{"id":14572987,"url":"https://github.com/pulumi/esc","last_synced_at":"2026-02-10T23:07:25.958Z","repository":{"id":199370331,"uuid":"682206028","full_name":"pulumi/esc","owner":"pulumi","description":"Pulumi ESC is a centralized, secure service for environments, secrets, and configuration management, optimized for multi-cloud infrastructures and applications.","archived":false,"fork":false,"pushed_at":"2026-02-07T18:46:49.000Z","size":17292,"stargazers_count":279,"open_issues_count":150,"forks_count":16,"subscribers_count":17,"default_branch":"main","last_synced_at":"2026-02-07T21:59:29.291Z","etag":null,"topics":["api-key-security","cloud-config","config","configuration-management","environment-variables","key-management","multi-cloud","secret-manager","secrets","secrets-management","security-toolset"],"latest_commit_sha":null,"homepage":"https://www.pulumi.com/product/esc/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pulumi.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-08-23T17:10:06.000Z","updated_at":"2026-02-06T21:35:30.000Z","dependencies_parsed_at":"2023-12-18T18:09:20.378Z","dependency_job_id":"5b78337e-5526-40ad-a53a-f3dcda229902","html_url":"https://github.com/pulumi/esc","commit_stats":{"total_commits":178,"total_committers":17,"mean_commits":"10.470588235294118","dds":0.398876404494382,"last_synced_commit":"af879e57d9490cd4eeca05fbe6ef0a60499b0797"},"previous_names":["pulumi/esc","pulumi/environments"],"tags_count":51,"template":false,"template_full_name":null,"purl":"pkg:github/pulumi/esc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pulumi%2Fesc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pulumi%2Fesc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pulumi%2Fesc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pulumi%2Fesc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pulumi","download_url":"https://codeload.github.com/pulumi/esc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pulumi%2Fesc/sbom","scorecard":{"id":749405,"data":{"date":"2025-08-11","repo":{"name":"github.com/pulumi/esc","commit":"b01c053736ef2a7c9d4b5999169c4e33cde19585"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.1,"checks":[{"name":"Maintained","score":10,"reason":"20 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: topLevel permissions set to 'write-all': .github/workflows/export-repo-secrets.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/export-repo-secrets.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/export-repo-secrets.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/export-repo-secrets.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/export-repo-secrets.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-release.yaml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/publish-release.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-release.yaml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/publish-release.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-release.yaml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/publish-release.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-release.yaml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/publish-release.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-release.yaml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/publish-release.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-release.yaml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/publish-release.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stage-lint.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stage-lint.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-lint.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/stage-lint.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stage-lint.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-lint.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/stage-lint.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stage-lint.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-lint.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/stage-publish.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stage-publish.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stage-publish.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-publish.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/stage-publish.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-publish.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/stage-test.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stage-test.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stage-test.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/stage-test.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/stage-test.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/pulumi/esc/stage-test.yml/main?enable=pin","Info:   0 out of  11 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  12 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.17.0 not signed: https://api.github.com/repos/pulumi/esc/releases/236996604","Warn: release artifact v0.16.0 not signed: https://api.github.com/repos/pulumi/esc/releases/236662611","Warn: release artifact v0.15.0 not signed: https://api.github.com/repos/pulumi/esc/releases/235784884","Warn: release artifact v0.14.3 not signed: https://api.github.com/repos/pulumi/esc/releases/226015623","Warn: release artifact v0.14.2 not signed: https://api.github.com/repos/pulumi/esc/releases/216578345","Warn: release artifact v0.17.0 does not have provenance: https://api.github.com/repos/pulumi/esc/releases/236996604","Warn: release artifact v0.16.0 does not have provenance: https://api.github.com/repos/pulumi/esc/releases/236662611","Warn: release artifact v0.15.0 does not have provenance: https://api.github.com/repos/pulumi/esc/releases/235784884","Warn: release artifact v0.14.3 does not have provenance: https://api.github.com/repos/pulumi/esc/releases/226015623","Warn: release artifact v0.14.2 does not have provenance: https://api.github.com/repos/pulumi/esc/releases/216578345"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/pulumi/.github/SECURITY.md:1","Info: Found linked content: github.com/pulumi/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/pulumi/.github/SECURITY.md:1","Info: Found text in security policy: github.com/pulumi/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":5,"reason":"5 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2025-3754 / GHSA-2x5j-vhc8-9cwm","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2025-3488 / GHSA-6v2p-p543-phr9"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T19:48:56.861Z","repository_id":199370331,"created_at":"2025-08-22T19:48:56.861Z","updated_at":"2025-08-22T19:48:56.861Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29321277,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-10T20:44:44.282Z","status":"ssl_error","status_checked_at":"2026-02-10T20:44:43.393Z","response_time":65,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-key-security","cloud-config","config","configuration-management","environment-variables","key-management","multi-cloud","secret-manager","secrets","secrets-management","security-toolset"],"created_at":"2024-09-07T09:01:22.371Z","updated_at":"2026-02-10T23:07:25.935Z","avatar_url":"https://github.com/pulumi.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.pulumi.com?utm_campaign=pulumi-esc-github-repo\u0026utm_source=github.com\u0026utm_medium=top-logo\" title=\"Pulumi ESC: Open source secrets management solution\"\u003e\n    \u003cimg src=\"https://www.pulumi.com/images/logo/logo-on-white-box.svg?\" width=\"350\"\u003e\n   \u003c/a\u003e\n\u003c/p\u003e\n\n# Secrets Management for Multi-Cloud Environments\n\n**[Pulumi ESC](https://www.pulumi.com/product/esc/?utm_source=github.com\u0026utm_medium=referral\u0026utm_campaign=pulumi+esc+github+repo\u0026utm_content=intro)** is a centralized secrets management \u0026 orchestration service that makes it easy to tame secrets sprawl and configuration complexity securely across all your cloud infrastructure and applications. You can pull and sync secrets with any secrets store – including HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, 1Password, and more – and consume secrets in any application, tool, or CI/CD platform.\n\nPulumi ESC simplifies the adoption of dynamic, on-demand secrets as a best practice. It leverages Pulumi Cloud identity, RBAC, Teams, SAML/SCIM, OIDC, and scoped access tokens used for Pulumi IaC to ensure secrets management complies with enterprise security policies. Every time secrets or configuration values are accessed or changed with Pulumi ESC, the action is fully logged for auditing. So you can trust (and prove) your secrets are secure. Pulumi ESC makes it easy to eliminate the need for developers to copy and paste secrets and store them in plaintext on their computers. Developers can easily access secrets via CLI, API, Kubernetes operator, the Pulumi Cloud UI, and in-code with Typescript/Javascript, Python, and Go SDKs.\n\nBe sure to check out the **[Pulumi ESC explainer video](https://www.youtube.com/watch?v=JY3Cm1UUIYE)**.\n\n## Table of contents\n\n- :clapper: [Demo](#pulumi-esc-demo)\n- :rocket: [Getting Started](#getting-started-with-pulumi-esc)\n- :blue_book: [Documentation](https://pulumi.com/docs/pulumi-cloud/esc)\n- :hammer_and_wrench: [How It Works](#how-pulumi-esc-works)\n- :white_check_mark: [Features](#pulumi-esc-features)\n- :compass:\t[Roadmap](#resources)\n- :busts_in_silhouette: [Community](#resources)\n- :computer: [Resources](#resources)\n\n## Pulumi ESC Demo\n\nPulumi ESC not only works great for your applications and IaC, including Pulumi IaC, but it also makes your day-to-day developer workflow much more secure and streamlined. For example, the Pulumi ESC CLI (esc) allows you to give your developers immediate, just-in-time authenticated, and short-lived access to cloud credentials across any cloud provider with just a single command: `esc run aws-staging -- aws s3 ls`.\n\nIn this example, an ESC environment named aws-staging has all the necessary staging environment configuration and OIDC setup to connect to AWS. Running this command opens up a temporary environment and executes the aws s3 ls command in that environment. The temporary AWS credentials are not stored anywhere, making them secure and also allowing you to switch between different environments dynamically.\n\n![Pulumi's open source secrets management solution overview](./assets/esc.gif)\n\nPulumi ESC is also offered as a managed service as part of [Pulumi Cloud,](https://www.pulumi.com/product/pulumi-cloud/?utm_campaign=pulumi-esc-github-repo\u0026utm_source=github.com) and this repo contains the implementation of the following key components of the ESC open source secrets and configuration management solution:\n\n1. The `esc` CLI:  A CLI tool for managing and consuming environments, secrets and configuration using Pulumi ESC.\n2. The Pulumi ESC evaluator:  The core specification and implementation of the document format for defining environments, and the syntax and semantics for evaluating environments to produce a set of configuration and secrets.\n\n\u003cdiv\u003e\n\u003ca href=\"https://www.pulumi.com/docs/esc/get-started/?utm_campaign=pulumi-esc-github-repo\u0026utm_source=github.com\u0026utm_medium=get-started-button\" title=\"Get Started\"\u003e\n    \u003cimg src=\"https://www.pulumi.com/images/get-started.svg?\" align=\"center\" width=\"120\" alt=\"Click here to get started with Pulumi's open source secrets manager ESC\"\u003e\n\u003c/a\u003e\n\u003c/div\u003e\n\n## Getting Started with Pulumi ESC\n\nFor a hands-on, self-paced tutorial see our Pulumi ESC [Getting Started](https://pulumi.com/docs/pulumi-cloud/esc/get-started?utm_campaign=pulumi-esc-github-repo\u0026utm_source=github.com\u0026utm_medium=getting-started-install) to quickly get up and running.\n\n### Download and Install Pulumi ESC\n\n1. **Install**:\n\n    To install the latest Pulumi ESC release, run the following (see full\n    [installation instructions](https://www.pulumi.com/docs/install/esc/?utm_campaign=pulumi-esc-github-repo\u0026utm_source=github.com\u0026utm_medium=getting-started-install) for additional installation options):\n\n    ```bash\n    $ curl -fsSL https://get.pulumi.com/esc/install.sh | sh\n    ```\n\n### Building the ESC CLI Locally\n\nYou can build the CLI locally for testing by cloning this repo and running:\n\n```shell\n$ make install\n```\n\nThis will produce an `esc` binary in your `GOBIN` directory.\n\n## How Pulumi ESC Works\n\n![Pulumi ESC: Open source secrets management overview](./assets/overview.png)\n\n1. Pulumi ESC enables you to define environments, which are collections of secrets and configuration. Each environment can be composed from multiple environments.\n2. Pulumi ESC supports a variety of configuration and secrets sources, and it has an extensible plugin model that allows third-party sources.\n3. Pulumi ESC has a rich API that allows for easy integration.  Every value in an environment can be accessed from any execution environment.\n4. Every environment can be locked down with RBAC, versioned, and audited.\n\n### Why Pulumi ESC?\n\nPulumi ESC was designed to address a set of challenges that many infrastructure and application development teams face in managing configuration and secrets across their various environments:\n\n* __Stop secret sprawl__: Pull and sync secrets and configuration with any secrets store – HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, 1Password, and more – and consume in any application, tool, or CI/CD platform.\n* __Trust (and prove) your secrets are secure__: Adopt dynamic, short-lived secrets on demand as a best practice. Lock down every environment with RBAC, versioning, and a full audit log of all changes.\n* __Ditch `.env` files__: No more copying-and-pasting secrets or storing them in plaintext on dev computers. Developers can easily access secrets via CLI, API, Kubernetes operator, the Pulumi Cloud UI, and SDKs.\n* __Use with or without Pulumi IaC__: Use Pulumi ESC independently, or use with Pulumi IaC to support storing secrets in config in a more secure way than using plaintext.\n\nPulumi ESC was born to address these problems and needs head on with the following features.\n\n### Pulumi ESC Features\n\n* __Centralized secrets management__: Access, share, and manage confidential information such as secrets, passwords, and API keys as well as configuration information such as network settings and deployment options.\n* __Secrets orchestration__: Pull and sync configuration and secrets from any secrets store and consume in any application, tool, or CI/CD platform.\n* __Composable environments__: Environments support importing one into another, allowing for easy composability and inheritance of shared secrets and configuration.\n* __Versionable__: Every change to an environment as well as any of its secrets and configuration is versioned, so rolling back or accessing an old version is easy.\n* __Role-based access control (RBAC)__: Role-based access controls (RBAC) makes it easy to secure your secrets and configurations by assigning permissions to users based on their role within your organization.\n* __Dynamic Secrets__: Generate just-in-time, short-lived credentials that revoke access when the lease expires.\n* __Audit Logging__: All actions taken on environments, secrets, or configuration values are fully logged for auditing.\n* __Developer-friendly__: Developers can easily access secrets via CLI, API, Kubernetes operator, the Pulumi Cloud UI, and in-code with Typescript/Javascript, Python, and Go SDKs.\n\n## Pulumi ESC Roadmap\n\nReview the planned work for the upcoming quarter and a selected backlog of issues that are on our mind but not yet scheduled on the [Pulumi Roadmap.](https://github.com/orgs/pulumi/projects/44)\n\n## Community\n\n- Join us in the [Pulumi Community Slack](https://slack.pulumi.com/?utm_campaign=pulumi-esc-github-repo\u0026utm_source=github.com\u0026utm_medium=welcome-slack) to connect with our community and engineering team and ask questions. All conversations and questions are welcome.\n- Send us a tweet via [@PulumiCorp](https://twitter.com/PulumiCorp)\n- Watch videos and workshops on [Pulumi TV](https://www.youtube.com/pulumitv)\n\n## Resources\n\n- [Docs](https://pulumi.com/docs/pulumi-cloud/esc?utm_campaign=pulumi-esc-github-repo\u0026utm_source=github.com\u0026utm_medium=esc-resources)\n- [Slack](https://slack.pulumi.com/?utm_campaign=pulumi-esc-github-repo\u0026utm_source=github.com\u0026utm_medium=welcome-slack)\n- [Twitter](https://twitter.com/PulumiCorp)\n- [YouTube](https://www.youtube.com/pulumitv)\n- [Blog](https://pulumi.com/blog?utm_campaign=pulumi-esc-github-repo\u0026utm_source=github.com\u0026utm_medium=esc-resources)\n- [Roadmap](https://github.com/orgs/pulumi/projects/44)\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpulumi%2Fesc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpulumi%2Fesc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpulumi%2Fesc/lists"}