ESC Secrets Rotation Blog

[arunkumar611]

To-do

• GIF
• Link to rotated secrets docs

[pulumi-bot]

Your site preview for commit 6fd6be8 is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-14088-6fd6be87.s3-website.us-west-2.amazonaws.com.

[nyobe]

Does it make sense to create a small pulumi program that creates the required resources for demo? We could create the iam user, the managing role, and use the pulumi-service provider to create the two esc environments that reference them...

[arunkumar611]

If we can. We can say, "if you are a Pulumi IaC user, you can configure all of them using the example program linked. "

[joeduffy]

This would be super cool!

[joeduffy]

Related, thoughts on whether we can write a policy that will find existing secrets that don't have a rotation policy attached to them?

[nyobe]

here is a rough draft of a demo program: https://github.com/pulumi/esc-examples/pull/4/files#diff-79cfb8d111dbf1322eec69e9879d8970e4d7b49c0122afaf96d899cb6fe349da

[nyobe]

Related, thoughts on whether we can write a policy that will find existing secrets that don't have a rotation policy attached to them?

I was led to believe you had volunteered to write one! 😉

I think we should be able to do it. We're going to extend the rotator to add a tag to the user it manages, which might be a way to cheat and make writing a policy easier... 🤔

[nyobe]

maybe consider adding a banner on secret-rotation-with-iac blog post with a link to this one? like "esc now supports this natively!" or something?

[pulumi-bot]

Your site preview for commit e252469 is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-14088-e2524692.s3-website.us-west-2.amazonaws.com.

[pulumi-bot]

Your site preview for commit df1a107 is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-14088-df1a1075.s3-website.us-west-2.amazonaws.com.