
Pulumi ESC
Secrets management tools
Data security software
$40 per month
Small
Medium
Large
- Accommodation and food services
- Retail and wholesale
- Education and training
What is Pulumi ESC
Pulumi ESC (Environments, Secrets, and Configuration) is a secrets and configuration management service designed to supply runtime environment variables and sensitive values to applications and infrastructure workflows. It targets platform teams and developers who need to manage configuration across environments and deliver secrets to CI/CD systems and cloud runtimes. ESC integrates with Pulumi Infrastructure as Code and can also be used independently via CLI/API to inject configuration into deployments. It emphasizes environment-centric organization of configuration and policy-controlled access to secret values.
Environment-centric configuration model
ESC organizes values into named environments, which helps teams manage per-stage configuration (dev/test/prod) without duplicating files across repositories. This model fits common deployment patterns where the same application needs different endpoints, credentials, and feature flags by environment. It can reduce configuration drift by centralizing updates and making environment composition explicit.
Pulumi IaC workflow integration
ESC integrates directly with Pulumi’s IaC workflows, enabling stacks to reference centrally managed configuration and secrets. This can simplify secret distribution for infrastructure provisioning and application deployment pipelines that already use Pulumi tooling. For teams standardizing on Pulumi, it reduces the need to stitch together separate secret stores and custom glue code.
CLI and automation friendly
ESC is designed for use in automated workflows, with CLI-driven access suitable for CI/CD and developer tooling. It supports delivering values as environment variables at runtime, which aligns with common container and pipeline patterns. This approach can lower the operational overhead compared with managing secrets manually in multiple systems.
Less mature enterprise controls
Compared with long-established enterprise secret platforms, ESC may offer fewer advanced features such as extensive HSM options, complex secret rotation orchestration, or highly granular, legacy enterprise integrations. Organizations with strict compliance requirements may need to validate audit logging, key management, and policy capabilities against internal standards. Some enterprises may still require a dedicated KMS/HSM-backed solution for certain workloads.
Pulumi ecosystem dependency risk
While ESC can be used outside of Pulumi IaC, its strongest fit is with Pulumi-centric workflows. Teams using other IaC tools or secret delivery patterns may find the integration benefits less compelling and may need additional tooling to match existing processes. This can increase switching costs if an organization later standardizes on a different platform.
Not a general password vault
ESC focuses on application and infrastructure configuration/secrets delivery rather than end-user password management. It is not designed to replace password managers for human credentials, shared vaults, or end-user device workflows. Organizations typically still need separate tooling for workforce password management and privileged access use cases.
Plan & Pricing
| Plan | Price | Key features & notes |
|---|---|---|
| Individual | Free | Free forever for individuals; includes IaC state management, unlimited projects/stacks/environments, unlimited updates/history, 500 free deployment minutes. ESC: 25 free secrets, 10K free API calls/month, plaintext configs free. |
| Team | $40/mo | Up to 10 users; 500 resources included (additional resources $0.1825/mo each); includes secure collaboration, CI/CD, OIDC, automatic secrets rotation. ESC: $0.000685/hour per secret (~$0.50 per secret/month), API calls $0.10 per 10K after 10K free. |
| Enterprise | $400/mo | Unlimited users; 2,000 resources included (additional resources start at $0.365/mo); SAML/SSO, RBAC, audit logs, drift detection, priority feature requests. ESC: $0.001/hour per secret (~$0.75 per secret/month), API calls $0.10 per 10K. |
| Business Critical | Custom | Advanced governance and controls; self-hosting available; volume pricing and invoicing; ESC pricing: custom (contact sales) for secrets and enterprise features; API calls $0.10 per 10K. |
Additional ESC-specific notes:
- Price per plaintext config: Free across all editions.
- Max # of secrets: Individual 25; Team/Enterprise/Business Critical: Unlimited.
- Max # of API calls: Individual 10K/month free; Team/Enterprise/Business Critical: Unlimited.
- ESC secrets are billed hourly (rates shown above) and converted to the listed approximate per-secret/month amounts on the official pricing page.
Seller details
Pulumi Corporation
Seattle, WA, USA
2017
Private
https://www.pulumi.com/
https://x.com/pulumicorp
https://www.linkedin.com/company/pulumi/