Posted on Apr 3

A context-aware secret injection system

#devchallenge #pulumichallenge #webdev #cloud

This is a submission for the Pulumi Deploy and Document Challenge: Shhh, It's a Secret!

What I Built

A context-aware secret injection system that:

Uses Pulumi ESC to bridge secrets between hybrid environments (on-prem + cloud)
Implements policy-as-code for dynamic secret access controls
Auto-generates temporary credentials with TTL using AWS STS
Enforces secrets masking in all CLI outputs

Project Repo

📁 Structure:

. ├── policies/ │ └── iam-policies.ts # Least-privilege role templates ├── secrets/ │ ├── vault-stack.ts # Hybrid secret store orchestrator │ └── kms-wrapper.ts # Cross-account KMS encryption ├── apps/ │ └── batch-processor/ # Demo app using time-bound secrets └── docs/ └── SECURITY.md # Threat model & compliance matrix 🔐

My Journey

Key Breakthroughs:

# Python pseudo-code for hybrid secret resolver def get_secret(context: str): match context: case "dev": return local_vault.get_secret("dev-db") case "prod": return sts.assume_role( role_arn=aws_iam_role.prod_accessor.arn, duration_seconds=3600 )

Overcoming Complexity:

Solved provider-specific secret encoding with custom resource transformers
Mitigated leakage risks using Pulumi's --suppress-outputs in CI pipelines
Created automated policy testing with Pulumi's preview diff analysis

Using Pulumi ESC

Core Architecture:

// Go SDK example for contextual secret injection func InjectSecret(ctx *pulumi.Context, env string) error { secret := secretsmanager.LookupSecret(ctx, env) config.Inject(secret.Value, &pulumi.Config{ Protector: &pulumi.KmsProtector{Key: "alias/esc-protector"}, }) return nil }

Why This Approach?

Unified secret handling across 7 cloud providers
Real-time policy validation before deployment
Zero-trust networking integration with VPC endpoints
Cost-aware secret lifecycle management

Documentation Highlights

🔍 Discovery Features:

1. `pulumi secret ls --env=prod` - List all production secrets 2. `pulumi config encrypt --kms-key=alias/esc-master` - Manual encryption 3. `pulumi secrets audit --days=30` - Compliance reporting

⚠️ Critical Warnings:

+ Never store secret ARNs in unencrypted properties + Always use separate KMS keys for dev/staging/prod + Monitor secret usage with CloudTrail integration

Special Features

🛡️ Secret Version Firewall:

// Auto-reject outdated secret versions const secretVersion = secretsmanager.getSecretVersion({ secretId: "my-secret", versionId: "OLD_VERSION_HASH" }); if (secretVersion.createdDate < Date.now() - 90*24*3600*1000) { throw new Error("Using deprecated secret version!"); }

🔄 Self-Destructing Credentials:

# Temporary credentials auto-delete after 1 hour export DB_CREDENTIALS=$(pulumi secret export db-prod \ --ttl 1h \ --format=json)

Inspiration & Tools:

Leveraged Pulumi's Crossguard for policy-as-code
Inspired by AWS's Secrets Manager Rotation Workshop
Validated architecture using tfsec

Thanks.

DEV Community