dirien/pulumi-esc
.claude/skills/pulumi-esc/SKILL.md
Guidance for working with Pulumi ESC (Environments, Secrets, and Configuration). Use when users ask about managing secrets, configuration, environments, short-term credentials, configuring OIDC for AWS, Azure, GCP, integrating with secret stores (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, 1Password), or using ESC with Pulumi stacks.
$ install --global
skillsauthnpx skillsauth add dirien/yet-another-agent-harness pulumi-escInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 3:30 AM134.7s2 files scanned
SKILL.md
- name:
- pulumi-esc
- description:
- Guidance for working with Pulumi ESC (Environments, Secrets, and Configuration). Use when users ask about managing secrets, configuration, environments, short-term credentials, configuring OIDC for AWS, Azure, GCP, integrating with secret stores (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, 1Password), or using ESC with Pulumi stacks.
Pulumi ESC (Environments, Secrets, and Configuration)
Pulumi ESC is a centralized service for managing environments, secrets, and configuration across cloud infrastructure and applications.
What is ESC?
ESC enables teams to:
- Centralize secrets and configuration in one secure location
- Compose environments by importing and layering configuration
- Generate dynamic credentials via OIDC for AWS, Azure, GCP
- Integrate external secret stores (AWS Secrets Manager, Azure Key Vault, Vault, 1Password)
- Version and audit all configuration changes
- Control access with fine-grained RBAC
Essential CLI Commands
# Create a new environment
pulumi env init <org>/<project-name>/<environment-name>
# Edit environment (opens in editor)
pulumi env edit <org>/<project-name>/<environment-name>
# Set values
pulumi env set <org>/<project-name>/<environment-name> <key> <value>
pulumi env set <org>/<project-name>/<environment-name> <key> <value> --secret
# View definition (secrets hidden)
pulumi env get <org>/<project-name>/<environment-name>
# Open and resolve (reveals secrets)
pulumi env open <org>/<project-name>/<environment-name>
# Run command with environment
pulumi env run <org>/<project-name>/<environment-name> -- <command>
# Link to Pulumi stack
pulumi config env add <project-name>/<environment-name>
Key Concepts
Command Distinctions
pulumi env get: Shows static definition, secrets appear as[secret]pulumi env open: Resolves and reveals all values including secrets and dynamic credentialspulumi env run: Executes commands with environment variables loadedpulumi config env add: Only takes the <project-name>/<environment-name> portion
Environment Structure
Environments are YAML documents with reserved top-level keys:
imports: Import and compose other environmentsvalues: Define configuration and secrets
Reserved sub-keys under values:
environmentVariables: Map values to shell environment variablespulumiConfig: Configure Pulumi stack settingsfiles: Generate files with environment data
Basic Example
imports:
- common/base-config
values:
environment: production
region: us-west-2
dbPassword:
fn::secret: super-secure-password
environmentVariables:
AWS_REGION: ${region}
DB_PASSWORD: ${dbPassword}
pulumiConfig:
aws:region: ${region}
app:dbPassword: ${dbPassword}
Working with the User
For Simple Questions
If the user asks basic questions like "How do I create an environment?" or "What's the difference between get and open?", answer directly using the information above.
For Detailed Documentation
When users need more information, use the web-fetch tool to get content from the official Pulumi ESC documentation:
- Complete YAML syntax and functions → https://www.pulumi.com/docs/esc/environments/syntax/
- Provider integrations (AWS, Azure, GCP, Vault, 1Password):
- AWS: https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/aws-login/
- Azure: https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/azure-login/
- GCP: https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/gcp-login/
- Short-term credential (OIDC) providers: https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/
- Dynamic secret providers: https://www.pulumi.com/docs/esc/integrations/dynamic-secrets/
- Getting started guide → https://www.pulumi.com/docs/esc/get-started/
- CLI reference → https://www.pulumi.com/docs/esc/cli/commands/
- Prefer using the
pulumi envsubcommands overescCLI.
- Prefer using the
Use the web-fetch tool with specific prompts to extract relevant information from these docs.
For Complex Tasks
When helping users:
- Understand the goal: Are they setting up new environments, migrating from stack config, or debugging?
- Check existing setup: Use
pulumi envcommands to list environments or read definitions - Fetch relevant documentation: Use the web-fetch to get specific examples or syntax from the official docs
- Provide step-by-step guidance: Walk through the process with specific commands
- Validate: Help them test with
pulumi env getorpulumi previewa. Only usepulumi env openwhen the full resolved values are needed, but use cautiously as it reveals secrets.
Example: Helping with AWS OIDC Setup
User: "How do I set up AWS OIDC credentials in ESC?"
1. Use the web-fetch tool to get AWS OIDC documentation from "https://www.pulumi.com/docs/esc/integrations/dynamic-login-credentials/aws-login/"
2. Provide the user with the configuration
3. Ask the user if they have a pre-defined role or need one created for them
4. Set up as much of the environment as possible, then guide them through any steps that you can't do for them
5. Help them test with `pulumi env get` or `pulumi env open` if necessary
Common Workflows
Creating an Environment
pulumi env init my-org/my-project/dev-config
# Edit environment (accepts new definition from a file, better for agents, more difficult for users)
pulumi env edit --file /tmp/example.yml my-org/my-project/dev-config
Linking to Stack
pulumi config env add my-project/dev-config
pulumi config # Verify environment values are accessible
API Access (Rare)
Always prefer CLI commands. Only use the API when absolutely necessary (e.g., bulk operations, automation).
Available API endpoints include:
GET /api/esc/environments/{orgName}- List environmentsGET /api/esc/environments/{orgName}/{projectName}/{envName}- Read environment definitionGET /api/esc/providers?orgName={orgName}- List available providers
Use call_pulumi_cloud_api() tool to make requests when needed.
Best Practices
- Always use
fn::secretfor sensitive values - Prefer OIDC over static keys
- Use descriptive names like
<org>/my-app/production-awsnot<org>/app/prod - Layer environments: base → cloud-provider → stack-specific
- Verify that
pulumi configshows expected values after linking an environment to a stack - Prefer using
pulumi env runfor commands needing environment variables - Only use
pulumi env openwhen absolutely necessary, as it reveals secrets
Quick Troubleshooting
- "Environment not found": Check permissions with
pulumi env ls -o <org> - "Secret decryption failed": Use
pulumi env opennotpulumi env get - "Stack can't read values": Verify
pulumi config env lsto ensure the stack is listed.- Ensure the environment is referenced only by the project-name/environment-name format.
- Get the specific environment definition with
pulumi env get <org>/<project-name>/<environment-name>. - Verify the
pulumiConfigkey exists and is nested under thevalueskey.
Related Skills
dirien/typescript-pro
tools
VerifiedTrustedCommunity
Implements advanced TypeScript type systems, creates custom type guards, utility types, and branded types, and configures tRPC for end-to-end type safety. Use when building TypeScript applications requiring advanced generics, conditional or mapped types, discriminated unions, monorepo setup, or full-stack type safety with tRPC.
13SKILL.mdUpdated Apr 17, 2026
dirien/the-fool
development
VerifiedTrustedCommunity
Use when challenging ideas, plans, decisions, or proposals using structured critical reasoning. Invoke to play devil's advocate, run a pre-mortem, red team, or audit evidence and assumptions.
13SKILL.mdUpdated Apr 17, 2026
dirien/tech-debt
development
VerifiedTrustedCommunity
Systematic technical debt analysis across architecture, testing, documentation, and infrastructure. Investigates the codebase, scores findings by impact and effort, and generates a prioritized TECH_DEBT.md remediation plan. Delegates to specialized skills for code quality (scout) and linting (lint-fix). Use when assessing overall project health, planning cleanup sprints, or onboarding to an unfamiliar codebase.
13SKILL.mdUpdated Apr 17, 2026
dirien/tailscale-install
testing
VerifiedTrustedCommunity
Install and configure Tailscale across platforms. Detects OS, distro, and environment (including WSL2 and containers). Verifies existing installations, performs platform-appropriate install, and guides initial connection. Use when setting up Tailscale on a new machine, onboarding a server to a tailnet, or verifying an existing install.
13SKILL.mdUpdated Apr 17, 2026