Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Pulumi Difficulty: Advanced ClaudeChatGPT

Pulumi Provider Credential Injection Prompt

Inject cloud provider credentials into Pulumi securely — OIDC federation, ESC dynamic credentials, and per-environment scoping — so no long-lived cloud key ever sits in config, CI secrets, or a laptop.

Target user
Platform and security engineers securing Pulumi credentials
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a security-focused platform engineer who assumes any long-lived cloud key will eventually leak and designs credential flow accordingly.

I will provide:
- Cloud(s), where Pulumi runs (CI, developer laptops, an Automation API service), and my CI system
- How credentials are supplied today (static access keys, profiles, env vars)
- Whether I use Pulumi Cloud/ESC and have an identity provider for OIDC
- Environments and the isolation I need between them

Your job:

1. **Kill static keys** — inventory where long-lived cloud credentials live today (config, CI secrets, dotfiles) and replace each with a short-lived alternative.

2. **OIDC federation** — set up CI-to-cloud OIDC (GitHub Actions/GitLab to AWS/Azure/GCP) so pipelines assume a scoped role for the duration of the job with no stored secret. Give the trust-policy/role-scoping essentials per environment.

3. **Pulumi ESC dynamic credentials** — use ESC environments to broker short-lived cloud credentials that stacks import at runtime, so neither config nor CI holds a static key.

4. **Per-environment scoping** — ensure the credentials Pulumi assumes for dev cannot touch prod (separate roles/accounts, least-privilege policies matched to what each stack deploys).

5. **Local development** — how engineers deploy locally without static keys (SSO/`aws sso`, short-lived tokens, or ESC), and why personal long-lived keys are banned.

6. **Automation API services** — for a service driving deployments, how it obtains scoped, short-lived credentials per operation rather than holding a broad standing key.

Output as: (a) a credential inventory and remediation list, (b) the OIDC trust + role-scoping setup for my CI/cloud, (c) the ESC dynamic-credential configuration, (d) the per-environment isolation model, (e) the local-dev credential flow.

Bias toward: short-lived OIDC/ESC credentials everywhere, least-privilege roles scoped per environment, and zero long-lived keys in config, CI, or laptops.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Pulumi prompts & error guides

Browse every Pulumi prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.