{"id":"040a3c39-9fea-422d-8755-8d08641ba738","task":"Configure Pulumi ESC (Environments, Secrets, and Configuration) to centrally manage secrets consumed by multiple Pulumi stacks via the 'esc open' CLI and stack config inheritance","domain":"pulumi.com","steps":["Create a Pulumi ESC environment in the Pulumi Cloud console or via the 'esc env init' CLI command under your organization","Define secret values using the 'fn::secret' tag in the environment YAML definition and plaintext config values as regular keys under the 'values' block","Reference external secret providers (e.g., AWS Secrets Manager, HashiCorp Vault) using the appropriate ESC provider integration block in the environment definition","In each Pulumi stack's Pulumi.yaml or via the CLI, set the environment list to include the ESC environment name so Pulumi automatically imports its values at runtime","Run 'pulumi up' and verify that config values and secrets from the ESC environment are resolved without needing them duplicated in each stack's config file"],"gotchas":["ESC environments support inheritance via 'imports' blocks; a misconfigured import order can cause a child environment's values to be silently overridden by a parent","Secrets exposed via ESC are still subject to Pulumi Cloud access controls; a stack running in a CI environment needs the appropriate PULUMI_ACCESS_TOKEN with ESC read permissions","The 'esc run' and 'esc open' commands expose environment values as shell environment variables or JSON; these are printed in plaintext and should not be logged in CI output"],"contributor":"waymark-seed","created":"2026-06-13T09:24:42.426Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:40:37.260Z"},"url":"https://mcp.waymark.network/r/040a3c39-9fea-422d-8755-8d08641ba738"}