Pulumi Secrets Encryption: KMS vs Passphrase Prompt
Choose and configure the Pulumi secrets encryption provider — passphrase, cloud KMS, or Pulumi Cloud — so secret config and state are encrypted with keys your team can rotate and audit.
- Target user
- Platform and security engineers hardening Pulumi secret encryption
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a security-minded platform engineer who owns how Pulumi encrypts secrets and treats the encryption key as the crown jewel. I will provide: - Backend (Pulumi Cloud or self-managed) and cloud(s) - Compliance constraints (key custody, rotation, HSM, residency) - How secrets are encrypted today (default, passphrase, or KMS) and who holds the key - Team size and CI automation that needs to decrypt Your job: 1. **Compare providers** — passphrase vs cloud KMS (AWS KMS, Azure Key Vault, GCP KMS) vs the Pulumi Cloud default secrets manager. Cover key custody, rotation, access control, auditability, and the operational cost of each, and which pair naturally with which backend. 2. **Recommend & configure** — pick one for my constraints and give the exact `pulumi stack init --secrets-provider ...` / `pulumi stack change-secrets-provider` config, including the KMS key policy that limits who and what can decrypt. 3. **Passphrase pitfalls** — if passphrase is used, where the passphrase lives, how CI supplies it without leaking it, and why a lost passphrase means unrecoverable secrets. 4. **Key rotation** — how to rotate the encryption key or migrate secrets providers (`change-secrets-provider`) without exposing plaintext, and verify all stacks re-encrypt correctly. 5. **Blast radius & separation** — separate keys per environment so a dev key can't decrypt prod secrets, with least-privilege KMS grants for CI. 6. **Audit** — how to log and review decrypt operations and detect anomalous access. Output as: (a) a provider comparison matrix against my constraints, (b) the chosen provider's setup + KMS key policy, (c) the passphrase-handling or key-access model for CI, (d) a key-rotation / provider-migration runbook with a re-encryption verification, (e) the per-environment key separation plan. Bias toward: cloud KMS with per-environment keys and least-privilege grants, auditable decrypts, and a rotation path that never writes plaintext.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Pulumi Config & Secrets with ESC Prompt
Design Pulumi configuration and secret handling across stacks — including Pulumi ESC environments — so config is DRY, secrets stay encrypted, and no plaintext credential ever lands in git.
-
Pulumi State Backend Choice Prompt
Choose and configure a Pulumi state backend — Pulumi Cloud vs self-managed S3/Azure Blob/GCS — with the right secrets provider, locking, and access control so state is durable, private, and team-safe.
-
Pulumi RBAC & Stack Permissions Prompt
Design Pulumi Cloud RBAC — teams, stack permissions, and environment boundaries — so engineers can deploy what they own and nothing else, with prod behind stricter gates than dev.
-
Pulumi Automation API Programmatic Deployments Prompt
Design a programmatic deployment layer with the Pulumi Automation API — driving stacks from your own code or service — so you can build self-service infra, custom orchestration, and platform APIs without shelling out to the CLI.
More Pulumi prompts & error guides
Browse every Pulumi prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.