diff --git a/content/blog/esc-env-run-aws/index.md b/content/blog/esc-env-run-aws/index.md index 24d57aae8115..d96f87b778f1 100644 --- a/content/blog/esc-env-run-aws/index.md +++ b/content/blog/esc-env-run-aws/index.md @@ -141,7 +141,7 @@ values: The variables defined under the `environmentVariables` parameter above are the same environment variables that the AWS CLI uses if you were authenticating with something like the `aws configure` command. What the above configuration is doing is dynamically generating the credentials and projecting those credential values into your local environment. From there, the AWS CLI picks up those environment variables and runs the designated command. You can find out more about this provider definition and how it works in the Pulumi ESC documentation for [the AWS provider](https://www.pulumi.com/docs/pulumi-cloud/esc/providers/aws-login/#example) as well as the documentation for [projecting environment variables](https://www.pulumi.com/docs/pulumi-cloud/esc/environments/#projecting-environment-variables). -Scroll to the bottom of the page and click **Save**. +Click **Save**. {{< video title="Adding configuration to Pulumi ESC environment" src="https://www.pulumi.com/uploads/add-environment-config.mp4" autoplay="true" loop="true" >}} diff --git a/content/docs/esc/environments/configuring-oidc/_index.md b/content/docs/esc/environments/configuring-oidc/_index.md index 3e6d30dfc152..32e784c47c81 100644 --- a/content/docs/esc/environments/configuring-oidc/_index.md +++ b/content/docs/esc/environments/configuring-oidc/_index.md 
@@ -37,6 +37,7 @@ To configure OIDC for your cloud provider, refer to one of our guides: * [Configuring OIDC for AWS](/docs/esc/environments/configuring-oidc/aws/) * [Configuring OIDC for Azure](/docs/esc/environments/configuring-oidc/azure/) +* [Configuring OIDC for Doppler](/docs/esc/environments/configuring-oidc/doppler/) * [Configuring OIDC for Google Cloud](/docs/esc/environments/configuring-oidc/gcp/) * [Configuring OIDC for Infisical](/docs/esc/environments/configuring-oidc/infisical/) * [Configuring OIDC for Vault](/docs/esc/environments/configuring-oidc/vault/) diff --git a/content/docs/esc/environments/configuring-oidc/aws.md b/content/docs/esc/environments/configuring-oidc/aws.md index 6df6b651a1a7..8db761d7ff5d 100644 --- a/content/docs/esc/environments/configuring-oidc/aws.md +++ b/content/docs/esc/environments/configuring-oidc/aws.md @@ -98,7 +98,7 @@ To configure OIDC for Pulumi ESC, create a new environment in the [Pulumi Consol ``` 6. Replace `` with the value from the previous steps. -7. Scroll to the bottom of the page and click **Save**. +7. Click **Save**. You can validate that your configuration is working by running either of the following: diff --git a/content/docs/esc/environments/configuring-oidc/azure.md b/content/docs/esc/environments/configuring-oidc/azure.md index ad55101e329c..e4279e0e0e7f 100644 --- a/content/docs/esc/environments/configuring-oidc/azure.md +++ b/content/docs/esc/environments/configuring-oidc/azure.md 
@@ -8,7 +8,7 @@ menu: esc: name: Azure parent: esc-configuring-oidc - weight: 1 + weight: 2 --- This document outlines the steps required to configure Pulumi to use OpenID Connect to authenticate with Azure. OIDC in Azure uses [workload identity federation](https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation) to access Azure resources via a Microsoft Entra App. Access to the temporary credentials is authorized using federated credentials that validate the contents of the OIDC token issued by the Pulumi Cloud. @@ -98,7 +98,7 @@ To configure OIDC for Pulumi ESC, create a new environment in the [Pulumi Consol ``` 6. Replace ``, ``, and `` with the values from the previous steps. -7. Scroll to the bottom of the page and click **Save**. +7. Click **Save**. You can validate that your configuration is working by running either of the following: diff --git a/content/docs/esc/environments/configuring-oidc/doppler.md b/content/docs/esc/environments/configuring-oidc/doppler.md new file mode 100644 index 000000000000..c04242f1153f --- /dev/null +++ b/content/docs/esc/environments/configuring-oidc/doppler.md 
@@ -0,0 +1,178 @@ +--- +title_tag: Configure OpenID Connect for Doppler | Pulumi ESC +meta_desc: This page describes how to configure OIDC token exchange in Doppler for use with Pulumi +title: Doppler +h1: Configuring OpenID Connect for Doppler +meta_image: /images/docs/meta-images/docs-meta.png +menu: + esc: + name: Doppler + parent: esc-configuring-oidc + weight: 4 +--- + +This document outlines the steps required to configure Pulumi to use OpenID Connect to authenticate with Doppler. OIDC +in Doppler uses [service account identities](https://docs.doppler.com/docs/service-account-identities) to access +Doppler resources. Access to the temporary credentials is authorized using identities that validate the contents of +the OIDC token issued by the Pulumi Cloud. + +## Prerequisites + +* Your Doppler workplace must be on the Team or Enterprise plan in order to use service account identities. +* You must be an admin of your Doppler workplace to create and configure service account identities. + +{{< notes type="warning" >}} +Please note that this guide provides step-by-step instructions based on the official provider documentation which is +subject to change. For the most current and precise information, always refer to +the [official Doppler documentation](https://docs.doppler.com/docs/service-account-identities). +{{< /notes >}} + +## Creating a Service Account + +To create a new service account, in the navigation pane of the [Doppler dashboard](https://dashboard.doppler.com): + +1. Select **Team**, **Service Accounts** and then click **New Service Account**. +2. Provide a name for your service account (ex: `pulumi-esc-oidc-app`). +3. Click **Create**. +4. Select a **Role** for the service account or manually grant project access. + +## Add an Identity (OIDC Authentication) + +To add an identity to a service account: + +1. Navigate to the service account from **Team**, **Service Accounts** +2. Click **New Identity**. +3. 
Fill in the form fields as follows: + * **Discovery URL:** `https://api.pulumi.com/oidc`. + * **Audience:** This is different between Pulumi deployments and ESC. For Deployments this is only the name of your Pulumi organization. For ESC this is the name of your Pulumi organization prefixed with `doppler:` (e.g. `doppler:{org}`). + * **Subject:** `pulumi:environments:org::env:/` (see more examples at the end of this section). +4. Click **Create Identity**. +{{< notes type="info" >}} +For environments in the `default` project the audience will use just the Pulumi organization name. This is to +prevent regressions for legacy environments. +{{< /notes >}} + +After the Identity has been created, take note of the Identity ID. This value will be necessary when enabling OIDC for your service. + +## Configure ESC for OIDC + +To configure OIDC for Pulumi ESC, create a new environment in the [Pulumi Console](https://app.pulumi.com/). Make sure +that you have the correct organization selected in the left-hand navigation menu. Then: + +1. Click the **Environments** link. +2. Click the **Create environment** button. +3. Provide a project to create your new environment in and a name for your environment. + * This should be the same as the identifier provided in the subject claim of your federated credentials. +4. Click the **Create environment** button. +5. You will be presented with a split-pane view. Delete the default placeholder content in the editor and replace it + with the following code: + + ```yaml + values: + doppler: + login: + fn::open::doppler-login: + oidc: + identityId: + environmentVariables: + DOPPLER_TOKEN: ${doppler.login.accessToken} + ``` + +6. Replace `` with the value from the previous steps. +7. Click **Save**. 
+ +You can validate that your configuration is working by running either of the following: + +* `esc open //` command of the [ESC CLI](/docs/esc-cli/) +* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) + +Make sure to replace ``, ``, and `` with the values of your Pulumi +organization, project, and environment file respectively. You should see output similar to the following: + +```json +{ + "doppler": { + "login": { + "accessToken": "dp.said.XXX..." + } + }, + "environmentVariables": { + "DOPPLER_TOKEN": "dp.said.XXX..." + } +} +``` + +To learn more about how to set up and use the various providers in Pulumi ESC, please refer to +the [relevant Pulumi documentation](/docs/esc/integrations/) + +## Subject claim customization + +You can [customize](/docs/esc/environments/customizing-oidc-claims/) the subject claim in the OIDC token to control +which Pulumi environments or users are allowed to assume a given identity. This allows for more granular access control +than the default organization-level permissions. + +This is done by configuring the `subjectAttributes` setting. It expects an array of keys to include in it: + +* `rootEnvironment.name`: the name of the environment that is opened first. This root environment in turn opens other + imported environments +* `currentEnvironment.name`: the full name (including the project) of the environment where the ESC login provider and + `subjectAttributes` are defined +* `pulumi.user.login`: the login identifier of the user opening the environment +* `pulumi.organization.login`: the login identifier of the organization + +The subject always contains the following prefix `pulumi:environments:pulumi.organization.login:{ORGANIZATION_NAME}` and +every key configured will be appended to this prefix. 
For example, consider the following environment: + +```yaml +values: + doppler: + login: + fn::open::doppler-login: + oidc: + identityId: + subjectAttributes: + - currentEnvironment.name + - pulumi.user.login +``` + +The subject will be +`pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:project/development:pulumi.user.login:userLogin`. +Note how the keys and values are appended along with the prefix. + +{{< notes type="warning" >}} + +If not customized, the subject claim has the following format by default: + +`pulumi:environments:org::env:/` + +{{< /notes >}} + +{{< notes type="warning" >}} + +For environments within the legacy `default` project, the project will **not** be present in the subject to preserve +backwards compatibility. The format of the subject claim when `subjectAttributes` are not set is +`pulumi:environments:org::env:`. If `currentEnvironment.name` is used as a custom +subject attribute it will resolve to only the environment name (e.g. +`pulumi:environments:pulumi.organization.login:contoso:currentEnvironment.name:development:pulumi.user.login:personA`). +Due to this it is recommended to move your environments out of the `default` project for best security practices. + +{{< /notes >}} + +## Subject claim example + +Here is an example of a valid, not customized subject claim for the `project/development` environment of the `contoso` +organization: + +* `pulumi:environments:org:contoso:env:project/development` + +{{< notes type="warning" >}} + +If you are integrating Pulumi ESC with Pulumi IaC, the default subject identifier of the ESC environment will not work +at this time. There is a [known issue](https://github.com/pulumi/pulumi/issues/14509) with the subject identifier's +value sent to Doppler from Pulumi. + +Use 'subjectAttributes' to customize the subject identifier to work with Pulumi IaC. 
Alternatively, you can use this +syntax: `pulumi:environments:org:contoso:env:` when configuring the subject claim in your cloud provider account. +Make sure to replace `contoso` with the name of your Pulumi organization and use the literal value of `` as shown. + +{{< /notes >}} diff --git a/content/docs/esc/environments/configuring-oidc/gcp.md b/content/docs/esc/environments/configuring-oidc/gcp.md index 0ed2a4585113..28d01d1e5275 100644 --- a/content/docs/esc/environments/configuring-oidc/gcp.md +++ b/content/docs/esc/environments/configuring-oidc/gcp.md @@ -8,7 +8,7 @@ menu: esc: name: Google Cloud parent: esc-configuring-oidc - weight: 1 + weight: 5 --- This document outlines the steps required to configure Pulumi to use OpenID Connect to authenticate with Google Cloud. OIDC in Google Cloud uses [workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation) to allow access to resources. Access to the resources is authorized using attribute conditions that validate the contents of the OIDC token issued by the Pulumi Cloud. @@ -89,7 +89,7 @@ To configure OIDC for Pulumi ESC, create a new environment in the [Pulumi Consol ``` 6. Replace ``, ``, ``, and `` with the values from the previous steps. -7. Scroll to the bottom of the page and click **Save**. +7. Click **Save**. You can validate that your configuration is working by running either of the following: diff --git a/content/docs/esc/environments/configuring-oidc/infisical.md b/content/docs/esc/environments/configuring-oidc/infisical.md index a3f30ca0db08..7631791ef1ee 100644 --- a/content/docs/esc/environments/configuring-oidc/infisical.md +++ b/content/docs/esc/environments/configuring-oidc/infisical.md @@ -8,7 +8,7 @@ menu: esc: name: Infisical parent: esc-configuring-oidc - weight: 1 + weight: 6 --- This document outlines the steps required to configure Pulumi to use OpenID Connect to authenticate with Infisical. OIDC 
@@ -35,11 +35,7 @@ In the navigation pane of the [Infisical app](https://app.infisical.com): 3. Select a **Role** for the identity. 4. Click **Create**. -After the Identity has been created, take note of the following details: - -* Identity ID - -This value will be necessary when enabling OIDC for your service. +After the Identity has been created, take note of the Identity ID. This value will be necessary when enabling OIDC for your service. ## Add OIDC Authentication @@ -84,7 +80,7 @@ that you have the correct organization selected in the left-hand navigation menu ``` 6. Replace `` with the value from the previous steps. -7. Scroll to the bottom of the page and click **Save**. +7. Click **Save**. You can validate that your configuration is working by running either of the following: diff --git a/content/docs/esc/environments/configuring-oidc/vault.md b/content/docs/esc/environments/configuring-oidc/vault.md index 5ce9e04b7ddb..e861eb4840ff 100644 --- a/content/docs/esc/environments/configuring-oidc/vault.md +++ b/content/docs/esc/environments/configuring-oidc/vault.md @@ -8,7 +8,7 @@ menu: esc: name: Vault parent: esc-configuring-oidc - weight: 4 + weight: 7 aliases: - /docs/pulumi-cloud/oidc/provider/vault - /docs/pulumi-cloud/oidc/provider/vault/ @@ -156,7 +156,7 @@ To configure OIDC for Pulumi ESC, create a new environment in the [Pulumi Cloud ``` 6. Replace ``, ``, ``, and `` with the values from the previous steps. - 7. Scroll to the bottom of the page and click **Save**. + 7. Click **Save**. ![Vault environment config](./vault-environment-config.png) diff --git a/content/docs/esc/integrations/_index.md b/content/docs/esc/integrations/_index.md index d8ac7a0065e2..f5ee86dfcd23 100644 --- a/content/docs/esc/integrations/_index.md +++ b/content/docs/esc/integrations/_index.md 
@@ -21,6 +21,7 @@ ESC also integrates with tools like Direnv, Terraform, and Docker to help manage - [AWS login provider](/docs/esc/integrations/dynamic-login-credentials/aws-login) - [Azure login provider](/docs/esc/integrations/dynamic-login-credentials/azure-login) +- [Doppler login provider](/docs/esc/integrations/dynamic-login-credentials/doppler-login) - [GCP login provider](/docs/esc/integrations/dynamic-login-credentials/gcp-login) - [Infisical login provider](/docs/esc/integrations/dynamic-login-credentials/infisical-login) - [Vault login provider](/docs/esc/integrations/dynamic-login-credentials/vault-login) @@ -29,6 +30,7 @@ ESC also integrates with tools like Direnv, Terraform, and Docker to help manage - [AWS Secrets Manager](/docs/esc/integrations/dynamic-secrets/aws-secrets) - [Azure KeyVault](/docs/esc/integrations/dynamic-secrets/azure-secrets) +- [Doppler Secrets](/docs/esc/integrations/dynamic-secrets/doppler-secrets) - [GCP Secrets Manager](/docs/esc/integrations/dynamic-secrets/gcp-secrets) - [Infisical Secrets](/docs/esc/integrations/dynamic-secrets/infisical-secrets) - [Vault Secrets Management](/docs/esc/integrations/dynamic-secrets/vault-secrets) diff --git a/content/docs/esc/integrations/dynamic-login-credentials/_index.md b/content/docs/esc/integrations/dynamic-login-credentials/_index.md index b0a87a16a1f1..56377e562f35 100644 --- a/content/docs/esc/integrations/dynamic-login-credentials/_index.md +++ b/content/docs/esc/integrations/dynamic-login-credentials/_index.md 
@@ -19,7 +19,9 @@ To learn how to set up and use each provider, follow the links below. To learn h |--------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------| | [aws-login](/docs/esc/integrations/dynamic-login-credentials/aws-login/) | The `aws-login` provider enables you to log in to your AWS account using OpenID Connect or static credentials. | | [azure-login](/docs/esc/integrations/dynamic-login-credentials/azure-login/) | The `azure-login` provider enables you to log in to Azure using OpenID Connect or static credentials. | +| [doppler-login](/docs/esc/integrations/dynamic-login-credentials/doppler-login/) | The `doppler-login` provider enables you to log in to Doppler using OpenID Connect. | | [gcp-login](/docs/esc/integrations/dynamic-login-credentials/gcp-login/) | The `gcp-login` provider enables you to log in to Google Cloud using OpenID Connect or static credentials. | | [gh-login](/docs/esc/integrations/dynamic-login-credentials/gh-login/) | The `gh-login` provider enables you to log in to GitHub using app credentials. | +| [infisical-login](/docs/esc/integrations/dynamic-login-credentials/infisical-login/) | The `infisical-login` provider enables you to log in to Infisical using OpenID Connect or by providing static credentials. | | [snowflake-login](/docs/esc/integrations/dynamic-login-credentials/snowflake-login/) | The `snowflake-login` provider enables authentication to Snowflake using OpenID Connect. | | [vault-login](/docs/esc/integrations/dynamic-login-credentials/vault-login/) | The `vault-login` provider enables you to log in to HashiCorp Vault using OpenID Connect or static credentials. | diff --git a/content/docs/esc/integrations/dynamic-login-credentials/doppler-login.md b/content/docs/esc/integrations/dynamic-login-credentials/doppler-login.md new file mode 100644 index 000000000000..e417f19909fc 
--- /dev/null +++ b/content/docs/esc/integrations/dynamic-login-credentials/doppler-login.md 
@@ -0,0 +1,55 @@ +--- +title_tag: doppler-login Pulumi ESC Provider +meta_desc: The doppler-login Pulumi ESC Provider enables you to log in to Doppler using OIDC. +title: doppler-login +h1: doppler-login +meta_image: /images/docs/meta-images/docs-meta.png +menu: + esc: + identifier: doppler-login + parent: esc-dynamic-login-credentials + weight: 3 +aliases: + - /docs/pulumi-cloud/esc/providers/doppler-login/ + - /docs/esc/providers/doppler-login/ +--- + +The `doppler-login` provider enables you to log in to Doppler using OpenID Connect. +The provider will return a set of credentials that can be used to run Doppler CLI commands using +the [esc run](/docs/esc/cli/commands/esc_run/) command and also pull in secrets from Doppler using the +`doppler-secrets` provider. + +## Example + +```yaml +values: + doppler: + login: + fn::open::doppler-login: + oidc: + identityId: 00000000-0000-0000-0000-000000000000 +``` + +## Configuring OIDC + +To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Doppler, see +the [OpenID Connect integration](/docs/esc/environments/configuring-oidc/doppler/) documentation. + +## Inputs + +| Property | Type | Description | +|-----------|-----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------| +| `oidc` | [DopplerLoginOIDC](#dopplerloginoidc) | OIDC configuration to log in to Doppler. | + +### DopplerLoginOIDC + +| Property | Type | Description | +|---------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `identityId` | string | The identityId of the Doppler service account identity to assume. | +| `subjectAttributes` | string[] | [Optional] - Subject attributes to be included in the OIDC token. 
For more information see the [OpenID subject customization](/docs/esc/environments/configuring-oidc/#custom-token-claim) documentation | + +## Outputs + +| Property | Type | Description | +|---------------|--------|---------------------------------------------------------------------------------------------------------------------------| +| `accessToken` | string | The short lived access token to use for authentication. | diff --git a/content/docs/esc/integrations/dynamic-login-credentials/gcp-login.md b/content/docs/esc/integrations/dynamic-login-credentials/gcp-login.md index 7b4300b12197..64ffe575baa0 100644 --- a/content/docs/esc/integrations/dynamic-login-credentials/gcp-login.md +++ b/content/docs/esc/integrations/dynamic-login-credentials/gcp-login.md @@ -8,7 +8,7 @@ menu: esc: identifier: gcp-login parent: esc-dynamic-login-credentials - weight: 3 + weight: 5 aliases: - /docs/pulumi-cloud/esc/providers/gcp-login/ - /docs/esc/providers/gcp-login/ diff --git a/content/docs/esc/integrations/dynamic-login-credentials/gh-login.md b/content/docs/esc/integrations/dynamic-login-credentials/gh-login.md index 62a659e62d63..561c225a4676 100644 --- a/content/docs/esc/integrations/dynamic-login-credentials/gh-login.md +++ b/content/docs/esc/integrations/dynamic-login-credentials/gh-login.md @@ -8,7 +8,7 @@ menu: esc: identifier: gh-login parent: esc-dynamic-login-credentials - weight: 4 + weight: 6 aliases: - /docs/pulumi-cloud/esc/providers/gh-login/ - /docs/esc/providers/gh-login/ diff --git a/content/docs/esc/integrations/dynamic-login-credentials/infisical-login.md b/content/docs/esc/integrations/dynamic-login-credentials/infisical-login.md index 38e6e1cc51d2..c2b3a874d822 100644 --- a/content/docs/esc/integrations/dynamic-login-credentials/infisical-login.md +++ b/content/docs/esc/integrations/dynamic-login-credentials/infisical-login.md 
@@ -8,7 +8,7 @@ menu: esc: identifier: infisical-login parent: esc-dynamic-login-credentials - weight: 2 + weight: 7 aliases: - /docs/pulumi-cloud/esc/providers/infisical-login/ - /docs/esc/providers/infisical-login/ diff --git a/content/docs/esc/integrations/dynamic-login-credentials/snowflake-login.md b/content/docs/esc/integrations/dynamic-login-credentials/snowflake-login.md index 52db04735633..41d572371618 100644 --- a/content/docs/esc/integrations/dynamic-login-credentials/snowflake-login.md +++ b/content/docs/esc/integrations/dynamic-login-credentials/snowflake-login.md @@ -7,6 +7,7 @@ menu: esc: identifier: snowflake-login parent: esc-dynamic-login-credentials + weight: 8 --- The `snowflake-login` provider enables authentication to Snowflake using OpenID Connect (OIDC) for Pulumi ESC. This allows you to securely access Snowflake without storing long-lived credentials in your environment configurations. diff --git a/content/docs/esc/integrations/dynamic-login-credentials/vault-login.md b/content/docs/esc/integrations/dynamic-login-credentials/vault-login.md index 8e9340ce1b2f..a4ead1363dd8 100644 --- a/content/docs/esc/integrations/dynamic-login-credentials/vault-login.md +++ b/content/docs/esc/integrations/dynamic-login-credentials/vault-login.md @@ -8,7 +8,7 @@ menu: esc: identifier: vault-login parent: esc-dynamic-login-credentials - weight: 5 + weight: 9 aliases: - /docs/pulumi-cloud/esc/providers/vault-login/ - /docs/esc/providers/vault-login/ diff --git a/content/docs/esc/integrations/dynamic-secrets/1password-secrets.md b/content/docs/esc/integrations/dynamic-secrets/1password-secrets.md index 874691a0326e..36df36ebebae 100644 --- a/content/docs/esc/integrations/dynamic-secrets/1password-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/1password-secrets.md 
@@ -8,7 +8,7 @@ menu: esc: identifier: 1password-secrets parent: esc-dynamic-secrets - weight: 6 + weight: 1 aliases: - /docs/pulumi-cloud/esc/providers/1password-secrets/ - /docs/esc/providers/1password-secrets/ diff --git a/content/docs/esc/integrations/dynamic-secrets/_index.md b/content/docs/esc/integrations/dynamic-secrets/_index.md index 305b1a4c0aad..2d4558939b34 100644 --- a/content/docs/esc/integrations/dynamic-secrets/_index.md +++ b/content/docs/esc/integrations/dynamic-secrets/_index.md @@ -21,5 +21,7 @@ To learn how to set up and use each provider, follow the links below. To learn h | [aws-parameter-store](/docs/pulumi-cloud/esc/providers/aws-parameter-store/) | The `aws-parameter-store` provider enables you to dynamically import parameters from AWS Parameter Store into your Environment. | | [aws-secrets](/docs/esc/integrations/dynamic-secrets/aws-secrets/) | The `aws-secrets` provider enables you to dynamically import Secrets from AWS Secrets Manager into your Environment. | | [azure-secrets](/docs/esc/integrations/dynamic-secrets/azure-secrets/) | The `azure-secrets` provider enables you to dynamically import Secrets from Azure Key Vault into your Environment. | +| [doppler-secrets](/docs/esc/integrations/dynamic-secrets/doppler-secrets/) | The `doppler-secrets` provider enables you to dynamically import Secrets from Doppler into your Environment. | [gcp-secrets](/docs/esc/integrations/dynamic-secrets/gcp-secrets/) | The `gcp-secrets` provider enables you to dynamically import Secrets from Google Cloud Secrets Manager into your Environment. | +| [infisical-secrets](/docs/esc/integrations/dynamic-secrets/infisical-secrets/) | The `infisical-secrets` provider enables you to dynamically import Secrets from Infisical Secrets into your Environment. | [vault-secrets](/docs/esc/integrations/dynamic-secrets/vault-secrets/) | The `vault-secrets` provider enables you to dynamically import Secrets from HashiCorp Vault into your Environment. | 
diff --git a/content/docs/esc/integrations/dynamic-secrets/aws-parameter-store.md b/content/docs/esc/integrations/dynamic-secrets/aws-parameter-store.md index c250b1afd26c..9fd0ae2a02ed 100644 --- a/content/docs/esc/integrations/dynamic-secrets/aws-parameter-store.md +++ b/content/docs/esc/integrations/dynamic-secrets/aws-parameter-store.md @@ -7,7 +7,7 @@ menu: esc: identifier: aws-parameter-store parent: esc-dynamic-secrets - weight: 1 + weight: 2 aliases: - /docs/pulumi-cloud/esc/providers/aws-parameter-store/ - /docs/esc/providers/aws-parameter-store/ diff --git a/content/docs/esc/integrations/dynamic-secrets/aws-secrets.md b/content/docs/esc/integrations/dynamic-secrets/aws-secrets.md index ade8a35c7768..c21fc730ee87 100644 --- a/content/docs/esc/integrations/dynamic-secrets/aws-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/aws-secrets.md @@ -7,7 +7,7 @@ menu: esc: identifier: aws-secrets parent: esc-dynamic-secrets - weight: 2 + weight: 3 aliases: - /docs/pulumi-cloud/esc/providers/aws-secrets/ - /docs/esc/providers/aws-secrets/ diff --git a/content/docs/esc/integrations/dynamic-secrets/azure-secrets.md b/content/docs/esc/integrations/dynamic-secrets/azure-secrets.md index a8636ce2a29a..fba60b6723c2 100644 --- a/content/docs/esc/integrations/dynamic-secrets/azure-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/azure-secrets.md @@ -7,7 +7,7 @@ menu: esc: identifier: azure-secrets parent: esc-dynamic-secrets - weight: 3 + weight: 4 aliases: - /docs/pulumi-cloud/esc/providers/azure-secrets/ - /docs/esc/providers/azure-secrets/ diff --git a/content/docs/esc/integrations/dynamic-secrets/doppler-secrets.md b/content/docs/esc/integrations/dynamic-secrets/doppler-secrets.md new file mode 100644 index 000000000000..35a9a7dc277a --- /dev/null +++ b/content/docs/esc/integrations/dynamic-secrets/doppler-secrets.md 
@@ -0,0 +1,91 @@ +--- +title: doppler-secrets +title_tag: doppler-secrets Pulumi ESC provider +meta_desc: The doppler-secrets Pulumi ESC Provider enables you to dynamically import secrets from Doppler into your environment. +h1: doppler-secrets +menu: + esc: + identifier: doppler-secrets + parent: esc-dynamic-secrets + weight: 5 +aliases: + - /docs/pulumi-cloud/esc/providers/doppler-secrets/ + - /docs/esc/providers/doppler-secrets/ +--- + +The `doppler-secrets` provider enables you to dynamically import Secrets from Doppler into +your Environment. The provider will return a map of names to Secrets. + +## Example + +```yaml +values: + doppler: + login: + fn::open::doppler-login: + oidc: + identityId: 00000000-0000-0000-0000-000000000000 + secrets: + fn::open::doppler-secrets: + login: ${doppler.login} + project: example-project + config: dev + get: + api-key: + name: API_KEY + app-secret: + name: APP_SECRET +``` + +## Configuring OIDC + +To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Doppler, see +the [OpenID Connect integration](/docs/pulumi-cloud/oidc/provider/doppler/) documentation. Once you have completed +these steps, you can validate that your configuration is working by running either of the following: + +* `esc open //` command of the [Pulumi ESC CLI](/docs/esc-cli/) +* `pulumi env open //` command of the [Pulumi CLI](/docs/install/) + +Make sure to replace ``, ``, and `` with the values of your Pulumi organization and +environment identifier respectively. You should see output similar to the following: + +```json +{ + "doppler": { + "login": { + "accessToken": "dp.said.XXX..." 
+ }, + "secrets": { + "api-key": "my-api-key", + "app-secret": "my-app-secret" + } + } +} +``` + +## Inputs + +| Property | Type | Description | +|----------|--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------| +| `login` | [DopplerSecretsLogin](#dopplersecretslogin) | Credentials to use to log in to Doppler. | +| `project` | string | The project identifier in Doppler | +| `config` | string | The config identifier in Doppler | +| `get` | map[string][DopplerSecretsGet](#dopplersecretsget) | A map from names to secrets to read from Doppler Secrets. The outputs will map each name to the secret's sensitive data. | + +### DopplerSecretsLogin + +| Property | Type | Description | +|---------------|--------|---------------------------------------------------------------------------------------------------------------------------| +| `accessToken` | string | The access token to use for authentication. | + +### DopplerSecretsGet + +| Property | Type | Description | +|---------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `name` | string | The secret name in Doppler | + +### Outputs + +| Property | Type | Description | +|----------|--------|-------------------------------------| +| N/A | object | A map of names to imported Secrets. | diff --git a/content/docs/esc/integrations/dynamic-secrets/gcp-secrets.md b/content/docs/esc/integrations/dynamic-secrets/gcp-secrets.md index 8c84eec8faa8..ebfeb44bf2ef 100644 --- a/content/docs/esc/integrations/dynamic-secrets/gcp-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/gcp-secrets.md 
@@ -8,7 +8,7 @@ menu: esc: identifier: gcp-secrets parent: esc-dynamic-secrets - weight: 4 + weight: 6 aliases: - /docs/pulumi-cloud/esc/providers/gcp-secrets/ - /docs/esc/providers/gcp-secrets/ diff --git a/content/docs/esc/integrations/dynamic-secrets/infisical-secrets.md b/content/docs/esc/integrations/dynamic-secrets/infisical-secrets.md index 9204aaffb0d7..ee4d39ef0903 100644 --- a/content/docs/esc/integrations/dynamic-secrets/infisical-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/infisical-secrets.md @@ -7,7 +7,7 @@ menu: esc: identifier: infisical-secrets parent: esc-dynamic-secrets - weight: 3 + weight: 7 aliases: - /docs/pulumi-cloud/esc/providers/infisical-secrets/ - /docs/esc/providers/infisical-secrets/ diff --git a/content/docs/esc/integrations/dynamic-secrets/vault-secrets.md b/content/docs/esc/integrations/dynamic-secrets/vault-secrets.md index f0bc21fb05b1..e88a4e61e334 100644 --- a/content/docs/esc/integrations/dynamic-secrets/vault-secrets.md +++ b/content/docs/esc/integrations/dynamic-secrets/vault-secrets.md @@ -7,7 +7,7 @@ menu: esc: identifier: vault-secrets parent: esc-dynamic-secrets - weight: 5 + weight: 8 aliases: - /docs/pulumi-cloud/esc/providers/vault-secrets/ - /docs/esc/providers/vault-secrets/
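Review bot: In the new `doppler.md` hunk, the **Audience** bullet under "Add an Identity" states that for ESC the audience is always the organization name prefixed with `doppler:`, but the info note directly below the list says environments in the `default` project use just the organization name. An audience mismatch is the usual reason a token exchange is rejected, so fold the exception into the bullet itself, e.g. "For ESC this is the name of your Pulumi organization prefixed with `doppler:` (e.g. `doppler:{org}`); environments in the legacy `default` project use the bare organization name", rather than leaving it in a separate note. Two smaller points in the same file: step 3 of "Configure ESC for OIDC" says "the subject claim of your federated credentials", which is the Azure wording carried over from `azure.md`, while this page configures a **Subject** on a Doppler service account identity, so reword to "the **Subject** configured on the Doppler identity"; and the closing warning writes `'subjectAttributes'` in single quotes where every other mention on the page uses backticks. Since step 4 of "Creating a Service Account" offers either a **Role** or manual project access, and the resulting token is projected straight into `DOPPLER_TOKEN`, it is also worth adding one sentence recommending that the service account be granted only the project and config the environment actually reads.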
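Review bot: In the `doppler-login.md` hunk, the `subjectAttributes` row of the `DopplerLoginOIDC` table links to `/docs/esc/environments/configuring-oidc/#custom-token-claim`, whereas the `doppler.md` page added in this same patch links subject customization to `/docs/esc/environments/customizing-oidc-claims/` and has its own "Subject claim customization" section. Point both at the same target (the `customizing-oidc-claims` page looks like the canonical one) so the two Doppler pages do not disagree about where the claim format is documented.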
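Review bot: In the `doppler-secrets.md` hunk, the "Configuring OIDC" paragraph links to `/docs/pulumi-cloud/oidc/provider/doppler/`, but the page this patch creates lives at `/docs/esc/environments/configuring-oidc/doppler/` (the path used by `doppler-login.md` and by the new entry in `configuring-oidc/_index.md`) and declares no `/docs/pulumi-cloud/oidc/provider/doppler` alias, unlike the `vault.md` front matter shown earlier in the diff; change it to `the [OpenID Connect integration](/docs/esc/environments/configuring-oidc/doppler/) documentation` so the link resolves. In the same hunk, the validation sentence lists three placeholders but names only two values ("your Pulumi organization and environment identifier respectively"), while the equivalent sentence in `doppler.md` names "organization, project, and environment file respectively"; use the three-value wording here too. Finally, the file uses `### Outputs` while `## Inputs` in the same file and `## Outputs` in `doppler-login.md` are level-two headings; change to `## Outputs` so the section levels match across the provider pages.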