diff --git a/content/blog/esc-kubernetes-cluster-and-app/index.md b/content/blog/esc-kubernetes-cluster-and-app/index.md index cb1bc74c188d..fb941b2cd47f 100644 --- a/content/blog/esc-kubernetes-cluster-and-app/index.md +++ b/content/blog/esc-kubernetes-cluster-and-app/index.md @@ -162,7 +162,7 @@ values: aws:region: us-west-2 ``` -Notice that this environment uses the `aws-login` ESC provider to [dynamically load short-lived credentials using OIDC](/docs/pulumi-cloud/oidc/provider/aws/). +Notice that this environment uses the `aws-login` ESC provider to [dynamically load short-lived credentials using OIDC](/docs/esc/environments/configuring-oidc/aws/). These credentials are then exposed as environment variables for consumers of this environment. We also set the AWS region in the `pulumiConfig` section to configure the region for `pulumi` to manage resources with the `pulumi-aws` provider. diff --git a/content/blog/esc-table-editor-provider-config-support/index.md b/content/blog/esc-table-editor-provider-config-support/index.md index 0068f68d1e09..2d8b0248f538 100644 --- a/content/blog/esc-table-editor-provider-config-support/index.md +++ b/content/blog/esc-table-editor-provider-config-support/index.md 
@@ -31,7 +31,7 @@ In our initial launch, the Table Editor allowed you to perform CRUD operations o ## Enhancing the Table Editor: Provider Configuration Support -With the addition of provider configuration support in the Table view, incorporating Pulumi ESC provider capabilities into your workflow is now more straightforward. A clean, user-friendly form provides step-by-step guidance, promoting best practices like [OIDC](/docs/pulumi-cloud/oidc/) adoption and the secure handling of sensitive data. This streamlined approach reduces the need for external documentation, making the entire process more intuitive and efficient. +With the addition of provider configuration support in the Table view, incorporating Pulumi ESC provider capabilities into your workflow is now more straightforward. A clean, user-friendly form provides step-by-step guidance, promoting best practices like [OIDC](/docs/esc/environments/configuring-oidc) adoption and the secure handling of sensitive data. This streamlined approach reduces the need for external documentation, making the entire process more intuitive and efficient. ![Table view](esc-table-editor-provider-config.png) diff --git a/content/blog/pulumi-release-notes-103/index.md b/content/blog/pulumi-release-notes-103/index.md index d677a3cfe935..2de54e203af8 100644 --- a/content/blog/pulumi-release-notes-103/index.md +++ b/content/blog/pulumi-release-notes-103/index.md 
@@ -56,7 +56,7 @@ We've upgraded the Pulumi ESC YAML editor with features aimed at simplifying the ### Pulumi ESC OIDC customization -Pulumi ESC now offers [subject customization](/docs/pulumi-cloud/oidc/provider/azure/#subject-customization) for OIDC tokens, enhancing security across AWS, GCP and Azure by aligning federated credentials with specific identifiers. By configuring the `subjectAttributes` setting, users can include specific environment, user, and organization information in the [OIDC](/docs/pulumi-cloud/oidc/) token subject claim, offering more granular control and customization for cloud resource access. This capability is especially valuable for customers using Azure, where subject claims are required to precisely match the string specified in the policy. +Pulumi ESC now offers [subject customization](/docs/esc/environments/configuring-oidc/azure/#subject-customization) for OIDC tokens, enhancing security across AWS, GCP and Azure by aligning federated credentials with specific identifiers. By configuring the `subjectAttributes` setting, users can include specific environment, user, and organization information in the [OIDC](/docs/esc/environments/configuring-oidc) token subject claim, offering more granular control and customization for cloud resource access. This capability is especially valuable for customers using Azure, where subject claims are required to precisely match the string specified in the policy. ### Pulumi ESC Audit Logs diff --git a/content/blog/pulumi-release-notes-99/index.md b/content/blog/pulumi-release-notes-99/index.md index 7d393c35f8c5..0e9d9fc24e16 100644 --- a/content/blog/pulumi-release-notes-99/index.md +++ b/content/blog/pulumi-release-notes-99/index.md 
@@ -60,7 +60,7 @@ Pulumi AI can now write Pulumi programs for all 150 cloud providers in the [Pulu ### Pulumi ESC Preview -[Pulumi Environment, Secrets and Configuration (ESC)](/docs/esc/) is our answer to the growing needs of our customers to manage secret sprawl and streamline config management. Pulumi ESC allows teams to store and aggregate secrets and configuration from various sources into a composable collection called an environment. You can dynamically generate [OIDC credentials](/docs/pulumi-cloud/oidc/provider/aws/#pulumi-esc-1) from all three major cloud providers (AWS, Azure and GCP), and integrate with other [secrets managers](/docs/esc/get-started/retrieve-external-secrets/) like AWS Secrets Manager, Hashicorp Vault, Azure Vault and GCP Secret manager to pull secrets during runtime. Its hierarchical structure simplifies the composition and reuse of configurations, ensuring secure, auditable management and robust access control. With Pulumi ESC, the trend is clear: organizations are choosing its comprehensive approach for managing secrets and configurations, and they are here to stay. [Get started](/docs/esc/get-started/) with Pulumi ESC +[Pulumi Environment, Secrets and Configuration (ESC)](/docs/esc/) is our answer to the growing needs of our customers to manage secret sprawl and streamline config management. Pulumi ESC allows teams to store and aggregate secrets and configuration from various sources into a composable collection called an environment. You can dynamically generate [OIDC credentials](/docs/esc/environments/configuring-oidc) from all three major cloud providers (AWS, Azure and GCP), and integrate with other [secrets managers](/docs/esc/get-started/retrieve-external-secrets/) like AWS Secrets Manager, Hashicorp Vault, Azure Vault and GCP Secret manager to pull secrets during runtime. Its hierarchical structure simplifies the composition and reuse of configurations, ensuring secure, auditable management and robust access control. 
With Pulumi ESC, the trend is clear: organizations are choosing its comprehensive approach for managing secrets and configurations, and they are here to stay. [Get started](/docs/esc/get-started/) with Pulumi ESC ![Pulumi ESC Growth](pulumi-esc-growth.png) diff --git a/content/docs/esc/concepts/how-esc-works.md b/content/docs/esc/concepts/how-esc-works.md index 6e7ada943542..a92736b0fa13 100644 --- a/content/docs/esc/concepts/how-esc-works.md +++ b/content/docs/esc/concepts/how-esc-works.md @@ -37,7 +37,7 @@ Pulumi ESC integrates with many popular cloud login providers and secrets manage * [HashiCorp Vault OIDC](/docs/esc/integrations/dynamic-login-credentials/vault-login/) and [Vault Secrets](/docs/esc/integrations/dynamic-secrets/vault-secrets/) * [1Password](/docs/esc/integrations/dynamic-secrets/1password-secrets/), [Kubernetes](/docs/esc/integrations/kubernetes/), among others. -Teams can setup [OpenID Connect integration](/docs/pulumi-cloud/oidc/) in their cloud providers to allow ESC environments to pull short-lived credentials via **OIDC** for secure, time-limited access to secrets. These credentials can then be used in both [Pulumi IaC](/docs/pulumi-cloud/esc/environments/#using-with-pulumi-iac) workflows and [external CLIs](/docs/pulumi-cloud/esc/environments/#running-third-party-commands-using-pulumi-esc-secrets-and-config) like `aws`, `kubectl`, etc. +Teams can setup [OpenID Connect integration](/docs/esc/environments/configuring-oidc/) in their cloud providers to allow ESC environments to pull short-lived credentials via **OIDC** for secure, time-limited access to secrets. These credentials can then be used in both [Pulumi IaC](/docs/pulumi-cloud/esc/environments/#using-with-pulumi-iac) workflows and [external CLIs](/docs/pulumi-cloud/esc/environments/#running-third-party-commands-using-pulumi-esc-secrets-and-config) like `aws`, `kubectl`, etc. ## The ESC data model 
diff --git a/content/docs/esc/environments/configuring-oidc/gcp.md b/content/docs/esc/environments/configuring-oidc/gcp.md index eda9206320a5..0ed2a4585113 100644 --- a/content/docs/esc/environments/configuring-oidc/gcp.md +++ b/content/docs/esc/environments/configuring-oidc/gcp.md @@ -38,7 +38,7 @@ Please note that this guide provides step-by-step instructions based on the offi ## Configure a Service Account -Once you have created your workload identity pool and provider, you will be directed to the pool details page. If you already have an appropriate service account created, skip ahead to the steps found in the [Grant access to the service account](/docs/pulumi-cloud/oidc/provider/gcp/#grant-access-to-the-service-account) section. Otherwise, continue through the steps below to create a new one. +Once you have created your workload identity pool and provider, you will be directed to the pool details page. If you already have an appropriate service account created, skip ahead to the steps found in the [Grant access to the service account](#grant-access-to-the-service-account) section. Otherwise, continue through the steps below to create a new one. ### Create a new service account diff --git a/content/docs/esc/get-started/begin.md b/content/docs/esc/get-started/begin.md index acb49679f211..75d1132f3b64 100644 --- a/content/docs/esc/get-started/begin.md +++ b/content/docs/esc/get-started/begin.md 
@@ -80,11 +80,11 @@ Logged in to https://api.pulumi.com/ as your-pulumi-org (https://app.pulumi.com/ ### [Optional] Configure OpenID Connect (OIDC) -Pulumi supports [OpenID Connect (OIDC) integration](/docs/pulumi-cloud/oidc/) across various services including Pulumi ESC. OIDC enables secure interactions between Pulumi and cloud providers by leveraging signed, short-lived tokens issued by the Pulumi Cloud. Use one of the following guides below to configure OIDC between Pulumi ESC and your chosen cloud provider: +Pulumi supports [OpenID Connect (OIDC) integration](/docs/esc/environments/configuring-oidc) across various services including Pulumi ESC. OIDC enables secure interactions between Pulumi and cloud providers by leveraging signed, short-lived tokens issued by the Pulumi Cloud. Use one of the following guides below to configure OIDC between Pulumi ESC and your chosen cloud provider: -- [OIDC Configuration for AWS](/docs/pulumi-cloud/oidc/provider/aws/) -- [OIDC Configuration for Azure](/docs/pulumi-cloud/oidc/provider/azure/) -- [OIDC Configuration for Google Cloud](/docs/pulumi-cloud/oidc/provider/gcp/) +- [OIDC Configuration for AWS](/docs/esc/environments/configuring-oidc/aws/) +- [OIDC Configuration for Azure](/docs/esc/environments/configuring-oidc/azure/) +- [OIDC Configuration for Google Cloud](/docs/esc/environments/configuring-oidc/gcp/) This is an optional step that is not required to get started with Pulumi ESC. There are some steps in this series that will require OIDC configuration to complete, but that will be indicated on the relevant pages. diff --git a/content/docs/esc/get-started/retrieve-external-secrets.md b/content/docs/esc/get-started/retrieve-external-secrets.md index 8de71d96e67a..fe502b315192 100644 --- a/content/docs/esc/get-started/retrieve-external-secrets.md +++ b/content/docs/esc/get-started/retrieve-external-secrets.md 
@@ -127,7 +127,7 @@ To retrieve secret values from Azure Key Vault, you must first: - [create an Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/quick-create-portal) - add a Key Vault role assignment - - On your Key Vault's service page, follow steps 3 - 8 in the [Azure OIDC guide](/docs/pulumi-cloud/oidc/provider/azure/#create-a-service-principal), making sure to select the "Key Vault Secrets Officer" role under the **Job functions role** tab + - On your Key Vault's service page, follow steps 3 - 8 in the [Azure OIDC guide](/docs/esc/environments/configuring-oidc/azure#create-a-service-principal), making sure to select the "Key Vault Secrets Officer" role under the **Job functions role** tab - [create an Azure Key Vault secret](https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-portal) Once that is complete, you will need to update your environment definition to add the [`azure-secrets` provider](/docs/esc/integrations/dynamic-secrets/azure-secrets/) configuration. To do this, add the following configuration to your environment definition, making sure to: diff --git a/content/docs/esc/get-started/use-short-term-credentials.md b/content/docs/esc/get-started/use-short-term-credentials.md index dd4996593b9e..7a7d68983468 100644 --- a/content/docs/esc/get-started/use-short-term-credentials.md +++ b/content/docs/esc/get-started/use-short-term-credentials.md 
@@ -138,10 +138,10 @@ ESC dynamic credentials and the `esc run` command can be used for various scenar See the following guides to set up OIDC between Pulumi ESC and your specific cloud provider: -- [Configuring OIDC for AWS](/docs/pulumi-cloud/oidc/provider/aws/) -- [Configuring OIDC for Azure](/docs/pulumi-cloud/oidc/provider/azure/) -- [Configuring OIDC for Google Cloud](/docs/pulumi-cloud/oidc/provider/gcp/) -- [Configuring OIDC for Vault](/docs/pulumi-cloud/oidc/provider/vault/) +- [Configuring OIDC for AWS](/docs/esc/environments/configuring-oidc/aws/) +- [Configuring OIDC for Azure](/docs/esc/environments/configuring-oidc/azure/) +- [Configuring OIDC for Google Cloud](/docs/esc/environments/configuring-oidc/gcp/) +- [Configuring OIDC for Vault](/docs/esc/environments/configuring-oidc/vault/) In the next section, you will learn how to retrieve secret values from external sources. diff --git a/content/docs/esc/integrations/dynamic-login-credentials/aws-login.md b/content/docs/esc/integrations/dynamic-login-credentials/aws-login.md index 4bd19eb96610..aad9805d12f2 100644 --- a/content/docs/esc/integrations/dynamic-login-credentials/aws-login.md +++ b/content/docs/esc/integrations/dynamic-login-credentials/aws-login.md @@ -35,7 +35,7 @@ values: ## Configuring OIDC -To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see the [OpenID Connect integration](/docs/pulumi-cloud/oidc/provider/aws/) documentation. +To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see the [OpenID Connect integration](/docs/esc/environments/configuring-oidc/aws/) documentation. ## Inputs diff --git a/content/docs/esc/integrations/dynamic-secrets/_index.md b/content/docs/esc/integrations/dynamic-secrets/_index.md index 726a9a397a14..305b1a4c0aad 100644 --- a/content/docs/esc/integrations/dynamic-secrets/_index.md +++ b/content/docs/esc/integrations/dynamic-secrets/_index.md 
@@ -13,7 +13,7 @@ menu: Pulumi ESC providers enable you to dynamically import secrets and configuration from the provider into your environment. -To learn how to set up and use each provider, follow the links below. To learn how to configure OpenID Connect (OIDC) for the providers that support it, see [OpenID Connect integration](/docs/pulumi-cloud/oidc/) in the Pulumi Cloud documentation. +To learn how to set up and use each provider, follow the links below. To learn how to configure OpenID Connect (OIDC) for the providers that support it, see [OpenID Connect integration](/docs/esc/environments/configuring-oidc) in the Pulumi ESC documentation. | Provider | Description | |------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------| diff --git a/content/docs/esc/integrations/dynamic-secrets/aws-parameter-store.md b/content/docs/esc/integrations/dynamic-secrets/aws-parameter-store.md index 22431567d50b..c250b1afd26c 100644 --- a/content/docs/esc/integrations/dynamic-secrets/aws-parameter-store.md +++ b/content/docs/esc/integrations/dynamic-secrets/aws-parameter-store.md 
@@ -45,7 +45,7 @@ values: ## Configuring OIDC -To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see the [OpenID Connect integration](/docs/pulumi-cloud/oidc/provider/aws/) documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following: +To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see the [OpenID Connect integration](/docs/esc/environments/configuring-oidc/aws/) documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following: * `esc open //` command of the [Pulumi ESC CLI](/docs/esc-cli/) * `pulumi env open //` command of the [Pulumi CLI](/docs/install/) diff --git a/content/docs/esc/integrations/dynamic-secrets/aws-secrets.md b/content/docs/esc/integrations/dynamic-secrets/aws-secrets.md index fba0c5e281cd..ade8a35c7768 100644 --- a/content/docs/esc/integrations/dynamic-secrets/aws-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/aws-secrets.md @@ -68,7 +68,7 @@ values: ## Configuring OIDC -To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see [Configuring OpenID Connect for AWS](/docs/pulumi-cloud/oidc/provider/aws/). Once you have completed these steps, you can validate that your configuration is working by running either of the following: +To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see [Configuring OpenID Connect for AWS](/docs/esc/environments/configuring-oidc/aws/). Once you have completed these steps, you can validate that your configuration is working by running either of the following: * `esc open //` command of the [Pulumi ESC CLI](/docs/esc-cli/) * `pulumi env open //` command of the [Pulumi CLI](/docs/install/) 
diff --git a/content/docs/esc/integrations/dynamic-secrets/azure-secrets.md b/content/docs/esc/integrations/dynamic-secrets/azure-secrets.md index 1b05a4759386..a8636ce2a29a 100644 --- a/content/docs/esc/integrations/dynamic-secrets/azure-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/azure-secrets.md @@ -39,7 +39,7 @@ values: ## Configuring OIDC -To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Azure, see the [OpenID Connect integration](/docs/pulumi-cloud/oidc/provider/azure/) documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following: +To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Azure, see the [OpenID Connect integration](/docs/esc/environments/configuring-oidc/azure/) documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following: * `esc open //` command of the [Pulumi ESC CLI](/docs/esc-cli/) * `pulumi env open //` command of the [Pulumi CLI](/docs/install/) diff --git a/content/docs/esc/integrations/dynamic-secrets/gcp-secrets.md b/content/docs/esc/integrations/dynamic-secrets/gcp-secrets.md index 464c7f135405..8c84eec8faa8 100644 --- a/content/docs/esc/integrations/dynamic-secrets/gcp-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/gcp-secrets.md 
@@ -40,7 +40,7 @@ values: ## Configuring OIDC -To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Google Cloud, see the [OpenID Connect integration](/docs/pulumi-cloud/oidc/provider/gcp/) documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following: +To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Google Cloud, see the [OpenID Connect integration](/docs/esc/environments/configuring-oidc/gcp/) documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following: * `esc open //` command of the [Pulumi ESC CLI](/docs/esc-cli/) * `pulumi env open //` command of the [Pulumi CLI](/docs/install/) diff --git a/content/docs/esc/integrations/rotated-secrets/_index.md b/content/docs/esc/integrations/rotated-secrets/_index.md index 14c262ef3388..54f85b8c5cd7 100644 --- a/content/docs/esc/integrations/rotated-secrets/_index.md +++ b/content/docs/esc/integrations/rotated-secrets/_index.md 
@@ -13,7 +13,7 @@ menu: Pulumi ESC Rotators are ESC functions that enable you to rotate various credentials both automatically and manually for a number of supported services. Rotated credentials are stored in your ESC Environments, allowing you to easily and securely use them from anywhere. Some of the rotators require you to deploy [Rotation Connectors](/docs/esc/environments/rotation/#rotation-connectors) in order to rotate credentials inside private networks. -To learn how to set up and use each rotator, follow the links below. All rotators use [login providers](/docs/esc/integrations/dynamic-login-credentials/) for authorization, with the most secure way being OpenID Connect (OIDC) login providers. Learn more about how to configure them in [OpenID Connect](/docs/pulumi-cloud/oidc/) Pulumi Cloud documentation. +To learn how to set up and use each rotator, follow the links below. All rotators use [login providers](/docs/esc/integrations/dynamic-login-credentials/) for authorization, with the most secure way being OpenID Connect (OIDC) login providers. Learn more about how to configure them in [OpenID Connect](/docs/esc/environments/configuring-oidc) Pulumi Cloud documentation. | Rotator | Required connector | Description | |--------------------------------------------------------------------------|----------------------------------------|--------------------------------------------------------------------------------------------------------------------| diff --git a/content/docs/esc/integrations/rotated-secrets/aws-iam.md b/content/docs/esc/integrations/rotated-secrets/aws-iam.md index 085ef3f2e464..77fa664e04ac 100644 --- a/content/docs/esc/integrations/rotated-secrets/aws-iam.md +++ b/content/docs/esc/integrations/rotated-secrets/aws-iam.md 
@@ -63,7 +63,7 @@ values: ## Configuring OIDC -To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see the [OpenID Connect integration](/docs/pulumi-cloud/oidc/provider/aws/) documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following: +To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and AWS, see the [OpenID Connect integration](/docs/esc/environments/configuring-oidc/aws/) documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following: * `esc open //` command of the [Pulumi ESC CLI](/docs/esc-cli/) * `pulumi env open //` command of the [Pulumi CLI](/docs/install/) diff --git a/content/docs/esc/reference/rotators.md b/content/docs/esc/reference/rotators.md index c5122906b6ed..60df9f2ffbb0 100644 --- a/content/docs/esc/reference/rotators.md +++ b/content/docs/esc/reference/rotators.md 
@@ -12,7 +12,7 @@ menu: Pulumi ESC Rotators are ESC functions that enable you to rotate various credentials both automatically and manually for a number of supported services. Rotated credentials are stored in your ESC Environments, allowing you to easily and securely use them from anywhere. Some of the rotators require you to deploy [Rotation Connectors](/docs/esc/environment/rotation/aws-lambda) in order to rotate credentials inside private networks. -To learn how to set up and use each rotator, follow the links below. All rotators use [login providers](/docs/esc/integrations/dynamic-login-credentials/) for authorization, with the most secure way being OpenID Connect (OIDC) login providers. Learn more about how to configure them in [OpenID Connect](/docs/pulumi-cloud/oidc/) Pulumi Cloud documentation. +To learn how to set up and use each rotator, follow the links below. All rotators use [login providers](/docs/esc/integrations/dynamic-login-credentials/) for authorization, with the most secure way being OpenID Connect (OIDC) login providers. Learn more about how to configure them in [OpenID Connect](/docs/esc/environments/configuring-oidc) Pulumi Cloud documentation. | Rotator | Required connector | Description | |--------------------------------------------------------------------------|----------------------------------------|--------------------------------------------------------------------------------------------------------------------| diff --git a/content/docs/pulumi-cloud/access-management/_index.md b/content/docs/pulumi-cloud/access-management/_index.md index 7e914b9fc5fe..be982a90b93d 100644 --- a/content/docs/pulumi-cloud/access-management/_index.md +++ b/content/docs/pulumi-cloud/access-management/_index.md 
@@ -27,7 +27,7 @@ Pulumi Cloud offers a number of identity and access management controls. - [Stack permissions](stack-permissions/) - [Access tokens](access-tokens/) - [Environment permissions](environment-permissions/) -- [OpenID](oidc/) +- [OpenID Client](oidc-client/) - [Billing managers](billing-managers/) - [SAML single sign-on (SSO)](saml/) - [SCIM](scim/) diff --git a/content/docs/pulumi-cloud/access-management/oidc/client/_index.md b/content/docs/pulumi-cloud/access-management/oidc-client/_index.md similarity index 97% rename from content/docs/pulumi-cloud/access-management/oidc/client/_index.md rename to content/docs/pulumi-cloud/access-management/oidc-client/_index.md index ed84ee40d319..97ea80ec4e55 100644 --- a/content/docs/pulumi-cloud/access-management/oidc/client/_index.md +++ b/content/docs/pulumi-cloud/access-management/oidc-client/_index.md @@ -8,11 +8,14 @@ meta_image: /images/docs/meta-images/docs-meta.png menu: cloud: name: OpenID client - parent: pulumi-cloud-access-management-oidc - weight: 1 + parent: pulumi-cloud-access-management + weight: 4 identifier: pulumi-cloud-access-management-oidc-client aliases: - /docs/pulumi-cloud/oidc/client/ +- /docs/pulumi-cloud/oidc/ +- /docs/pulumi-cloud/access-management/oidc/client/ +- /docs/pulumi-cloud/access-management/oidc/ --- Pulumi supports establishing trust relationships with third party OIDC providers by leveraging id_tokens and allowing it to be exchanged for a short-lived Pulumi access token. This mechanism enhances security by eliminating the necessity for hardcoded credentials. diff --git a/content/docs/pulumi-cloud/access-management/oidc/client/eks-policy.png b/content/docs/pulumi-cloud/access-management/oidc-client/eks-policy.png similarity index 100% rename from content/docs/pulumi-cloud/access-management/oidc/client/eks-policy.png rename to content/docs/pulumi-cloud/access-management/oidc-client/eks-policy.png 
diff --git a/content/docs/pulumi-cloud/access-management/oidc/client/github-policies.png b/content/docs/pulumi-cloud/access-management/oidc-client/github-policies.png similarity index 100% rename from content/docs/pulumi-cloud/access-management/oidc/client/github-policies.png rename to content/docs/pulumi-cloud/access-management/oidc-client/github-policies.png diff --git a/content/docs/pulumi-cloud/access-management/oidc/client/github.md b/content/docs/pulumi-cloud/access-management/oidc-client/github.md similarity index 100% rename from content/docs/pulumi-cloud/access-management/oidc/client/github.md rename to content/docs/pulumi-cloud/access-management/oidc-client/github.md diff --git a/content/docs/pulumi-cloud/access-management/oidc/client/gke-policy.png b/content/docs/pulumi-cloud/access-management/oidc-client/gke-policy.png similarity index 100% rename from content/docs/pulumi-cloud/access-management/oidc/client/gke-policy.png rename to content/docs/pulumi-cloud/access-management/oidc-client/gke-policy.png diff --git a/content/docs/pulumi-cloud/access-management/oidc/client/kubernetes-eks.md b/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-eks.md similarity index 100% rename from content/docs/pulumi-cloud/access-management/oidc/client/kubernetes-eks.md rename to content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-eks.md diff --git a/content/docs/pulumi-cloud/access-management/oidc/client/kubernetes-gke.md b/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-gke.md similarity index 100% rename from content/docs/pulumi-cloud/access-management/oidc/client/kubernetes-gke.md rename to content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-gke.md 
diff --git a/content/docs/pulumi-cloud/access-management/oidc/client/kubernetes-policy.png b/content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-policy.png similarity index 100% rename from content/docs/pulumi-cloud/access-management/oidc/client/kubernetes-policy.png rename to content/docs/pulumi-cloud/access-management/oidc-client/kubernetes-policy.png diff --git a/content/docs/pulumi-cloud/access-management/oidc/client/register-eks.png b/content/docs/pulumi-cloud/access-management/oidc-client/register-eks.png similarity index 100% rename from content/docs/pulumi-cloud/access-management/oidc/client/register-eks.png rename to content/docs/pulumi-cloud/access-management/oidc-client/register-eks.png diff --git a/content/docs/pulumi-cloud/access-management/oidc/client/register-github.png b/content/docs/pulumi-cloud/access-management/oidc-client/register-github.png similarity index 100% rename from content/docs/pulumi-cloud/access-management/oidc/client/register-github.png rename to content/docs/pulumi-cloud/access-management/oidc-client/register-github.png diff --git a/content/docs/pulumi-cloud/access-management/oidc/client/register-gke.png b/content/docs/pulumi-cloud/access-management/oidc-client/register-gke.png similarity index 100% rename from content/docs/pulumi-cloud/access-management/oidc/client/register-gke.png rename to content/docs/pulumi-cloud/access-management/oidc-client/register-gke.png diff --git a/content/docs/pulumi-cloud/access-management/oidc/client/register-new-issuer.png b/content/docs/pulumi-cloud/access-management/oidc-client/register-new-issuer.png similarity index 100% rename from content/docs/pulumi-cloud/access-management/oidc/client/register-new-issuer.png rename to content/docs/pulumi-cloud/access-management/oidc-client/register-new-issuer.png 
diff --git a/content/docs/pulumi-cloud/access-management/oidc/_index.md b/content/docs/pulumi-cloud/access-management/oidc/_index.md deleted file mode 100644 index a6d21c58f554..000000000000 --- a/content/docs/pulumi-cloud/access-management/oidc/_index.md +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -title_tag: OpenID Connect -meta_desc: This page provides an overview of how Pulumi can integrate with OIDC providers -title: OpenID -h1: OpenID Connect Provider integration -meta_image: /images/docs/meta-images/docs-meta.png -menu: - cloud: - name: OpenID - parent: pulumi-cloud-access-management - weight: 4 - identifier: pulumi-cloud-access-management-oidc -aliases: -- /docs/pulumi-cloud/oidc/ ---- - -Pulumi supports OpenID Connect (OIDC) integration across various services by leveraging signed, short-lived tokens and eliminating the necessity for hardcoded cloud provider credentials and facilitates the exchange of these tokens for short-term credentials. - -## Overview - -There are two ways Pulumi can integrate using OpenID Connect. Pulumi can operate as an [OIDC provider](/docs/pulumi-cloud/oidc/provider/) issuing signed, short-lived tokens that can be exchanged by short-term credentials from your cloud provider; or as an [OIDC client](/docs/pulumi-cloud/oidc/client/) accepting OIDC tokens issued by a trusted OIDC provider to be exchanged for short-lived Pulumi access tokens. - -## Solving the Secret Zero problem - -When teams adopt Pulumi, securely managing authentication is the cornerstone of a strong security posture. One approach is to integrate Pulumi with a cloud or CI/CD provider using a long-term access token, but this introduces the "secret zero" problem and potential security risks. These credentials are often set once and forgotten, making them vulnerable if rotation is needed or if they become compromised. - -The best practice for securing Pulumi and provider authentication is to use OIDC, which replaces static credentials with short-term digitally signed identity tokens issued by the cloud provider. This approach eliminates the need for long-lived secrets by establishing a trust relationship using public-key cryptography. 
- -An OIDC token represents an application's or workload's identity in a cloud environment—often called a workload identity. It includes claims such as the application's name, which a service provider can use to grant access to resources based on best-practice security policies. diff --git a/content/docs/pulumi-cloud/access-management/oidc/provider/aws.md b/content/docs/pulumi-cloud/access-management/oidc/provider/aws.md deleted file mode 100644 index f32c0189294e..000000000000 --- a/content/docs/pulumi-cloud/access-management/oidc/provider/aws.md +++ /dev/null 
@@ -1,207 +0,0 @@ ---- -title_tag: Configure OpenID Connect for AWS | OIDC -meta_desc: This page describes how to configure OIDC token exchange in AWS for use with Pulumi Cloud -title: AWS -h1: Configuring OpenID Connect for AWS -meta_image: /images/docs/meta-images/docs-meta.png -menu: - cloud: - name: AWS - parent: pulumi-cloud-access-management-oidc-provider - weight: 1 - identifier: pulumi-cloud-access-management-oidc-provider-aws -aliases: -- /docs/guides/oidc/provider/aws -- /docs/intro/deployments/oidc/provider/aws/ -- /docs/pulumi-cloud/deployments/oidc/provider/aws/ -- /docs/pulumi-cloud/oidc/provider/aws/ -- /docs/pulumi-cloud/oidc/aws/ ---- - -This document outlines the steps required to configure Pulumi to use OpenID Connect to authenticate with AWS. OIDC in AWS uses a web identity provider to assume an IAM role. Access to the IAM role is authorized using a trust policy that validates the contents of the OIDC token issued by the Pulumi Cloud. - -## Create the identity provider - -1. In the navigation pane of the [IAM console](https://console.aws.amazon.com/iam/), choose **Identity providers**, and then choose **Add provider**. - {{< video title="Starting the Create Identity Provider wizard" src="https://www.pulumi.com/uploads/create-idp-start.mp4" autoplay="true" loop="true" >}} -2. In the **Provider type** section, click the radio button next to **OpenID Connect**. -3. For the **Provider URL**, provide the following URL: `https://api.pulumi.com/oidc` -4. For the **Audience** field, the value will differ between Pulumi deployments and ESC. For Deployments the value is only the name of your Pulumi organization. For ESC the value is the name of your Pulumi organization prefixed with `aws:` (e.g. `aws:{org}`). Then click **Add provider**. - {{< notes type="info" >}} - For environments in the `default` project, the audience will use just the Pulumi organization name. This is to prevent regressions for legacy environments. 
- {{< /notes >}} - -## Configure the IAM role and trust policy - -Once you have created the identity provider, you will see a notification at the top of your screen prompting you to assign an IAM role. - -1. Click the **Assign role** button. -2. Select the **Create a new role** option, then click **Next**. - {{< video title="Prompt for assigning IAM role" src="https://www.pulumi.com/uploads/assign-iam-role-prompt.mp4" autoplay="true" loop="true" >}} -3. On the IAM **Create role** page, ensure the **Web identity** radio button is selected. -4. In the **Web identity** section: - * Select `api.pulumi.com/oidc` under **Identity provider**. - * Select the name of your Pulumi organization (if using ESC, prefixed with `aws:`) under **Audience**. Then click **Next**. - {{< video title="Create IAM role wizard" src="https://www.pulumi.com/uploads/create-role-wizard.mp4" autoplay="true" loop="true" >}} -5. On the **Add permissions** page, select the permissions that you want to grant to your Pulumi service. Then click **Next**. - {{< notes type="info" >}} - For setting up an AWS Pulumi insights account, you can use the role `ReadOnlyAccess` managed by [aws](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html). - {{< /notes >}} - {{< video title="Adding S3 permissions to IAM role" src="https://www.pulumi.com/uploads/create-role-add-perms.mp4" autoplay="true" loop="true" >}} -6. Provide a name and optional description for the IAM role. Then click **Create role**. - {{< video title="Adding name and description to role then creating it" src="https://www.pulumi.com/uploads/create-role.mp4" autoplay="true" loop="true" >}} - -Make a note of the IAM role's ARN; it will be necessary to enable OIDC for your service. - -For more granular access control, edit the trust policy of your IAM role with [Token claims](/docs/pulumi-cloud/access-management/oidc/provider/#custom-claims) for each service. The `sub` claim can be customized as shown below. 
- -### Pulumi Deployments - -In the following example, the role may only be assumed by stacks within the `Core` project of the `contoso` organization: - -```json -"Condition": { - "StringEquals": { - "api.pulumi.com/oidc:aud": "contoso" - }, - "StringLike": { - "api.pulumi.com/oidc:sub": "pulumi:deploy:org:contoso:project:Core:*" - } -} -``` - -### Pulumi ESC - -Consider the following ESC definition for `project/development` environment opened by user `personA`: - -```yaml -values: - aws: - login: - fn::open::aws-login: - oidc: - ... - subjectAttributes: - - currentEnvironment.name - - pulumi.user.login -``` - -The OIDC subject claim for this environment would be `pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:project/development:pulumi.user.login:personA`. The role may only be assumed by `project/development` environment and user `personA` within the `contoso` organization: - -```json -"Condition": { - "StringEquals": { - "api.pulumi.com/oidc:aud": "aws:contoso", - "api.pulumi.com/oidc:sub": "pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:project/development:pulumi.user.login:personA" - } -} -``` - -The subject always contains the prefix `pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}` and every key configured will be appended to this prefix. The list of all possible options for `subjectAttributes` are: - -* `rootEnvironment.name`: the name of the environment that is opened first. This root environment in turn opens other imported environments -* `currentEnvironment.name`: the full name (including the project) of the environment where the ESC login provider and `subjectAttributes` are defined -* `pulumi.user.login`: the login identifier of the user opening the environment -* `pulumi.organization.login`: the login identifier of the organization - -When importing multiple environments into Pulumi IaC Stack Config, each environment is resolved separately. 
For example, if you import multiple environments into your Pulumi Stack with `rootEnvironment.name` attribute defined in all of them, then each `rootEnvironment.name` will resolve to the environment name where it is defined. - -The default format of the subject claim when `subjectAttributes` are not used is `pulumi:environments:org::env:/` - -{{< notes type="warning" >}} - -For environments within the legacy `default` project, the project will **not** be present in the subject to preserve backwards compatibility. The format of the subject claim when `subjectAttributes` are not set is `pulumi:environments:org::env:`. If `currentEnvironment.name` is used as a custom subject attribute it will resolve to only the environment name (e.g. `pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:development:pulumi.user.login:personA`). Due to this it is recommended to move your environments out of the `default` project for best security practices. - -{{< /notes >}} - -{{< notes type="info" >}} - -If you are integrating Pulumi ESC with Pulumi IaC, the default subject identifier of the environment will be `pulumi:environments:org:contoso:env:`. The literal value of `` need to be used and will be the same for all environments. Hence, for best security practices we recommend using `subjectAttributes`. If you want to set environment level or even granular permissions in your trust policy, then we recommend using `subjectAttributes` property. - -{{< /notes >}} - -## Configure OIDC via the Pulumi console - -### Pulumi Deployments - -{{% notes "info" %}} -In addition to the Pulumi Console, deployment settings including OIDC can be configured for a stack using the [pulumiservice.DeploymentSettings](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/) resource or via the [REST API](/docs/pulumi-cloud/deployments/api/#patchsettings). -{{% /notes %}} - -1. Navigate to your stack in the Pulumi Console. -2. 
Open the stack's "Settings" tab. -3. Choose the "Deploy" panel. -4. Under the "OpenID Connect" header, toggle "Enable AWS Integration". -5. Enter the ARN of the IAM role to created above in the "Role ARN" field. -6. Enter a name for the assumed role session in the "Session Name" field. -7. If you would like to use additional policies to further constrain the session's capabilities, enter the policies' ARNs separated by commas in the "Policy ARNs" field. -8. If you would like to constrain the duration of the assumed role session, enter a duration in the form "XhYmZs" in the "Session Duration" field. -9. Click the "Save deployment configuration" button. - -With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for AWS credentials using the specified IAM role prior to running any pre-commands or Pulumi operations. The fetched credentials are published in the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN` environment variables. The raw OIDC token is also available for advanced scenarios in the `PULUMI_OIDC_TOKEN` environment variable and the `/mnt/pulumi/pulumi.oidc` file. - -### Pulumi ESC - -To configure OIDC for Pulumi ESC, create a new environment in the [Pulumi Console](https://app.pulumi.com/). Make sure that you have the correct organization selected in the left-hand navigation menu. Then: - -1. Click the **Environments** link. -2. Click the **Create environment** button. -3. Provide a project to create your new environment in and a name for your environment. -4. Click the **Create environment** button. - {{< video title="Creating a new Pulumi ESC environment" src="https://www.pulumi.com/uploads/create-new-environment.mp4" autoplay="true" loop="true" >}} -5. You will be presented with a split-pane editor. 
Delete the default placeholder content in the editor and replace it with the following code: - - ```yaml - values: - aws: - login: - fn::open::aws-login: - oidc: - duration: 1h - roleArn: - sessionName: pulumi-environments-session - subjectAttributes: - - currentEnvironment.name - - pulumi.user.login - environmentVariables: - AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId} - AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey} - AWS_SESSION_TOKEN: ${aws.login.sessionToken} - ``` - -6. Replace `` with the value from the previous steps. -7. Scroll to the bottom of the page and click **Save**. - -{{< video title="Adding configuration to Pulumi ESC environment" src="https://www.pulumi.com/uploads/add-environment-config.mp4" autoplay="true" loop="true" >}} - -You can validate that your configuration is working by running either of the following: - -* `esc open //` command of the [ESC CLI](/docs/esc-cli/) -* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) - -Make sure to replace ``, ``, and `` with the values of your Pulumi organization, project, and environment file respectively. You should see output similar to the following: - -```bash -{ - "aws": { - "login": { - "accessKeyId": "ASIA....", - "secretAccessKey": "rtBS....", - "sessionToken": "Fwo...." - } - }, - "environmentVariables": { - "AWS_ACCESS_KEY_ID": "ASIA....", - "AWS_SECRET_ACCESS_KEY": "rtBS....", - "AWS_SESSION_TOKEN": "Fwo...." - } -} -``` - -To learn more about how to set up and use the various providers in Pulumi ESC, please refer to the [relevant Pulumi documentation](/docs/esc/integrations/) - -## Automate OIDC configuration - -Our [Examples](https://github.com/pulumi/examples) repository provides a wide variety of automations using Pulumi Infrastructure as Code (IaC). 
If you want to automate the configuration and deployment of OIDC between Pulumi and AWS, take a look at the following examples to help you get started: - -* [Configure OIDC for ESC in Pulumi Python](https://github.com/pulumi/examples/tree/master/aws-py-oidc-provider-pulumi-cloud) diff --git a/content/docs/pulumi-cloud/access-management/oidc/provider/aws/review-trust-policy.png b/content/docs/pulumi-cloud/access-management/oidc/provider/aws/review-trust-policy.png deleted file mode 100644 index 8b138bf83b42..000000000000 Binary files a/content/docs/pulumi-cloud/access-management/oidc/provider/aws/review-trust-policy.png and /dev/null differ diff --git a/content/docs/pulumi-cloud/access-management/oidc/provider/aws/show-trust-policy.png b/content/docs/pulumi-cloud/access-management/oidc/provider/aws/show-trust-policy.png deleted file mode 100644 index 8b138bf83b42..000000000000 Binary files a/content/docs/pulumi-cloud/access-management/oidc/provider/aws/show-trust-policy.png and /dev/null differ diff --git a/content/docs/pulumi-cloud/access-management/oidc/provider/azure.md b/content/docs/pulumi-cloud/access-management/oidc/provider/azure.md deleted file mode 100644 index cfa40de0c2d7..000000000000 --- a/content/docs/pulumi-cloud/access-management/oidc/provider/azure.md +++ /dev/null 
@@ -1,226 +0,0 @@ ---- -title_tag: Configure OpenID Connect for Azure | OIDC -meta_desc: This page describes how to configure OIDC token exchange in Azure for use with Pulumi -title: Azure -h1: Configuring OpenID Connect for Azure -meta_image: /images/docs/meta-images/docs-meta.png -menu: - cloud: - name: Azure - parent: pulumi-cloud-access-management-oidc-provider - weight: 2 - identifier: pulumi-cloud-access-management-oidc-provider-azure -aliases: -- /docs/guides/oidc/provider/azure -- /docs/intro/deployments/oidc/provider/azure/ -- /docs/pulumi-cloud/deployments/oidc/provider/azure/ -- /docs/pulumi-cloud/oidc/provider/azure/ -- /docs/pulumi-cloud/oidc/azure/ ---- - -This document outlines the steps required to configure Pulumi to use OpenID Connect to authenticate with Azure. OIDC in Azure uses [workload identity federation](https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation) to access Azure resources via a Microsoft Entra App. Access to the temporary credentials is authorized using federated credentials that validate the contents of the OIDC token issued by the Pulumi Cloud. - -## Prerequisites - -* You must have access in the Azure Portal to create and configure Microsoft Entra App registrations. - -{{< notes type="warning" >}} -Please note that this guide provides step-by-step instructions based on the official provider documentation which is subject to change. For the most current and precise information, always refer to the [official Azure documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). -{{< /notes >}} - -## Create a Microsoft Entra application - -In the navigation pane of the [Microsoft Entra console](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview): - -1. Select **App registrations** and then click **New registration**. -2. Provide a name for your application (ex: `pulumi-esc-oidc-app`). -3. 
In the **Supported account types** section, select **Accounts in this organizational directory only**. -4. Click **Register**. - -After the Microsoft Entra application has been created, take note of the following details: - -* Subscription ID -* Application (client) ID -* Directory (tenant) ID - -These values will be necessary when enabling OIDC for your service. - -## Add federated credentials - -Once you have created your new application registration, you will be redirected to the application's **Overview** page. In the left navigation menu: - -1. Navigate to the **Certificates & secrets** pane. -2. Select the **Federated credentials** tab. -3. Click on the **Add credential** button. This will start the "Add a credential" wizard. -4. In the wizard, select **Other Issuer** as the **Federated credential scenario**. -5. Fill in the remaining form fields as follows: - * **Issuer:** `https://api.pulumi.com/oidc` - * **Subject Identifier:** must be a valid subject claim (see examples at the end of this section). - * **Name:** An arbitrary name for the credential, e.g. "pulumi-oidc-credentials" - * **Audience:** This is different between Pulumi deployments and ESC. For Deployments this is only the name of your Pulumi organization. For ESC this is the name of your Pulumi organization prefixed with `azure:` (e.g. `azure:{org}`). -{{< notes type="info" >}} -For environments in the `default` project the audience will use just the Pulumi organization name. This is to prevent regressions for legacy environments. -{{< /notes >}} - -### Subject claim examples - -Depending on the Pulumi service you are configuring OIDC for, the value of the subject claim will be different. You can learn more about configuring OIDC with Pulumi by referring to the [relevant documentation](/docs/pulumi-cloud/oidc/). - -The below sections show examples that correspond to each OIDC-supported service. 
- -#### Pulumi Deployments - -Because Azure's federated credentials require that the subject identifier exactly matches an OIDC token's subject claim, this process must be repeated for each permutation of the subject claim that is possible for a stack. For example, in order to enable all of the valid operations on a stack named `dev` of the `core` project in the `contoso` organization, you would need to create credentials for each of the following subject identifiers: - -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:preview:scope:write` -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:update:scope:write` -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:refresh:scope:write` -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:destroy:scope:write` - -#### Pulumi ESC - -The below is an example of a valid subject claim for the `project/development` environment of the `contoso` organization: - -* `pulumi:environments:org:contoso:env:project/development` - -The default format of the subject claim when `subjectAttributes` are not used is `pulumi:environments:org::env:/` - -{{< notes type="warning" >}} - -For environments within the legacy `default` project, the project will **not** be present in the subject to preserve backwards compatibility. The format of the subject claim when `subjectAttributes` are not set is `pulumi:environments:org::env:`. If `currentEnvironment.name` is used as a custom subject attribute it will resolve to only the environment name (e.g. `pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:development:pulumi.user.login:personA`). Due to this it is recommended to move your environments out of the `default` project for best security practices. - -{{< /notes >}} - -{{< notes type="warning" >}} - -If you are integrating Pulumi ESC with Pulumi IaC, the default subject identifier of the ESC environment will not work at this time. 
There is a [known issue](https://github.com/pulumi/pulumi/issues/14509) with the subject identifier's value sent to Azure from Pulumi. - -Use 'subjectAttributes' to customize the subject identifier to work with Pulumi IaC. Alternatively, you can use this syntax: `pulumi:environments:org:contoso:env:` when configuring the subject claim in your cloud provider account. Make sure to replace `contoso` with the name of your Pulumi organization and use the literal value of `` as shown. - -{{< /notes >}} - -##### Subject customization - -It is possible to customize the OIDC token subject claim by setting configuring the `subjectAttributes` setting. It expects an array of keys to include in it: - -* `rootEnvironment.name`: the name of the environment that is opened first. This root environment in turn opens other imported environments -* `currentEnvironment.name`: the full name (including the project) of the environment where the ESC login provider and `subjectAttributes` are defined -* `pulumi.user.login`: the login identifier of the user opening the environment -* `pulumi.organization.login`: the login identifier of the organization - -The subject always contains the following prefix `pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}` and every key configured will be appended to this prefix. For example, consider the following environment: - -```yaml -values: - azure: - login: - fn::open::azure-login: - ... - subjectAttributes: - - currentEnvironment.name - - pulumi.user.login -``` - -The subject will be `pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:project/development:pulumi.user.login:userLogin`. Note how the keys and values are appended along with the prefix. - -## Create a service principal - -To provide Pulumi services the ability to deploy, manage, and interact with Azure resources, you need to associate your Microsoft Entra application with your Subscription or Resource Group. - -1. 
Navigate to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV1) page of the Azure portal. -2. Select the subscription to create the service principal in. - * If you want to limit access to a specific resource group, go to the [Resource Groups](https://portal.azure.com/#view/HubsExtension/BrowseResourceGroups) page instead and select the desired resource group. -3. In the left navigation menu, select **Access control (IAM)**. -4. Click **Add** > **Add role assignment** to be taken to the **Add role assignment** wizard. -5. Under the **Job function roles** tab, select the desired role from the list, then click **Next**. -6. Select **User, group, or service principal**, then click **Select members** -7. Enter the name of the application you created in a previous step, select it from the list, then click **Select**. -8. Click **Next** and then **Review + assign**. - -## Configure OIDC in the Pulumi console - -### Pulumi Deployments - -{{% notes "info" %}} -In addition to the Pulumi Console, deployment settings including OIDC can be configured for a stack using the [pulumiservice.DeploymentSettings](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/) resource or via the [REST API](/docs/pulumi-cloud/deployments/api/#patchsettings). -{{% /notes %}} - -1. Navigate to your stack in the [Pulumi Console](https://app.pulumi.com/). -2. Open the stack's **Settings** tab. -3. Choose the **Deploy** panel. -4. Under the **OpenID Connect** header, toggle **Enable Azure Integration**. -5. Enter the client and tenant IDs for the app registration created above in the **Client ID** and **Tenant ID** fields, respectively. -6. Enter the ID of the subscription you want to use in the **Subscription ID** field. -7. Click the **Save deployment configuration** button. 
- -With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for Azure credentials using the specified AAD App prior to running any pre-commands or Pulumi operations. The fetched credentials are published in the `ARM_CLIENT_ID`, `ARM_TENANT_ID`, and `ARM_SUBSCRIPTION_ID` environment variables. The raw OIDC token is also available for advanced scenarios in the `PULUMI_OIDC_TOKEN` environment variable and the `/mnt/pulumi/pulumi.oidc` file. - -### Pulumi ESC - -To configure OIDC for Pulumi ESC, create a new environment in the [Pulumi Console](https://app.pulumi.com/). Make sure that you have the correct organization selected in the left-hand navigation menu. Then: - -1. Click the **Environments** link. -2. Click the **Create environment** button. -3. Provide a project to create your new environment in and a name for your environment. - * This should be the same as the identifier provided in the subject claim of your federated credentials. -4. Click the **Create environment** button. - {{< video title="Creating a new Pulumi ESC environment" src="https://www.pulumi.com/uploads/create-new-environment.mp4" autoplay="true" loop="true" >}} -5. You will be presented with a split-pane view. Delete the default placeholder content in the editor and replace it with the following code: - - ```yaml - values: - azure: - login: - fn::open::azure-login: - clientId: - tenantId: - subscriptionId: /subscriptions/ - oidc: true - environmentVariables: - ARM_USE_OIDC: 'true' - ARM_CLIENT_ID: ${azure.login.clientId} - ARM_TENANT_ID: ${azure.login.tenantId} - ARM_OIDC_TOKEN: ${azure.login.oidc.token} - ARM_SUBSCRIPTION_ID: ${azure.login.subscriptionId} - ``` - -6. Replace ``, ``, and `` with the values from the previous steps. -7. Scroll to the bottom of the page and click **Save**. 
- -You can validate that your configuration is working by running either of the following: - -* `esc open //` command of the [ESC CLI](/docs/esc-cli/) -* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) - -Make sure to replace ``, ``, and `` with the values of your Pulumi organization, project, and environment file respectively. You should see output similar to the following: - -```bash -{ - "azure": { - "login": { - "clientId": "b537....", - "oidc": { - "token": "eyJh...." - }, - "subscriptionId": "0282....", - "tenantId": "7061...." - } - }, - "environmentVariables": { - "ARM_CLIENT_ID": "b537....", - "ARM_OIDC_TOKEN": "eyJh....", - "ARM_SUBSCRIPTION_ID": "0282....", - "ARM_TENANT_ID": "7061....", - "ARM_USE_OIDC": "true" - } -} -``` - -To learn more about how to set up and use the various providers in Pulumi ESC, please refer to the [relevant Pulumi documentation](/docs/esc/integrations/) - -## Automate OIDC configuration - -Our [Examples](https://github.com/pulumi/examples) repository provides a wide variety of automations using Pulumi Infrastructure as Code (IaC). If you want to automate the configuration and deployment of OIDC between Pulumi and Azure, take a look at the following examples to help you get started: - -* [Configure OIDC for ESC in Pulumi Python](https://github.com/pulumi/examples/tree/master/azure-py-oidc-provider-pulumi-cloud) -* [Configure OIDC for Deployments in Pulumi TypeScript](https://github.com/pulumi/workshops/blob/main/az-pulumi-deployments/az-oidc-setup/index.ts) diff --git a/content/docs/pulumi-cloud/access-management/oidc/provider/gcp.md b/content/docs/pulumi-cloud/access-management/oidc/provider/gcp.md deleted file mode 100644 index 06b7f898598a..000000000000 --- a/content/docs/pulumi-cloud/access-management/oidc/provider/gcp.md +++ /dev/null 
@@ -1,221 +0,0 @@ ---- -title_tag: Configure OpenID Connect for Google Cloud | OIDC -meta_desc: This page describes how to configure OIDC token exchange in Google Cloud for use with Pulumi -title: Google Cloud -h1: Configuring OpenID Connect for Google Cloud -meta_image: /images/docs/meta-images/docs-meta.png -menu: - cloud: - name: Google Cloud - parent: pulumi-cloud-access-management-oidc-provider - weight: 3 - identifier: pulumi-cloud-access-management-oidc-provider-gcp -aliases: -- /docs/guides/oidc/provider/gcp -- /docs/intro/deployments/oidc/provider/gcp/ -- /docs/pulumi-cloud/deployments/oidc/provider/gcp/ -- /docs/pulumi-cloud/oidc/provider/gcp/ -- /docs/pulumi-cloud/oidc/gcp/ ---- - -This document outlines the steps required to configure Pulumi to use OpenID Connect to authenticate with Google Cloud. OIDC in Google Cloud uses [workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation) to allow access to resources. Access to the resources is authorized using attribute conditions that validate the contents of the OIDC token issued by the Pulumi Cloud. - -## Prerequisites - -* You must create a [Google Cloud project with the required APIs enabled](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#configure) - -{{< notes type="warning" >}} -Please note that this guide provides step-by-step instructions based on the official provider documentation which is subject to change. For the most current and precise information, always refer to the official [Google Cloud documentation](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers). -{{< /notes >}} - -## Create a Workload Identity Pool and Provider - -1. Navigate to the [Workload Identity Pools page](https://console.cloud.google.com/projectselector2/iam-admin/workload-identity-pools) in the Google Cloud console. -2. Select your Google Cloud project. -3. Click the **Create Pool** button. -4. 
Provide a name and an optional description. then click **Continue** -5. In the **Add a provider to pool** dropdown, select **OpenID Connect (OIDC)**. -6. Provide a name for the provider. -7. In the **Issuer** field, enter `https://api.pulumi.com/oidc`. -8. In the **Audiences** section, select the **Allowed audiences** radio button. The value for this field is different between pulumi deployments and ESC. For Deployments enter just the name of your Pulumi organization. For ESC enter the name of your Pulumi organization prefixed with `gcp:` (e.g. `gcp:{org}`). Then click **Continue**. - {{< notes type="info" >}} - For environments in the `default` project the audience will use just the Pulumi organization name. This is to prevent regressions for legacy environments. - {{< /notes >}} -9. In the **Configure provider attributes** section, provide the value of `assertion.sub` in the **OIDC 1** field. Then click **Save**. - -## Configure a Service Account - -Once you have created your workload identity pool and provider, you will be directed to the pool details page. If you already have an appropriate service account created, skip ahead to the steps found in the [Grant access to the service account](/docs/pulumi-cloud/oidc/provider/gcp/#grant-access-to-the-service-account) section. Otherwise, continue through the steps below to create a new one. - -### Create a new service account - -1. Navigate to the [Service Accounts](https://console.cloud.google.com/projectselector2/iam-admin/serviceaccounts) page. -2. Select your Google Cloud project. -3. Click "Create Service Account". -4. Enter a value for the **Service account name** field. Then click **Create And Continue** - * The **Service account ID** field will auto-populate based on this value. -5. In the **Grant this service account access to project** section, select the role(s) that provides the relevant access to your Pulumi service. Then click **Continue**. -6. 
Leave the values in the next section blank and click **Done**. - -### Grant access to the service account - -1. In your workload identity pool's details page, click the **Grant Access** button. -2. In the **Select service account** dropdown, select the desired service account to associate with the pool. -3. Under the **Select principals** section, click the **Only identities matching the filter** radio button. -4. In the **Attribute name** dropdown, select **Subject**. -5. In the **Attribute value** field, provide a valid subject claim (see examples at the end of this section). Then click **Save**. - -Make a note of the project ID, workload identity pool ID, provider ID, and service account email address from the previous steps. These will be necessary to enable OIDC for your service. - -### Subject claim examples - -Depending on the Pulumi service you are configuring OIDC for, the value of the subject claim will be different. You can learn more about configuring OIDC with Pulumi by referring to the [relevant documentation](/docs/pulumi-cloud/oidc/). - -The below sections show examples that correspond to each OIDC-supported service. - -#### Pulumi Deployments - -To enable valid operations on a specific stack, Google federated credentials require an exact match on the OIDC token subject claim. Unfortunately, the subject identifier does *not* currently allow wildcards. Therefore, you must create credentials for each permutation of the subject claim that is possible for the stack. 
- -For example, to enable all of the valid operations on a stack named `dev` of the `core` project in the `contoso` organization, you would need to create credentials for each of the following subject identifiers: - -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:preview:scope:write` -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:update:scope:write` -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:refresh:scope:write` -* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:destroy:scope:write` - -#### Pulumi ESC - -The below is an example of a valid subject claim for the `project/development` environment of the `contoso` organization: - -* `pulumi:environments:org:contoso:env:project/development` - -The default format of the subject claim when `subjectAttributes` are not used is `pulumi:environments:org::env:/` - -{{< notes type="warning" >}} - -For environments within the legacy `default` project, the project will **not** be present in the subject to preserve backwards compatibility. The format of the subject claim when `subjectAttributes` are not set is `pulumi:environments:org::env:`. If `currentEnvironment.name` is used as a custom subject attribute it will resolve to only the environment name (e.g. `pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:development:pulumi.user.login:personA`). Due to this it is recommended to move your environments out of the `default` project for best security practices. - -{{< /notes >}} - -You can learn more about setting up OIDC for Pulumi ESC by referring to the [relevant Pulumi documentation](/docs/pulumi-cloud/access-management/oidc/). - -{{< notes type="warning" >}} - -If you are integrating Pulumi ESC with Pulumi IaC, the default subject identifier of the ESC environment will not work at this time. There is a [known issue](https://github.com/pulumi/pulumi/issues/14509) with the subject identifier's value sent to Azure from Pulumi. 
- -Use 'subjectAttributes' to customize the subject identifier to work with Pulumi IaC. Alternatively, you can use this syntax: `pulumi:environments:org:contoso:env:` when configuring the subject claim in your cloud provider account. Make sure to replace `contoso` with the name of your Pulumi organization and use the literal value of `` as shown. - -{{< /notes >}} - -##### Subject customization - -It is possible to customize the OIDC token subject claim by setting configuring the `subjectAttributes` setting. It expects an array of keys to include in it: - -* `rootEnvironment.name`: the name of the environment that is opened first. This root environment in turn opens other imported environments -* `currentEnvironment.name`: the full name (including the project) of the environment where the ESC login provider and `subjectAttributes` are defined -* `pulumi.user.login`: the login identifier of the user opening the environment -* `pulumi.organization.login`: the login identifier of the organization - -The subject always contains the following prefix `pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}` and every key configured will be appended to this prefix. For example, consider the following environment: - -```yaml -values: - gcp: - login: - fn::open::gcp-login: - oidc: - ... - subjectAttributes: - - currentEnvironment.name - - pulumi.user.login -``` - -The subject will be `pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:project/development:pulumi.user.login:userLogin`. Note how the keys and values are appended along with the prefix. 
- -## Configure OIDC in the Pulumi Console - -### Pulumi Deployments - -{{% notes "info" %}} -In addition to the Pulumi Console, deployment settings including OIDC can be configured for a stack using the [pulumiservice.DeploymentSettings](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/) resource or via the [REST API](/docs/pulumi-cloud/deployments/api/#patchsettings). -{{% /notes %}} - -1. Navigate to your stack in the Pulumi Console. -2. Open the stack's "Settings" tab. -3. Choose the "Deploy" panel. -4. Under the "OpenID Connect" header, toggle "Enable Google Cloud Integration". -5. Enter the numerical ID of your Google Cloud project in the "Project Number" field. -6. Enter the workload pool ID, identity provider ID, and service account email address in the "Workload Pool ID", "Identity Provider ID", and "Service Account Email Address" fields. -7. If desired, enter the stack's Google Cloud region in the "Region" field. This is typically unnecessary. -8. If you would like to constrain the duration of the temporary Google Cloud credentials, enter a duration in the form "XhYmZs" in the "Session Duration" field. -9. Click the "Save deployment configuration" button. - -With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for Google Cloud credentials using the specified federated identity prior to running any pre-commands or Pulumi operations. The fetched credentials are published as a credential configuration in the `GOOGLE_CREDENTIALS` environment variable. The raw OIDC token is also available for advanced scenarios in the `PULUMI_OIDC_TOKEN` environment variable and the `/mnt/pulumi/pulumi.oidc` file. - -### Pulumi ESC - -To configure OIDC for Pulumi ESC, create a new environment in the [Pulumi Console](https://app.pulumi.com/). Make sure that you have the correct organization selected in the left-hand navigation menu. Then: - -1. Click the **Environments** link. -2. 
Click the **Create environment** button. -3. Provide a project to create your new environment in and a name for your environment. - * This should be the same as the identifier provided in the subject claim of your federated credentials. -4. Click the **Create environment** button. - {{< video title="Creating a new Pulumi ESC environment" src="https://www.pulumi.com/uploads/create-new-environment.mp4" autoplay="true" loop="true" >}} -5. You will be presented with a split-pane document and table view. Delete the default placeholder content in the editor and replace it with the following code: - - ```yaml - values: - gcp: - login: - fn::open::gcp-login: - project: - oidc: - workloadPoolId: - providerId: - serviceAccount: - environmentVariables: - GOOGLE_PROJECT: ${gcp.login.project} - CLOUDSDK_AUTH_ACCESS_TOKEN: ${gcp.login.accessToken} - pulumiConfig: - gcp:accessToken: ${gcp.login.accessToken} - ``` - -6. Replace ``, ``, ``, and `` with the values from the previous steps. -7. Scroll to the bottom of the page and click **Save**. - -You can validate that your configuration is working by running either of the following: - -* `esc open //` command of the [ESC CLI](/docs/esc-cli/) -* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) - -Make sure to replace ``, ``, and `` with the values of your Pulumi organization, project, and environment file respectively. You should see output similar to the following: - -```bash -{ - "environmentVariables": { - "GOOGLE_PROJECT": 111111111111 - "CLOUDSDK_AUTH_ACCESS_TOKEN": "ya29...." - }, - "gcp": { - "login": { - "accessToken": "ya29.....", - "expiry": "2023-11-09T11:12:41Z", - "project": 111111111111, - "tokenType": "Bearer" - } - }, - "pulumiConfig": { - "gcp:accessToken": "ya29...." - } -} -``` - -To learn more about how to set up and use the various providers in Pulumi ESC, please refer to the [relevant Pulumi documentation](/docs/pulumi-cloud/esc/providers/). 
- -## Automate OIDC Configuration - -Our [Examples](https://github.com/pulumi/examples) repository provides a wide variety of example automations using Pulumi Infrastructure as Code (IaC). If you want to automate the configuration and deployment of OIDC between Pulumi and GCP, take a look at the following examples to help you get started: - -* [Configure OIDC for ESC in Pulumi Python](https://github.com/pulumi/examples/tree/master/gcp-py-oidc-provider-pulumi-cloud) diff --git a/content/docs/pulumi-cloud/access-management/oidc/provider/_index.md b/content/docs/pulumi-cloud/deployments/oidc/_index.md similarity index 50% rename from content/docs/pulumi-cloud/access-management/oidc/provider/_index.md rename to content/docs/pulumi-cloud/deployments/oidc/_index.md index 093c36a3963f..2a104df5b52c 100644 --- a/content/docs/pulumi-cloud/access-management/oidc/provider/_index.md +++ b/content/docs/pulumi-cloud/deployments/oidc/_index.md 
@@ -1,53 +1,59 @@ --- -title_tag: OpenID Connect provider integration for Pulumi -meta_desc: This page provides an overview of how to configure OpenID Connect integration between - Pulumi and supported cloud providers. -title: OpenID provider -h1: OpenID Connect provider integration +title_tag: OIDC Setup for Pulumi Deployments +meta_desc: This page provides an overview of how to set up OIDC for Pulumi Deployments to obtain cloud provider credentials +title: OIDC Setup +h1: OIDC Setup for Pulumi Deployments meta_image: /images/docs/meta-images/docs-meta.png menu: cloud: - name: OpenID provider - parent: pulumi-cloud-access-management-oidc - weight: 3 - identifier: pulumi-cloud-access-management-oidc-provider + name: OIDC Setup + parent: pulumi-cloud-deployments + weight: 4 + identifier: pulumi-cloud-deployments-oidc aliases: +- /docs/pulumi-cloud/oidc/ +- /docs/pulumi-cloud/access-management/oidc/ - /docs/pulumi-cloud/oidc/provider/ +- /docs/pulumi-cloud/access-management/oidc/provider/ --- -Pulumi supports OpenID Connect (OIDC) integration across various services. OIDC enables secure interactions between Pulumi services and cloud providers by leveraging signed, short-lived tokens issued by the Pulumi Cloud. This mechanism enhances security by eliminating the necessity for hardcoded cloud provider credentials and facilitates the exchange of these tokens for short-term credentials from your cloud provider. +Pulumi Deployments supports OpenID Connect (OIDC) integration with cloud providers, enabling your deployments to obtain short-lived cloud credentials without storing long-term secrets. This page explains how to set up OIDC for Pulumi Deployments to access resources in your cloud provider accounts. + +{{% notes type="info" %}} +Pulumi ESC provides a more portable and easier-to-set-up alternative to the Deployments OIDC integration described here. For most use cases, we recommend using [Pulumi ESC for OIDC configuration](/docs/esc/environments/configuring-oidc/). 
+{{% /notes %}} ## Overview -For Pulumi services that make use of OIDC, every time that service runs, the Pulumi Cloud issues a new OIDC token specific to that run. The OIDC token is a short-lived, signed [JSON Web Token](https://jwt.io) that contains information about the service, and that can be exchanged for credentials from a cloud provider. For AWS, Azure, and Google Cloud, this credential exchange can be done automatically as part of the service setup. +Pulumi Deployments can act as an OIDC provider, issuing signed, short-lived tokens that can be exchanged for temporary credentials with your cloud provider. This eliminates the need to store long-term cloud provider credentials in Pulumi Cloud. -## Token Claims +Every time a deployment runs, Pulumi Cloud issues a new OIDC token specific to that run. The OIDC token is a short-lived, signed [JSON Web Token](https://jwt.io) that contains information about the deployment, and that can be exchanged for credentials from a cloud provider. For AWS, Azure, and Google Cloud, this credential exchange can be done automatically as part of the deployment setup. + +If you're looking for information about the permissions a deployment has within Pulumi Cloud itself (rather than cloud provider permissions), see the [Deployment Permissions documentation](/docs/pulumi-cloud/deployments/reference/#deployment-permissions). -### Pulumi Deployments +{{% notes type="info" %}} +Pulumi Cloud can also act as an OIDC client, accepting tokens from trusted identity providers. This is a separate feature from the Deployments OIDC integration and is documented in the [OIDC Client documentation](/docs/pulumi-cloud/access-management/oidc/client/). 
+{{% /notes %}} + +## Token Claims The token contains the standard audience, issuer, and subject claims: | Claim | Description | |-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `aud` | _(Audience)_ The name of the organization associated with the deployment. | -| `iss` | _(Issuer)_ The issuer of the OIDC token: `https://api.pulumi.com/oidc`. | +| `aud` | _(Audience)_ The name of the organization associated with the deployment. | +| `iss` | _(Issuer)_ The issuer of the OIDC token: `https://api.pulumi.com/oidc`. | | `sub` | _(Subject)_ The subject of the OIDC token. Because this value is often used for configuring trust relationships, the subject claim contains information about the associated service. Each component of the subject claim is also available as a custom claim. | -### Pulumi ESC - -For details on how Pulumi ESC environments interact with OIDC token claims, see [Configuring OIDC for Pulumi ESC](/docs/esc/environments/configuring-oidc/). - ## Custom claims -For some services, the token also contains custom claims that provide additional, service-specific information. You can find more details about the available custom claims below. - -### Pulumi Deployments +The token also contains custom claims that provide additional, deployment-specific information. 
-The format of the subject claim for this service is: +The format of the subject claim for deployments is: `pulumi:deploy:org::project::stack::operation::scope:write` -Valid custom claims for this service are listed in the table below: +Valid custom claims for deployments are listed in the table below: | Claim | Description | |--------------|---------------------------------------------------------------------------------| 
@@ -59,26 +65,21 @@ Valid custom claims for this service are listed in the table below: | `deployment` | The deployment version. | | `scope` | The scope of the OIDC token. Always `write`. | -### Pulumi ESC - -For details on how Pulumi ESC environments interact with OIDC custom claims, see [Configuring OIDC for Pulumi ESC](/docs/esc/access-management/oidc/). - ## Configuring trust relationships -As part of the process that exchanges your service's OIDC token for cloud provider credentials, the cloud provider must check the OIDC token's claims against the conditions configured in the provider's trust relationship. The configuration of a trust relationship varies depending on the cloud provider, but typically uses at least the Audience, Subject, and Issuer claims. These claims can be used to restrict trust to specific organizations, projects, stacks, environments etc: +As part of the process that exchanges your deployment's OIDC token for cloud provider credentials, the cloud provider must check the OIDC token's claims against the conditions configured in the provider's trust relationship. The configuration of a trust relationship varies depending on the cloud provider, but typically uses at least the Audience, Subject, and Issuer claims. These claims can be used to restrict trust to specific organizations, projects, stacks, etc: * The Issuer claim is typically used to validate that the token is properly signed. The issuer's public signing key is fetched and used to validate the token's signature. -* The Audience claim can vary between Deployment and ESC. For deployments this claim contains the name of the organization associated with the deployment. For ESC this claim contains the name of the organization, prefixed with the provider's platform (`aws`, `azure`, `gcp`). You can use this claim to restrict credentials to a specific organization or organizations. -* The Subject claim contains a variety of information about the service. 
You can use this claim to restrict credentials to a specific organization/scope. +* The Audience claim contains the name of the organization associated with the deployment. You can use this claim to restrict credentials to a specific organization. +* The Subject claim contains a variety of information about the deployment. You can use this claim to restrict credentials to a specific organization, project, stack, etc. * The various custom claims contain the same information as the Subject claim. If your cloud provider supports configuring trust relationships based on custom claims, you can use these claims for the same purposes as the Subject claim. The Subject and custom claims are particularly useful for configuring trust relationships, as they allow you to set very fine-grained conditions for credentials. -## Configuring OpenID Connect for your cloud provider +## Cloud Provider Setup -To configure OIDC for your cloud provider, refer to one of our guides: +To configure OIDC for your cloud provider with Pulumi Deployments, refer to one of these guides: -* [Configuring OIDC for AWS](/docs/pulumi-cloud/oidc/provider/aws/) -* [Configuring OIDC for Azure](/docs/pulumi-cloud/oidc/provider/azure/) -* [Configuring OIDC for Google Cloud](/docs/pulumi-cloud/oidc/provider/gcp/) -* [Configuring OIDC for Vault](/docs/pulumi-cloud/oidc/provider/vault/) +* [Configuring OIDC for AWS](/docs/pulumi-cloud/deployments/oidc/provider/aws/) +* [Configuring OIDC for Azure](/docs/pulumi-cloud/deployments/oidc/provider/azure/) +* [Configuring OIDC for Google Cloud](/docs/pulumi-cloud/deployments/oidc/provider/gcp/) diff --git a/content/docs/pulumi-cloud/deployments/oidc/aws.md b/content/docs/pulumi-cloud/deployments/oidc/aws.md new file mode 100644 index 000000000000..fb60739a1344 --- /dev/null +++ b/content/docs/pulumi-cloud/deployments/oidc/aws.md 
@@ -0,0 +1,86 @@ +--- +title_tag: Configure OpenID Connect for AWS with Pulumi Deployments | OIDC +meta_desc: This page describes how to configure OIDC token exchange in AWS for use with Pulumi Deployments +title: AWS +h1: Configuring OpenID Connect for AWS with Pulumi Deployments +meta_image: /images/docs/meta-images/docs-meta.png +menu: + cloud: + name: AWS + parent: pulumi-cloud-deployments-oidc + weight: 1 + identifier: pulumi-cloud-deployments-oidc-aws +aliases: +- /docs/guides/oidc/provider/aws +- /docs/intro/deployments/oidc/provider/aws/ +- /docs/pulumi-cloud/deployments/oidc/provider/aws/ +- /docs/pulumi-cloud/oidc/provider/aws/ +- /docs/pulumi-cloud/oidc/aws/ +- /docs/pulumi-cloud/access-management/oidc/provider/aws/ +--- + +{{% notes type="info" %}} +Pulumi ESC provides a more portable and easier-to-set-up alternative to the Deployments OIDC integration described here. For most use cases, we recommend using [Pulumi ESC for AWS OIDC configuration](/docs/esc/environments/configuring-oidc/aws/). +{{% /notes %}} + +This document outlines the steps required to configure Pulumi Deployments to use OpenID Connect to authenticate with AWS. OIDC in AWS uses a web identity provider to assume an IAM role. Access to the IAM role is authorized using a trust policy that validates the contents of the OIDC token issued by Pulumi Cloud. + +## Create the identity provider + +1. In the navigation pane of the [IAM console](https://console.aws.amazon.com/iam/), choose **Identity providers**, and then choose **Add provider**. + {{< video title="Starting the Create Identity Provider wizard" src="https://www.pulumi.com/uploads/create-idp-start.mp4" autoplay="true" loop="true" >}} +2. In the **Provider type** section, click the radio button next to **OpenID Connect**. +3. For the **Provider URL**, provide the following URL: `https://api.pulumi.com/oidc` +4. For the **Audience** field, enter the name of your Pulumi organization. Then click **Add provider**. 
+ +## Configure the IAM role and trust policy + +Once you have created the identity provider, you will see a notification at the top of your screen prompting you to assign an IAM role. + +1. Click the **Assign role** button. +2. Select the **Create a new role** option, then click **Next**. + {{< video title="Prompt for assigning IAM role" src="https://www.pulumi.com/uploads/assign-iam-role-prompt.mp4" autoplay="true" loop="true" >}} +3. On the IAM **Create role** page, ensure the **Web identity** radio button is selected. +4. In the **Web identity** section: + * Select `api.pulumi.com/oidc` under **Identity provider**. + * Select the name of your Pulumi organization under **Audience**. Then click **Next**. + {{< video title="Create IAM role wizard" src="https://www.pulumi.com/uploads/create-role-wizard.mp4" autoplay="true" loop="true" >}} +5. On the **Add permissions** page, select the permissions that you want to grant to your Pulumi deployments. `AdministratorAccess` will be required most of the time as most AWS workloads require creating IAM resources, which in turn require full admin access. Then click **Next**. + {{< video title="Adding S3 permissions to IAM role" src="https://www.pulumi.com/uploads/create-role-add-perms.mp4" autoplay="true" loop="true" >}} +6. Provide a name and optional description for the IAM role. Then click **Create role**. + {{< video title="Adding name and description to role then creating it" src="https://www.pulumi.com/uploads/create-role.mp4" autoplay="true" loop="true" >}} + +Make a note of the IAM role's ARN; it will be necessary to enable OIDC for your deployment. + +For more granular access control, edit the trust policy of your IAM role with [Token claims](/docs/pulumi-cloud/deployments/oidc/#custom-claims). The `sub` claim can be customized as shown below. 
+ +In the following example, the role may only be assumed by stacks within the `Core` project of the `contoso` organization: + +```json +"Condition": { + "StringEquals": { + "api.pulumi.com/oidc:aud": "contoso" + }, + "StringLike": { + "api.pulumi.com/oidc:sub": "pulumi:deploy:org:contoso:project:Core:*" + } +} +``` + +## Configure OIDC via the Pulumi console + +{{% notes "info" %}} +In addition to the Pulumi Console, deployment settings including OIDC can be configured for a stack using the [pulumiservice.DeploymentSettings](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/) resource or via the [REST API](/docs/pulumi-cloud/deployments/api/#patchsettings). +{{% /notes %}} + +1. Navigate to your stack in the Pulumi Console. +2. Open the stack's "Settings" tab. +3. Choose the "Deploy" panel. +4. Under the "OpenID Connect" header, toggle "Enable AWS Integration". +5. Enter the ARN of the IAM role created above in the "Role ARN" field. +6. Enter a name for the assumed role session in the "Session Name" field. +7. If you would like to use additional policies to further constrain the session's capabilities, enter the policies' ARNs separated by commas in the "Policy ARNs" field. +8. If you would like to constrain the duration of the assumed role session, enter a duration in the form "XhYmZs" in the "Session Duration" field. +9. Click the "Save deployment configuration" button. + +With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for AWS credentials using the specified IAM role prior to running any pre-commands or Pulumi operations. The fetched credentials are published in the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN` environment variables. The raw OIDC token is also available for advanced scenarios in the `PULUMI_OIDC_TOKEN` environment variable and the `/mnt/pulumi/pulumi.oidc` file. 
diff --git a/content/docs/pulumi-cloud/deployments/oidc/azure.md b/content/docs/pulumi-cloud/deployments/oidc/azure.md new file mode 100644 index 000000000000..b09a2049420b --- /dev/null +++ b/content/docs/pulumi-cloud/deployments/oidc/azure.md 
@@ -0,0 +1,106 @@ +--- +title_tag: Configure OpenID Connect for Azure with Pulumi Deployments | OIDC +meta_desc: This page describes how to configure OIDC token exchange in Azure for use with Pulumi Deployments +title: Azure +h1: Configuring OpenID Connect for Azure with Pulumi Deployments +meta_image: /images/docs/meta-images/docs-meta.png +menu: + cloud: + name: Azure + parent: pulumi-cloud-deployments-oidc + weight: 2 + identifier: pulumi-cloud-deployments-oidc-azure +aliases: +- /docs/guides/oidc/provider/azure +- /docs/intro/deployments/oidc/provider/azure/ +- /docs/pulumi-cloud/deployments/oidc/provider/azure/ +- /docs/pulumi-cloud/oidc/provider/azure/ +- /docs/pulumi-cloud/oidc/azure/ +- /docs/pulumi-cloud/access-management/oidc/provider/azure/ +--- + +{{% notes type="info" %}} +Pulumi ESC provides a more portable and easier-to-set-up alternative to the Deployments OIDC integration described here. For most use cases, we recommend using [Pulumi ESC for Azure OIDC configuration](/docs/esc/environments/configuring-oidc/azure/). +{{% /notes %}} + +This document outlines the steps required to configure Pulumi Deployments to use OpenID Connect to authenticate with Azure. OIDC in Azure uses [workload identity federation](https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation) to access Azure resources via a Microsoft Entra App. Access to the temporary credentials is authorized using federated credentials that validate the contents of the OIDC token issued by Pulumi Cloud. + +## Prerequisites + +* You must have access in the Azure Portal to create and configure Microsoft Entra App registrations. + +{{< notes type="warning" >}} +Please note that this guide provides step-by-step instructions based on the official provider documentation which is subject to change. 
For the most current and precise information, always refer to the [official Azure documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal). +{{< /notes >}} + +## Create a Microsoft Entra application + +In the navigation pane of the [Microsoft Entra console](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview): + +1. Select **App registrations** and then click **New registration**. +2. Provide a name for your application (ex: `pulumi-deployments-oidc-app`). +3. In the **Supported account types** section, select **Accounts in this organizational directory only**. +4. Click **Register**. + +After the Microsoft Entra application has been created, take note of the following details: + +* Subscription ID +* Application (client) ID +* Directory (tenant) ID + +These values will be necessary when enabling OIDC for your service. + +## Add federated credentials + +Once you have created your new application registration, you will be redirected to the application's **Overview** page. In the left navigation menu: + +1. Navigate to the **Certificates & secrets** pane. +2. Select the **Federated credentials** tab. +3. Click on the **Add credential** button. This will start the "Add a credential" wizard. +4. In the wizard, select **Other Issuer** as the **Federated credential scenario**. +5. Fill in the remaining form fields as follows: + * **Issuer:** `https://api.pulumi.com/oidc` + * **Subject Identifier:** must be a valid subject claim (see examples at the end of this section). + * **Name:** An arbitrary name for the credential, e.g. "pulumi-oidc-credentials". + * **Audience:** Enter the name of your Pulumi organization. + +### Subject claim examples + +Because Azure's federated credentials require that the subject identifier exactly matches an OIDC token's subject claim, this process must be repeated for each permutation of the subject claim that is possible for a stack. 
For example, in order to enable all of the valid operations on a stack named `dev` of the `core` project in the `contoso` organization, you would need to create credentials for each of the following subject identifiers: + +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:preview:scope:write` +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:update:scope:write` +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:refresh:scope:write` +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:destroy:scope:write` + +## Create a service principal + +To provide Pulumi services the ability to deploy, manage, and interact with Azure resources, you need to associate your Microsoft Entra application with your Subscription or Resource Group. + +1. Navigate to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV1) page of the Azure portal. +2. Select the subscription to create the service principal in. + * If you want to limit access to a specific resource group, go to the [Resource Groups](https://portal.azure.com/#view/HubsExtension/BrowseResourceGroups) page instead and select the desired resource group. +3. In the left navigation menu, select **Access control (IAM)**. +4. Click **Add** > **Add role assignment** to be taken to the **Add role assignment** wizard. +5. Under the **Job function roles** tab, select the desired role from the list, then click **Next**. +6. Select **User, group, or service principal**, then click **Select members** +7. Enter the name of the application you created in a previous step, select it from the list, then click **Select**. +8. Click **Next** and then **Review + assign**. 
+ +## Configure OIDC in the Pulumi console + +{{% notes "info" %}} +In addition to the Pulumi Console, deployment settings including OIDC can be configured for a stack using the [pulumiservice.DeploymentSettings](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/) resource or via the [REST API](/docs/pulumi-cloud/deployments/api/#patchsettings). +{{% /notes %}} + +1. Navigate to your stack in the [Pulumi Console](https://app.pulumi.com/). +2. Open the stack's **Settings** tab. +3. Choose the **Deploy** panel. +4. Under the **OpenID Connect** header, toggle **Enable Azure Integration**. +5. Enter the client and tenant IDs for the app registration created above in the **Client ID** and **Tenant ID** fields, respectively. +6. Enter the ID of the subscription you want to use in the **Subscription ID** field. +7. Click the **Save deployment configuration** button. + +With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for Azure credentials using the specified AAD App prior to running any pre-commands or Pulumi operations. The fetched credentials are published in the `ARM_CLIENT_ID`, `ARM_TENANT_ID`, and `ARM_SUBSCRIPTION_ID` environment variables. The raw OIDC token is also available for advanced scenarios in the `PULUMI_OIDC_TOKEN` environment variable and the `/mnt/pulumi/pulumi.oidc` file. + +If you want an example of how to automate the configuration of OIDC for Pulumi Deployments with Azure, you can refer to [this TypeScript example](https://github.com/pulumi/workshops/blob/main/az-pulumi-deployments/az-oidc-setup/index.ts). diff --git a/content/docs/pulumi-cloud/deployments/oidc/gcp.md b/content/docs/pulumi-cloud/deployments/oidc/gcp.md new file mode 100644 index 000000000000..0975089534c7 --- /dev/null +++ b/content/docs/pulumi-cloud/deployments/oidc/gcp.md 
@@ -0,0 +1,99 @@ +--- +title_tag: Configure OpenID Connect for Google Cloud with Pulumi Deployments | OIDC +meta_desc: This page describes how to configure OIDC token exchange in Google Cloud for use with Pulumi Deployments +title: Google Cloud +h1: Configuring OpenID Connect for Google Cloud with Pulumi Deployments +meta_image: /images/docs/meta-images/docs-meta.png +menu: + cloud: + name: Google Cloud + parent: pulumi-cloud-deployments-oidc + weight: 3 + identifier: pulumi-cloud-deployments-oidc-gcp +aliases: +- /docs/guides/oidc/provider/gcp +- /docs/intro/deployments/oidc/provider/gcp/ +- /docs/pulumi-cloud/deployments/oidc/provider/gcp/ +- /docs/pulumi-cloud/oidc/provider/gcp/ +- /docs/pulumi-cloud/oidc/gcp/ +- /docs/pulumi-cloud/access-management/oidc/provider/gcp/ +--- + +{{% notes type="info" %}} +Pulumi ESC provides a more portable and easier-to-set-up alternative to the Deployments OIDC integration described here. For most use cases, we recommend using [Pulumi ESC for Google Cloud OIDC configuration](/docs/esc/environments/configuring-oidc/gcp/). +{{% /notes %}} + +This document outlines the steps required to configure Pulumi Deployments to use OpenID Connect to authenticate with Google Cloud. OIDC in Google Cloud uses [workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation) to allow access to resources. Access to the resources is authorized using attribute conditions that validate the contents of the OIDC token issued by Pulumi Cloud. + +## Prerequisites + +* You must create a [Google Cloud project with the required APIs enabled](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#configure) + +{{< notes type="warning" >}} +Please note that this guide provides step-by-step instructions based on the official provider documentation which is subject to change. 
For the most current and precise information, always refer to the official [Google Cloud documentation](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers). +{{< /notes >}} + +## Create a Workload Identity Pool and Provider + +1. Navigate to the [Workload Identity Pools page](https://console.cloud.google.com/projectselector2/iam-admin/workload-identity-pools) in the Google Cloud console. +2. Select your Google Cloud project. +3. Click the **Create Pool** button. +4. Provide a name and an optional description, then click **Continue** +5. In the **Add a provider to pool** dropdown, select **OpenID Connect (OIDC)**. +6. Provide a name for the provider. +7. In the **Issuer** field, enter `https://api.pulumi.com/oidc`. +8. In the **Audiences** section, select the **Allowed audiences** radio button. Enter the name of your Pulumi organization. Then click **Continue**. +9. In the **Configure provider attributes** section, provide the value of `assertion.sub` in the **OIDC 1** field. Then click **Save**. + +## Configure a Service Account + +Once you have created your workload identity pool and provider, you will be directed to the pool details page. If you already have an appropriate service account created, skip ahead to the steps found in the [Grant access to the service account](/docs/pulumi-cloud/oidc/provider/gcp/#grant-access-to-the-service-account) section. Otherwise, continue through the steps below to create a new one. + +### Create a new service account + +1. Navigate to the [Service Accounts](https://console.cloud.google.com/projectselector2/iam-admin/serviceaccounts) page. +2. Select your Google Cloud project. +3. Click "Create Service Account". +4. Enter a value for the **Service account name** field. Then click **Create And Continue** + * The **Service account ID** field will auto-populate based on this value. +5. 
In the **Grant this service account access to project** section, select the role(s) that provides the relevant access to your Pulumi service. Then click **Continue**. +6. Leave the values in the next section blank and click **Done**. + +### Grant access to the service account + +1. In your workload identity pool's details page, click the **Grant Access** button. +2. In the **Select service account** dropdown, select the desired service account to associate with the pool. +3. Under the **Select principals** section, click the **Only identities matching the filter** radio button. +4. In the **Attribute name** dropdown, select **Subject**. +5. In the **Attribute value** field, provide a valid subject claim (see examples at the end of this section). Then click **Save**. + +Make a note of the project ID, workload identity pool ID, provider ID, and service account email address from the previous steps. These will be necessary to enable OIDC for your service. + +### Subject claim examples + +To enable valid operations on a specific stack, Google federated credentials require an exact match on the OIDC token subject claim. Unfortunately, the subject identifier does *not* currently allow wildcards. Therefore, you must create credentials for each permutation of the subject claim that is possible for the stack. 
+ +For example, to enable all of the valid operations on a stack named `dev` of the `core` project in the `contoso` organization, you would need to create credentials for each of the following subject identifiers: + +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:preview:scope:write` +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:update:scope:write` +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:refresh:scope:write` +* `pulumi:deploy:org:contoso:project:core:stack:dev:operation:destroy:scope:write` + +## Configure OIDC in the Pulumi Console + +{{% notes "info" %}} +In addition to the Pulumi Console, deployment settings including OIDC can be configured for a stack using the [pulumiservice.DeploymentSettings](https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/) resource or via the [REST API](/docs/pulumi-cloud/deployments/api/#patchsettings). +{{% /notes %}} + +1. Navigate to your stack in the Pulumi Console. +2. Open the stack's "Settings" tab. +3. Choose the "Deploy" panel. +4. Under the "OpenID Connect" header, toggle "Enable Google Cloud Integration". +5. Enter the numerical ID of your Google Cloud project in the "Project Number" field. +6. Enter the workload pool ID, identity provider ID, and service account email address in the "Workload Pool ID", "Identity Provider ID", and "Service Account Email Address" fields. +7. If desired, enter the stack's Google Cloud region in the "Region" field. This is typically unnecessary. +8. If you would like to constrain the duration of the temporary Google Cloud credentials, enter a duration in the form "XhYmZs" in the "Session Duration" field. +9. Click the "Save deployment configuration" button. + +With this configuration, each deployment of this stack will attempt to exchange the deployment's OIDC token for Google Cloud credentials using the specified federated identity prior to running any pre-commands or Pulumi operations. 
The fetched credentials are published as a credential configuration in the `GOOGLE_CREDENTIALS` environment variable. The raw OIDC token is also available for advanced scenarios in the `PULUMI_OIDC_TOKEN` environment variable and the `/mnt/pulumi/pulumi.oidc` file. diff --git a/content/what-is/resolve-list-buckets-expired-token.md b/content/what-is/resolve-list-buckets-expired-token.md index bbc12295c891..4dc5f5919c45 100644 --- a/content/what-is/resolve-list-buckets-expired-token.md +++ b/content/what-is/resolve-list-buckets-expired-token.md @@ -52,7 +52,7 @@ Logged in to pulumi.com as … Pulumi ESC offers you the ability to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. +This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/resolve-list-buckets-invalid-access-key-id.md b/content/what-is/resolve-list-buckets-invalid-access-key-id.md index 1f938d51dcfd..2438824b697f 100644 --- a/content/what-is/resolve-list-buckets-invalid-access-key-id.md +++ b/content/what-is/resolve-list-buckets-invalid-access-key-id.md 
@@ -52,7 +52,7 @@ Logged in to pulumi.com as … Pulumi ESC offers you the ability to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. +This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/resolve-list-buckets-invalid-client-token-id.md b/content/what-is/resolve-list-buckets-invalid-client-token-id.md index 317a56b0d37f..e55742dbc425 100644 --- a/content/what-is/resolve-list-buckets-invalid-client-token-id.md +++ b/content/what-is/resolve-list-buckets-invalid-client-token-id.md 
@@ -52,7 +52,7 @@ Logged in to pulumi.com as … Pulumi ESC offers you the ability to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. +This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/resolve-list-buckets-signature-does-not-match.md b/content/what-is/resolve-list-buckets-signature-does-not-match.md index fd0bbfcbb995..92a2fa654cda 100644 --- a/content/what-is/resolve-list-buckets-signature-does-not-match.md +++ b/content/what-is/resolve-list-buckets-signature-does-not-match.md 
@@ -52,7 +52,7 @@ Logged in to pulumi.com as … Pulumi ESC offers you the ability to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. +This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/resolve-unable-to-locate-credentials.md b/content/what-is/resolve-unable-to-locate-credentials.md index fa246419ba01..138603a8ca23 100644 --- a/content/what-is/resolve-unable-to-locate-credentials.md +++ b/content/what-is/resolve-unable-to-locate-credentials.md 
@@ -52,7 +52,7 @@ Logged in to pulumi.com as … Pulumi ESC offers you the ability to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. +This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/run-aws-cloudwatch-get-metric-data-with-dynamic-credentials.md b/content/what-is/run-aws-cloudwatch-get-metric-data-with-dynamic-credentials.md index bf8856e97790..bd8c9af9fa26 100644 --- a/content/what-is/run-aws-cloudwatch-get-metric-data-with-dynamic-credentials.md +++ b/content/what-is/run-aws-cloudwatch-get-metric-data-with-dynamic-credentials.md 
@@ -54,7 +54,7 @@ Logged in to pulumi.com as … Pulumi ESC allows you to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf whenever you interact with your AWS environments. To do so, follow the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Ensure the IAM role you create has sufficient permissions to perform the AWS CloudWatch actions. +This service can dynamically generate credentials on your behalf whenever you interact with your AWS environments. To do so, follow the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Ensure the IAM role you create has sufficient permissions to perform the AWS CloudWatch actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/run-aws-dynamodb-list-tables-with-dynamic-credentials.md b/content/what-is/run-aws-dynamodb-list-tables-with-dynamic-credentials.md index 532c774a9e2a..413745294621 100644 --- a/content/what-is/run-aws-dynamodb-list-tables-with-dynamic-credentials.md +++ b/content/what-is/run-aws-dynamodb-list-tables-with-dynamic-credentials.md 
@@ -54,7 +54,7 @@ Logged in to pulumi.com as … Pulumi ESC allows you to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf whenever you interact with your AWS environments. To do so, follow the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Ensure the IAM role you create has sufficient permissions to perform the AWS DynamoDB actions. +This service can dynamically generate credentials on your behalf whenever you interact with your AWS environments. To do so, follow the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Ensure the IAM role you create has sufficient permissions to perform the AWS DynamoDB actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/run-aws-ec2-describe-instances-with-dynamic-credentials.md b/content/what-is/run-aws-ec2-describe-instances-with-dynamic-credentials.md index fc2df5997a90..4303c7c362e1 100644 --- a/content/what-is/run-aws-ec2-describe-instances-with-dynamic-credentials.md +++ b/content/what-is/run-aws-ec2-describe-instances-with-dynamic-credentials.md 
@@ -54,7 +54,7 @@ Logged in to pulumi.com as … Pulumi ESC offers you the ability to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. +This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/run-aws-ec2-start-instances-with-dynamic-credentials.md b/content/what-is/run-aws-ec2-start-instances-with-dynamic-credentials.md index 2e01db36dec0..d372add3fff4 100644 --- a/content/what-is/run-aws-ec2-start-instances-with-dynamic-credentials.md +++ b/content/what-is/run-aws-ec2-start-instances-with-dynamic-credentials.md 
@@ -54,7 +54,7 @@ Logged in to pulumi.com as … Pulumi ESC offers you the ability to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Make sure that the IAM role you create has sufficient permissions to perform EC2 actions. +This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Make sure that the IAM role you create has sufficient permissions to perform EC2 actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/run-aws-ec2-stop-instances-with-dynamic-credentials.md b/content/what-is/run-aws-ec2-stop-instances-with-dynamic-credentials.md index 59740a8118b4..0db775f9b148 100644 --- a/content/what-is/run-aws-ec2-stop-instances-with-dynamic-credentials.md +++ b/content/what-is/run-aws-ec2-stop-instances-with-dynamic-credentials.md 
@@ -54,7 +54,7 @@ Logged in to pulumi.com as … Pulumi ESC offers you the ability to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Make sure that the IAM role you create has sufficient permissions to perform EC2 actions. +This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Make sure that the IAM role you create has sufficient permissions to perform EC2 actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/run-aws-iam-list-users-with-dynamic-credentials.md b/content/what-is/run-aws-iam-list-users-with-dynamic-credentials.md index 78f6c24f3123..150e50bc5274 100644 --- a/content/what-is/run-aws-iam-list-users-with-dynamic-credentials.md +++ b/content/what-is/run-aws-iam-list-users-with-dynamic-credentials.md 
@@ -54,7 +54,7 @@ Logged in to pulumi.com as … Pulumi ESC offers you the ability to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Make sure that the IAM role you create has sufficient permissions to perform IAM actions. +This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Make sure that the IAM role you create has sufficient permissions to perform IAM actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/run-aws-lambda-list-functions-with-dynamic-credentials.md b/content/what-is/run-aws-lambda-list-functions-with-dynamic-credentials.md index fec9a9d93c32..07183d62d407 100644 --- a/content/what-is/run-aws-lambda-list-functions-with-dynamic-credentials.md +++ b/content/what-is/run-aws-lambda-list-functions-with-dynamic-credentials.md 
@@ -54,7 +54,7 @@ Logged in to pulumi.com as … Pulumi ESC allows you to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf whenever you interact with your AWS environments. To do so, follow the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Ensure the IAM role you create has sufficient permissions to perform the AWS Lambda actions. +This service can dynamically generate credentials on your behalf whenever you interact with your AWS environments. To do so, follow the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Ensure the IAM role you create has sufficient permissions to perform the AWS Lambda actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/run-aws-s3-cp-with-dynamic-credentials.md b/content/what-is/run-aws-s3-cp-with-dynamic-credentials.md index 3674d5d83766..e346105dfc64 100644 --- a/content/what-is/run-aws-s3-cp-with-dynamic-credentials.md +++ b/content/what-is/run-aws-s3-cp-with-dynamic-credentials.md 
@@ -54,7 +54,7 @@ Logged in to pulumi.com as … Pulumi ESC offers you the ability to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. +This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/run-aws-s3-ls-with-dynamic-credentials.md b/content/what-is/run-aws-s3-ls-with-dynamic-credentials.md index d1c6daa6fb4a..badafa2949df 100644 --- a/content/what-is/run-aws-s3-ls-with-dynamic-credentials.md +++ b/content/what-is/run-aws-s3-ls-with-dynamic-credentials.md 
@@ -54,7 +54,7 @@ Logged in to pulumi.com as … Pulumi ESC offers you the ability to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. +This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Make sure that the IAM role you create has sufficient permissions to perform S3 actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/run-aws-s3-sync-with-dynamic-credentials.md b/content/what-is/run-aws-s3-sync-with-dynamic-credentials.md index 9e03d5b76306..ba08c77e1195 100644 --- a/content/what-is/run-aws-s3-sync-with-dynamic-credentials.md +++ b/content/what-is/run-aws-s3-sync-with-dynamic-credentials.md 
@@ -54,7 +54,7 @@ Logged in to pulumi.com as … Pulumi ESC allows you to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf whenever you interact with your AWS environments. To do so, follow the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Ensure the IAM role you create has sufficient permissions to perform the AWS S3 actions. +This service can dynamically generate credentials on your behalf whenever you interact with your AWS environments. To do so, follow the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Ensure the IAM role you create has sufficient permissions to perform the AWS S3 actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md b/content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md index 776fadf7f47e..51b1819d519e 100644 --- a/content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md +++ b/content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md 
@@ -54,7 +54,7 @@ Logged in to pulumi.com as … Pulumi ESC offers you the ability to manually set your credentials as secrets in your Pulumi ESC environment files. When it comes to something like OIDC configuration, a more secure and efficient alternative is to leverage yet another great feature of Pulumi ESC: dynamic credentials. -This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/pulumi-cloud/oidc/provider/aws/). Make sure that the IAM role you create has sufficient permissions to perform STS actions. +This service can dynamically generate credentials on your behalf each time you need to interact with your AWS environments. To do so, follow the steps in the [guide for configuring OIDC between Pulumi and AWS](/docs/esc/environments/configuring-oidc/aws/). Make sure that the IAM role you create has sufficient permissions to perform STS actions. ### Step 3: Create a new Pulumi ESC environment diff --git a/content/what-is/what-is-a-circleci-secret.md b/content/what-is/what-is-a-circleci-secret.md index 58c08b6721d6..434c048b5856 100644 --- a/content/what-is/what-is-a-circleci-secret.md +++ b/content/what-is/what-is-a-circleci-secret.md 
@@ -129,7 +129,7 @@ Here are five best practices for managing CircleCI secrets: - **Adopt context-based management:** Organize your secrets using [contexts](https://circleci.com/docs/contexts/) in CircleCI. Group related secrets together in a context, making managing access controls and permissions easier. Contexts ensure that only authorized personnel can access specific secrets based on their roles or responsibilities. - **Use fine-grained access controls:** Set up fine-grained access controls and permissions for each context to restrict who can manage and utilize the secrets within that context. By carefully assigning permissions, you reduce the risk of unauthorized access to sensitive information, enhancing the overall security of your CI/CD process. - **Avoid hardcoding secrets in configuration files:** Refrain from hardcoding secret values directly in your configuration files. Instead, reference secrets using the `$SECRET_NAME` syntax. This approach keeps sensitive information separate from the codebase, minimizing the risk of accidental exposure and making it easier to update or rotate secrets without modifying the code. -- **Rotate secrets:** Implement a regular rotation schedule for your secrets, especially for long-lived API keys or credentials. CircleCI provides an easy way to update secrets without modifying the configuration files. Note that OIDC can eliminate the need to store long-lived secrets in CircleCI. Learn [how to use OIDC with Pulumi ESC](/docs/pulumi-cloud/oidc/#configuring-openid-connect-for-your-cloud-provider) to connect to AWS, GCP, ECR, and more. +- **Rotate secrets:** Implement a regular rotation schedule for your secrets, especially for long-lived API keys or credentials. CircleCI provides an easy way to update secrets without modifying the configuration files. Note that OIDC can eliminate the need to store long-lived secrets in CircleCI. 
Learn [how to use OIDC with Pulumi ESC](/docs/esc/environments/configuring-oidc/#configuring-openid-connect-for-your-cloud-provider) to connect to AWS, GCP, ECR, and more. - **Perform auditing and monitoring:** Implement auditing and monitoring mechanisms to track changes and usage of secrets within your CI/CD pipeline. CircleCI provides tools and logs that enable you to monitor when and how secrets are accessed. Check out [more security recommendations](https://circleci.com/docs/security-recommendations/) provided by CircleCI.
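Review bot: In the new `content/docs/pulumi-cloud/deployments/oidc/gcp.md`, the "Configure a Service Account" paragraph links to `/docs/pulumi-cloud/oidc/provider/gcp/#grant-access-to-the-service-account`, which is one of the old paths this same file lists under `aliases:`. Since the whole change set is replacing retired OIDC paths, this self-link should not be introduced on the old path; a page-relative `[Grant access to the service account](#grant-access-to-the-service-account)` avoids both the alias redirect and a future link-rot pass. The same file also mixes three shortcode forms for the same component: `{{% notes type="info" %}}`, `{{< notes type="warning" >}}` and `{{% notes "info" %}}`; pick one delimiter style and one argument form so the Hugo rendering is consistent.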
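Review bot: The `+` line in `content/what-is/run-aws-ec2-describe-instances-with-dynamic-credentials.md` still ends with "sufficient permissions to perform S3 actions", but this page is about `aws ec2 describe-instances`, so the role guidance is wrong and over-broad for a least-privilege setup. Since the line is being rewritten anyway, change it to "perform EC2 actions" to match the sibling `run-aws-ec2-start-instances` and `run-aws-ec2-stop-instances` pages in this diff.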
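Review bot: The hunk in `content/what-is/resolve-list-buckets-expired-token.md` and the fourteen `content/what-is/*` hunks that follow it all apply the identical one-line path change to the same copied paragraph ("This service can dynamically generate credentials on your behalf ... follow the steps in the guide for configuring OIDC between Pulumi and AWS ..."). This is exactly the kind of drift the PR is cleaning up; consider moving that paragraph into a shared Hugo shortcode or partial so the next OIDC docs move is a single-line edit rather than fifteen, and so wording differences between the copies (the "offers you the ability" vs "allows you" and "each time you need to" vs "whenever you" variants visible here) stop accumulating.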
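Review bot: In the `content/what-is/what-is-a-circleci-secret.md` hunk the fragment `#configuring-openid-connect-for-your-cloud-provider` is carried over unchanged from the old `/docs/pulumi-cloud/oidc/` page onto `/docs/esc/environments/configuring-oidc/`. Link checkers generally validate the path but not the anchor, so please confirm the ESC page still has a heading that generates that id; if it does not, the link silently lands at the top of the page.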
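Review bot: The tail of the `content/docs/pulumi-cloud/deployments/oidc/azure.md` hunk titles its section "Configure OIDC in the Pulumi console" (lowercase "console") and bolds the UI labels (**Settings**, **Deploy**, **Save deployment configuration**), while the new `gcp.md` uses "Configure OIDC in the Pulumi Console" and puts the same labels in straight quotes ("Settings", "Deploy", "Save deployment configuration"). Since these two pages are siblings in the same menu, align the heading capitalization and the UI-label convention across both.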