From 187fa600b4a1d88a8069e4402db65a0a4d5749fa Mon Sep 17 00:00:00 2001 From: Boris Schlosser Date: Wed, 19 Nov 2025 14:03:06 +0100 Subject: [PATCH 1/4] BYOK and improved crypto capabilities for self-hosted --- .../administration/self-hosting/changelog.md | 8 +++++ .../self-hosting/components/api.md | 29 +++++++++++++++---- 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/content/docs/administration/self-hosting/changelog.md b/content/docs/administration/self-hosting/changelog.md index ba527ab340ad..34ee9db9b7b0 100644 --- a/content/docs/administration/self-hosting/changelog.md +++ b/content/docs/administration/self-hosting/changelog.md @@ -22,6 +22,14 @@ Self-hosting is only available with **Pulumi Business Critical**. If you would l ## 2025 +### November + +* [Bring your own keys (BYOK) with Pulumi ESC](https://www.pulumi.com/blog/bring-your-own-keys-with-pulumi-esc/) and improved crypto operation capabilities + +{{< notes type="warning" >}} +Breaking Change: Ensure your encryption service permissions are up-to-date with the instructions given [here](/docs/administration/self-hosting/components/api/#encryption-services). +{{< /notes >}} + ### March * [Enhanced GitLab integration support](https://www.pulumi.com/blog/gitlab-better-than-ever/) diff --git a/content/docs/administration/self-hosting/components/api.md b/content/docs/administration/self-hosting/components/api.md index 436590936443..4265dde04c26 100644 --- a/content/docs/administration/self-hosting/components/api.md +++ b/content/docs/administration/self-hosting/components/api.md 
@@ -129,6 +129,16 @@ You only need to configure one of the support services. ### AWS KMS +#### Mandatory key actions + +The key's key policy in AWS KMS must define the following actions. Otherwise, the service will fail to start or will not be able to +run crypto operations: + +* `kms:Encrypt` +* `kms:Decrypt` +* `kms:GenerateDataKey` +* `kms:GenerateDataKeyWithoutPlaintext` + | Variable Name | Description | |----------------|---------------------------------------------------| | PULUMI_KMS_KEY | ARN for the AWS KMS customer master key resource. | 
@@ -141,11 +151,20 @@ active. The API service never has access to the private key material of the key uses the public key for encryption. The API will request KeyVault to decrypt a cipher text. {{% /notes %}} -| Variable Name | Description | -|-----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| PULUMI_AZURE_KV_URI | Azure KeyVault URI. For example, `https://.vault.azure.net`. | -| PULUMI_AZURE_KV_KEY_NAME | The name of the key in KeyVault. The key must be an RSA key type. We recommend a key size of 2048 for most cases. The key operations must support `Encrypt` and `Decrypt`. Otherwise, the service will fail to start. | -| PULUMI_AZURE_KV_KEY_VERSION | The version of the key that the service should use. Note: All previous versions of the key must remain enabled. | +#### Mandatory key operations / permissions + +The key in Azure KeyVault must support and allow the following operations. Otherwise, the service will fail to start or +will not be able to run crypto operations: + +* `Encrypt` +* `Decrypt` +* `Sign` +* `Verify` + +| Variable Name | Description | +|--------------------------|-------------------------------------------------------------------------------------------------------------------| +| PULUMI_AZURE_KV_URI | Azure KeyVault URI. For example, `https://.vault.azure.net`. | +| PULUMI_AZURE_KV_KEY_NAME | The name of the key in KeyVault. The key must be an RSA key type. We recommend a key size of 2048 for most cases. | ## Cloud Provider Authentication From 8ba8cd13464ddc82b07a6b0c8b40e569e3e9767d Mon Sep 17 00:00:00 2001 
From: Boris Schlosser Date: Wed, 19 Nov 2025 14:17:29 +0100 Subject: [PATCH 2/4] Claude --- content/docs/administration/self-hosting/changelog.md | 2 +- .../docs/administration/self-hosting/components/api.md | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/content/docs/administration/self-hosting/changelog.md b/content/docs/administration/self-hosting/changelog.md index 34ee9db9b7b0..9db84bc41b71 100644 --- a/content/docs/administration/self-hosting/changelog.md +++ b/content/docs/administration/self-hosting/changelog.md @@ -27,7 +27,7 @@ Self-hosting is only available with **Pulumi Business Critical**. If you would l * [Bring your own keys (BYOK) with Pulumi ESC](https://www.pulumi.com/blog/bring-your-own-keys-with-pulumi-esc/) and improved crypto operation capabilities {{< notes type="warning" >}} -Breaking Change: Ensure your encryption service permissions are up-to-date with the instructions given [here](/docs/administration/self-hosting/components/api/#encryption-services). +Breaking Change: Ensure your [AWS KMS](/docs/administration/self-hosting/components/api/#aws-kms) or [Azure Key Vault](/docs/administration/self-hosting/components/api/#azure-key-vault) encryption service permissions are up-to-date. {{< /notes >}} ### March diff --git a/content/docs/administration/self-hosting/components/api.md b/content/docs/administration/self-hosting/components/api.md index 4265dde04c26..868f76923735 100644 --- a/content/docs/administration/self-hosting/components/api.md +++ b/content/docs/administration/self-hosting/components/api.md 
@@ -131,8 +131,8 @@ You only need to configure one of the support services. #### Mandatory key actions -The key's key policy in AWS KMS must define the following actions. Otherwise, the service will fail to start or will not be able to -run crypto operations: +Define the following actions in the key's key policy in AWS KMS. Otherwise, the service will fail to start or will not +be able to run crypto operations: * `kms:Encrypt` * `kms:Decrypt` @@ -151,10 +151,10 @@ active. The API service never has access to the private key material of the key uses the public key for encryption. The API will request KeyVault to decrypt a cipher text. {{% /notes %}} -#### Mandatory key operations / permissions +#### Mandatory key operations or permissions -The key in Azure KeyVault must support and allow the following operations. Otherwise, the service will fail to start or -will not be able to run crypto operations: +Configure the key in Azure KeyVault to support and allow the following operations. Otherwise, the service will fail to +start or will not be able to run crypto operations: * `Encrypt` * `Decrypt` From 8536da16b85aa8c3804ff7deb7d05d51eb6b1259 Mon Sep 17 00:00:00 2001 From: Boris Schlosser Date: Wed, 19 Nov 2025 14:41:43 +0100 Subject: [PATCH 3/4] Fixed link --- content/docs/administration/self-hosting/changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/administration/self-hosting/changelog.md b/content/docs/administration/self-hosting/changelog.md index 9db84bc41b71..a0878312d475 100644 --- a/content/docs/administration/self-hosting/changelog.md +++ b/content/docs/administration/self-hosting/changelog.md 
@@ -27,7 +27,7 @@ Self-hosting is only available with **Pulumi Business Critical**. If you would l * [Bring your own keys (BYOK) with Pulumi ESC](https://www.pulumi.com/blog/bring-your-own-keys-with-pulumi-esc/) and improved crypto operation capabilities {{< notes type="warning" >}} -Breaking Change: Ensure your [AWS KMS](/docs/administration/self-hosting/components/api/#aws-kms) or [Azure Key Vault](/docs/administration/self-hosting/components/api/#azure-key-vault) encryption service permissions are up-to-date. +Breaking Change: Ensure your [AWS KMS](/docs/administration/self-hosting/components/api/#aws-kms) or [Azure KeyVault](/docs/administration/self-hosting/components/api/#azure-keyvault) encryption service permissions are up-to-date. {{< /notes >}} ### March From ee0a7cc6045e4141ea1835b3dfce8a0a78c2812e Mon Sep 17 00:00:00 2001 From: Boris Schlosser Date: Thu, 20 Nov 2025 10:37:54 +0100 Subject: [PATCH 4/4] Reviewer comments --- content/docs/administration/self-hosting/changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/administration/self-hosting/changelog.md b/content/docs/administration/self-hosting/changelog.md index a0878312d475..1770e2aa660a 100644 --- a/content/docs/administration/self-hosting/changelog.md +++ b/content/docs/administration/self-hosting/changelog.md 
@@ -27,7 +27,7 @@ Self-hosting is only available with **Pulumi Business Critical**. If you would l * [Bring your own keys (BYOK) with Pulumi ESC](https://www.pulumi.com/blog/bring-your-own-keys-with-pulumi-esc/) and improved crypto operation capabilities {{< notes type="warning" >}} -Breaking Change: Ensure your [AWS KMS](/docs/administration/self-hosting/components/api/#aws-kms) or [Azure KeyVault](/docs/administration/self-hosting/components/api/#azure-keyvault) encryption service permissions are up-to-date. +Breaking Change: Ensure your permissions are up to date if you are using AWS KMS or Azure KeyVault [encryption services](/docs/administration/self-hosting/components/api/#encryption-services). {{< /notes >}} ### March
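Review bot: the "Breaking Change" warning added to the November changelog entry (changelog.md hunk, PATCH 1/4) never says what broke, so an operator reading the changelog before an upgrade has no way to judge whether it affects them without opening the component page. The api.md hunks in the same commit show exactly what changed: the API service now also needs `kms:GenerateDataKey` and `kms:GenerateDataKeyWithoutPlaintext` on the AWS KMS key, or `Sign` and `Verify` on the Azure KeyVault key. Suggest naming them inline, e.g. "Breaking Change: the API service now additionally requires `kms:GenerateDataKey`/`kms:GenerateDataKeyWithoutPlaintext` (AWS KMS) or `Sign`/`Verify` (Azure KeyVault) on the encryption key; without them the service will not start." The link to the component page can stay for the full list.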
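Review bot: the new "Mandatory key actions" paragraph (api.md, AWS KMS hunk, PATCH 1/4) says the key policy "must define the following actions" but not for whom. KMS authorizes a specific principal, so the text should say that the IAM role or user the API service authenticates as (the credentials described under "Cloud Provider Authentication" further down the page) must be allowed these four actions on the key, either directly in the key policy or through an IAM policy the key policy delegates to; a key policy that lists the actions for some other principal satisfies the wording as written but still leaves the service unable to start. The phrase "will fail to start or will not be able to run crypto operations" also leaves open which failure a missing action produces; if start-up only validates some of the actions, say which, so an operator whose service starts cleanly and then fails on the first crypto operation knows to check the remaining ones.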
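Review bot: the Azure KeyVault hunk (api.md, PATCH 1/4) silently drops the `PULUMI_AZURE_KV_KEY_VERSION` row, and with it the note that "All previous versions of the key must remain enabled", yet neither the api.md text nor the changelog mentions it. If the variable is no longer read, that is itself part of the breaking change and should be stated, together with how the service now selects the key version, because ciphertexts produced under an earlier version can only be decrypted if that version stays enabled; if the variable is still read, the row should be restored. Two smaller points in the same hunk: the `{{% notes %}}` block directly above still says the service only "uses the public key for encryption" and asks KeyVault to decrypt, which no longer matches a list that also requires `Sign` and `Verify`, so that note should be updated; and "support and allow" conflates two separate settings, the key's own allowed operations and the permission the service's identity holds on the vault (via an access policy or an RBAC role), both of which must include these four operations, which is worth spelling out. The re-added example URI `https://.vault.azure.net` is also missing its placeholder; `https://<vault-name>.vault.azure.net` would read better.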
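Review bot: the anchor `#azure-key-vault` introduced in the changelog hunk of PATCH 2/4 does not match how api.md names the section; every occurrence in the visible context spells it "Azure KeyVault" as one word, so the generated heading id would be `azure-keyvault` and the link would land on nothing. Verify the anchor against the rendered page before merging (PATCH 3/4 in this series changes it to `#azure-keyvault`, which suggests that is indeed what happened).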
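Review bot: in the api.md hunk of PATCH 2/4 the rewording to imperative mood is fine, but "in the key's key policy in AWS KMS" is still awkward; "in the KMS key policy for the key" or simply "in the key policy of the AWS KMS key" reads more naturally and keeps the same meaning.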
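Review bot: the final wording in PATCH 4/4 ("Ensure your permissions are up to date if you are using AWS KMS or Azure KeyVault encryption services") loses the ordering that matters operationally. Since api.md states the service "will fail to start" without the new permissions, the changelog should tell operators to grant the additional key permissions before upgrading the API service, not merely to keep them "up to date"; something like "Before upgrading, grant the additional key permissions listed under [encryption services](/docs/administration/self-hosting/components/api/#encryption-services) if you use AWS KMS or Azure KeyVault; the API service will not start without them." would say so.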