Providers
Reference catalog of every first-party plugin shipped with Pulumi ESC. For an introduction to the plugin model — how providers and rotators differ, when each runs, and how they fit into the evaluation flow — see Providers and rotators.
Login providers
Issue short-lived credentials for downstream services. Prefer OpenID Connect over static keys where supported; see OIDC setup for per-provider trust configuration.
| Provider | Description |
|---|---|
| aws-login | Log in to AWS using OIDC or static credentials. |
| azure-login | Log in to Azure using OIDC or static credentials. |
| doppler-login | Log in to Doppler using OIDC. |
| gcp-login | Log in to Google Cloud using OIDC or static credentials. |
| gh-login | Log in to GitHub using app credentials. |
| infisical-login | Log in to Infisical using OIDC or static credentials. |
| snowflake-login | Authenticate to Snowflake using OIDC. |
| vault-login | Log in to HashiCorp Vault using OIDC or static credentials. |
Secrets and configuration providers
Dynamically import values from an external system of record into your environment. Invoked through fn::open::<name>.
| Provider | Description |
|---|---|
| 1password-secrets | Import secrets from 1Password. |
| aws-parameter-store | Import parameters from AWS Systems Manager Parameter Store. |
| aws-secrets | Import secrets from AWS Secrets Manager. |
| azure-secrets | Import secrets from Azure Key Vault. |
| doppler-secrets | Import secrets from Doppler. |
| gcp-secrets | Import secrets from Google Cloud Secret Manager. |
| infisical-secrets | Import secrets from Infisical. |
| vault-secrets | Import secrets from HashiCorp Vault. |
| pulumi-stacks | Import outputs from a Pulumi stack (includes Terraform state stored in Pulumi Cloud). |
| terraform-state | Import outputs from a Terraform state file in S3 or Terraform Cloud. |
| external | Import secrets from a custom service adapter. |
Rotators
Replace a stored credential with a freshly issued one, manually or on a schedule. Invoked through fn::rotate::<name>. Some rotators need a rotation connector to reach targets in private networks.
| Rotator | Required connector | Description |
|---|---|---|
| aws-iam | None | Rotate access credentials for an AWS IAM user. |
| azure-app-secret | None | Rotate client secrets for an Azure app registration. |
| mysql | aws-lambda (private networks only) | Rotate user credentials for a MySQL database. |
| password | None | Rotate any user-defined key using password generation rules. |
| passphrase | None | Rotate any user-defined key using memorable passphrase generation rules. |
| postgres | aws-lambda (private networks only) | Rotate user credentials for a PostgreSQL database. |
| snowflake-user | None | Rotate RSA keypairs for a Snowflake user. |
| external | None | Rotate credentials using a custom service adapter. |