrastructure management into their Pulumi workflow,” said Luke Hoban, CTO of Pulumi, in a statement. “We wanted to build a general purpose configuration and secrets management solution that worked seamlessly with any infrastructure or application that could be used by multiple teams, with different roles, within an organization. Every interaction needed a security and auditability guarantee.”


Cloud applications typically rely on many different cloud and SaaS services. Every application has multiple development, test, and production environments, often spread across multiple regions. Each environment accesses a multitude of configurations, which include network settings, deployment options, API Keys, and other important secrets, such as database credentials. At scale, this complexity too often leads to sprawl, lack of visibility and control, and improper scope, the company said.

“Pulumi makes it easy to manage infrastructure across complex environments,” said Dennis Sauvé, DevOps Engineer, Washington Trust Bank. “We need to manage an ever-growing number of environments, each with its own configuration and secrets.”


Pulumi ESC includes several features and capabilities, including:

  • Define Anywhere, Consume Anywhere: ESC can pull configuration and secrets from any source, and consume them in any application. Users can adopt ESC independently of Pulumi’s Infrastructure as Code offerings.
  • Identity-Integrated and Auditable: ESC integrates with Pulumi Cloud’s identity and Role Based Access Control (RBAC) facilities, allowing teams finer-grained control over sensitive information. ESC includes deep integration with any SAML IdP including Azure AD, Microsoft Entra ID, Okta, Google Workspace, and many others. ESC fully supports auditing of all changes to the Environments, Secrets and Configurations it manages.
  • Static and Dynamic, Short-Lived Secrets: ESC provides facilities for both static and dynamic secrets. Short-lived secrets, like those supported via OIDC, are seen as best practice, yet are not well supported across key systems, forcing teams to use static secrets, which are inherently less secure. ESC makes adopting short-lived, dynamic secrets seamless, combining the security benefits of dynamic solutions with the ease of static configuration.
  • Hierarchical and Composable: Multiple environments can be defined and composed together, eliminating “copy and paste errors” and enabling auditability and traceability into shared configuration changes.
  • Open Source and Managed: The ESC client SDKs, CLI, and plugins are all open source, and the Pulumi Cloud offers a fully managed experience. Pulumi Cloud can also be self-hosted on-premises behind the firewall or in any public cloud for advanced compliance needs.
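To make the composition and short-lived-secrets points above concrete, here is an added example of an ESC environment definition; it is not from the article or from Pulumi's own documentation. It assumes the ESC YAML schema as I understand it from the 2023 preview (imports, values, fn::open::aws-login, fn::secret, environmentVariables, pulumiConfig); the role ARN, account ID, and environment names are placeholders.

```yaml
# Added example: an ESC environment "app-prod" that imports a shared base
# environment and obtains short-lived AWS credentials over OIDC instead of
# storing long-lived access keys. Field names follow the ESC preview schema
# as understood by the editor; ARN, account ID and names are placeholders.
imports:
  - app-base            # shared, reviewed settings owned by the platform team
values:
  app:
    stage: prod
    region: us-east-1
  aws:
    login:
      # Dynamic secret: Pulumi Cloud exchanges its OIDC token for a role
      # session. No static key is stored; the session expires on its own.
      fn::open::aws-login:
        oidc:
          roleArn: arn:aws:iam::123456789012:role/esc-app-prod   # placeholder
          sessionName: esc-app-prod
          duration: 1h
  db:
    # Static secret kept only for a system that cannot use short-lived
    # credentials. fn::secret marks it so ESC encrypts it at rest and
    # redacts it in CLI and UI output.
    password:
      fn::secret: "REPLACE-WITH-REAL-SECRET"   # placeholder value
  # Projection: what tools see when they run inside this environment.
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}
    AWS_REGION: ${app.region}
    DB_PASSWORD: ${db.password}
  pulumiConfig:
    aws:region: ${app.region}
    app:stage: ${app.stage}
```

Each `esc run my-org/app-prod -- aws sts get-caller-identity` (organization name is a placeholder) yields a fresh session rather than reusing a key from a developer's desktop, and a change to the imported `app-base` environment is made and audited once instead of in every consumer's copy.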

Reducing Cost and Risk

“With these announcements, Pulumi fills some blanks in its portfolio and becomes a viable alternative for Infrastructure as Code (IaC) solutions,” said Larry Carvalho, an analyst at RobustCloud. “The new Series C investment [$41M] and the fact that they are still an open source solution should comfort customers. As managing secrets gets complex in a multicloud environment, Pulumi ESC can reduce operational costs while reducing risks.”

Currently, Pulumi ESC is available for free as a public preview with the company’s intent to eventually offer multiple tiered versions, including a free offering and others with advanced Enterprise and Business Critical capabilities.

“Pulumi IaC simplifies infrastructure management so that our developers can release Fusion, our hardware development platform, fast and reliably,” said Alfred Stappenbeck, Principal Cloud Software Engineer, Stoke Space, in a statement. “We deliver new features and updates to our customers at a very rapid pace, and we can’t allow configuration sprawl to slow us down. Without a modular configuration model, our teams could lose track of changes and dependencies. We welcome these comprehensive tools to manage our configurations and secrets.”

“Today, IT teams need to securely connect everyone and everything. Too often, cloud, SaaS, internet, and on-premises domains are painfully disconnected. Making all these systems talk to each other is simply too difficult,” said Dane Knecht, SVP, Emerging Technology and Incubation at Cloudflare, in a statement. Cloudflare is a design partner for Pulumi ESC helping to eliminate the burden of ad-hoc secrets and configuration management, he noted.

Pulumi for Platform Teams

Meanwhile, the company also introduced Pulumi for Platform Teams, to help platform engineering teams increase agility, compliance, and security. It includes the Pulumi Developer Portal for self-serve provisioning, a CNCF Backstage plugin, Compliance-ready Policies and Remediation Policies, for automatic adherence to organizational best practices. In addition, the company also announced general availability of Pulumi Deployments for deployment orchestration.

“Infrastructure as Code is an essential piece of every developer platform,” said David Tuite, Chief Roadie. “We’re excited to have Pulumi join the Backstage ecosystem because it helps teams collaborate using their favorite programming language instead of relying on domain-specific languages.”

Internal developer portals (IDPs) enable developers to quickly provision approved infrastructure, boosting productivity with pre-configured architectures and automated testing.


“Pulumi delivers a set of capabilities that aim to optimize developer productivity through self-service, while simultaneously providing the platform team with the governance needed to consistently ensure compliance, reliability, performance, and cost control,” said Torsten Volk, an analyst at Enterprise Management Associates. “With this release, Pulumi positions its IaC platform as the standard for implementing infrastructure-as-code in a scalable manner, by providing a simple vending machine for consistent infrastructure stacks across projects, apps, and clouds. Pulumi nicely complements its consistency — and simplicity — story by also introducing a solution for the centralized management of configuration data and secrets. This provides platform engineers with the central control they need to proactively manage security and compliance within complex distributed applications.”

Organizations can now use Pulumi’s building blocks for creating and customizing IDPs. These platforms are inherently many-cloud and frequently center around the adoption of Kubernetes, the company said.

“Pulumi for Platform Teams is essentially empowering platform engineering,” Rudder said. It supports security policy, policy as code, templates, role-based access control and more. “So a lot of elements of platform engineering are definitely things that we think about in the Pulumi offering. Whether we market it as platform engineering, or market it as platform teams or developer portal, there’s lots of terms that are very similar or slightly adjacent,” he said.

“Combined, the new developer platform capabilities and the centralized management solution for configuration and security of app stacks can help bring organizations closer to their goal of providing developers with the maximum degree of freedom, while at the same time delivering a solution for centralized governance to platform engineers. This is exciting news!” Volk told The New Stack.

Platform Features

New Pulumi capabilities for platform teams include:

  • Pulumi Developer Portal – Enable Self-Serve Infrastructure: Pulumi Developer Portal provides platform teams with an out-of-the-box Service Catalog experience so that developers can deploy from Pulumi Cloud. It supports advanced integration with source control, CI/CD, and custom workflows through a REST API. It is available in all Pulumi Cloud offerings, with private template hosting offered in both the Enterprise and Business Critical editions.
  • Pulumi Backstage Plugin – Integrate with Existing Self-Serve Portals: The new plugin integrates Pulumi Developer Portal with CNCF’s Backstage, enabling developers to browse, provision, and monitor infrastructure using both platforms. It is available on the Backstage and Roadie Marketplaces immediately.
  • Compliance-ready Policies – Enforce Rules on AWS, Azure, Google Cloud, and Kubernetes: Platform teams can now use hundreds of Pulumi CrossGuard policies for automating compliance and best practices, eliminating custom policy creation. Teams can build policy packs for any cloud, service, and topic (e.g. Network, Encryption, Logging, or Storage), with support for key compliance frameworks, such as PCI DSS, ISO 27001, SOC 2, and CIS.
  • Remediation Policies – Automatically Fix Compliance Issues: With Remediation Policies, Pulumi’s policy as code engine allows platform teams to author policies that automatically correct configuration violations, such as auto-tagging, Internet access control, and enabling storage encryption. Remediation is available in the open source engine, with organization-wide configuration and enforcement for Business Critical customers.

In addition, the company announced the general availability of Pulumi Deployments, which it introduced last November. Pulumi Deployments is a fast and flexible way to deploy infrastructure on any cloud and at any scale, using GitHub pull requests, API calls, and the console. No CLI setup is needed since Pulumi Cloud manages deployments.

Developer Platform in a Box

“Pulumi Deployments is easier to set up for new projects than our in-house developed CI/CD pipelines for running Pulumi,” said Mark Morlino, DevOps Engineer at Boost Insurance, in a statement. “It’s more fully featured and has much better integration with our version control system. The best part is that I don’t have to maintain it myself, so I can spend more time focused on other tasks.”

Pulumi Deployments allows platform teams to orchestrate automated deployment workflows, standardizing deployment processes and eliminating custom provisioning systems.

Rudder said it contains features that are difficult to build in-house, such as Git Push-to-deploy, ephemeral environments, and UI-based deployment triggers. API extensibility enables drift detection and remediation, stale infrastructure cleanup, and blue/green and multi-region deployments. Enhancements also include OIDC configuration, Slack and Microsoft Teams integration, GitHub Enterprise support, and self-hosted runners, the company said.

The product experienced 2,500% growth during its Beta and is now available to Team Edition customers. Pulumi said the first 3,000 deploy minutes per month are free, and $0.010 per deploy minute thereafter. Custom pricing is available to Pulumi Enterprise and Business Critical customers.

“Pulumi has been pivotal in our Kubernetes migration and simplified cluster upgrade rollouts down to single-line code changes, and we’re on a path to have all resources managed by Pulumi,” said Raildo Mascena, Senior Software Engineer, VTEX, in a statement.

Pulumi Platform Teams is viewed as an organization’s internal developer platform in a box, Rudder said.

“When we spend time with our community, it’s clear that empowered platform teams are an absolute must,” said Joe Duffy, CEO of Pulumi, in a statement. “Unfortunately, we see too many folks recreating the same wheel. The new Pulumi for Platform Teams capabilities help companies get up and running more quickly, with built-in security and reliability, allowing them to focus on unique business value with greater impact.”
