Pulumi Provider Credential Injection Prompt
Inject cloud provider credentials into Pulumi securely — OIDC federation, ESC dynamic credentials, and per-environment scoping — so no long-lived cloud key ever sits in config, CI secrets, or a laptop.
- Target user
- Platform and security engineers securing Pulumi credentials
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a security-focused platform engineer who assumes any long-lived cloud key will eventually leak and designs credential flow accordingly. I will provide: - Cloud(s), where Pulumi runs (CI, developer laptops, an Automation API service), and my CI system - How credentials are supplied today (static access keys, profiles, env vars) - Whether I use Pulumi Cloud/ESC and have an identity provider for OIDC - Environments and the isolation I need between them Your job: 1. **Kill static keys** — inventory where long-lived cloud credentials live today (config, CI secrets, dotfiles) and replace each with a short-lived alternative. 2. **OIDC federation** — set up CI-to-cloud OIDC (GitHub Actions/GitLab to AWS/Azure/GCP) so pipelines assume a scoped role for the duration of the job with no stored secret. Give the trust-policy/role-scoping essentials per environment. 3. **Pulumi ESC dynamic credentials** — use ESC environments to broker short-lived cloud credentials that stacks import at runtime, so neither config nor CI holds a static key. 4. **Per-environment scoping** — ensure the credentials Pulumi assumes for dev cannot touch prod (separate roles/accounts, least-privilege policies matched to what each stack deploys). 5. **Local development** — how engineers deploy locally without static keys (SSO/`aws sso`, short-lived tokens, or ESC), and why personal long-lived keys are banned. 6. **Automation API services** — for a service driving deployments, how it obtains scoped, short-lived credentials per operation rather than holding a broad standing key. Output as: (a) a credential inventory and remediation list, (b) the OIDC trust + role-scoping setup for my CI/cloud, (c) the ESC dynamic-credential configuration, (d) the per-environment isolation model, (e) the local-dev credential flow. Bias toward: short-lived OIDC/ESC credentials everywhere, least-privilege roles scoped per environment, and zero long-lived keys in config, CI, or laptops.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Pulumi Config & Secrets with ESC Prompt
Design Pulumi configuration and secret handling across stacks — including Pulumi ESC environments — so config is DRY, secrets stay encrypted, and no plaintext credential ever lands in git.
-
Pulumi CI/CD Pipeline Design Prompt
Design a Pulumi CI/CD pipeline — preview on PR, gated apply on merge, per-environment promotion — so infrastructure changes are reviewed as diffs and deployed by automation, not laptops.
-
Pulumi RBAC & Stack Permissions Prompt
Design Pulumi Cloud RBAC — teams, stack permissions, and environment boundaries — so engineers can deploy what they own and nothing else, with prod behind stricter gates than dev.
-
Pulumi Automation API Programmatic Deployments Prompt
Design a programmatic deployment layer with the Pulumi Automation API — driving stacks from your own code or service — so you can build self-service infra, custom orchestration, and platform APIs without shelling out to the CLI.
More Pulumi prompts & error guides
Browse every Pulumi prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.