Pulumi providers require proper credentials to deploy infrastructure on cloud platforms such as AWS, GCP, Azure, and Kubernetes. In ProjectPlanton, default providers are set up without any abstraction, and Pulumi handles the process of looking up credentials from the environment. However, ProjectPlanton provides an additional method for configuring credentials using Credential APIs to simplify the setup process.
By default, project-planton
relies on Pulumi’s supported methods for credential lookup, which allows users to use credentials from the environment without any abstraction.
The additional custom Credential APIs provide more flexibility for users who prefer to configure credentials in a more centralized or team-friendly manner.
This guide explains the steps required to set up credentials for Pulumi providers, focusing on AWS, GCP, Azure, and Kubernetes, using either environment-based credentials or the ProjectPlanton Credential API.
Default Credential Lookup
By default, ProjectPlanton
does not introduce any abstractions over Pulumi’s standard credential management methods, allowing users to set up credentials as they would with any Pulumi project.
Pulumi providers can use credentials directly from the environment variables or configuration files that are available on your machine. The following are the default methods for each provider:
- AWS: Pulumi looks up credentials from environment variables (
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
,AWS_REGION
) or from the AWS credentials file. - GCP: Credentials are looked up from the environment variable
GOOGLE_CREDENTIALS
or from the active gcloud configuration. - Azure: Credentials are looked up from environment variables (
AZURE_CLIENT_ID
,AZURE_CLIENT_SECRET
,AZURE_TENANT_ID
,AZURE_SUBSCRIPTION_ID
). - Kubernetes: Credentials can be obtained from the default kubeconfig file or from environment variables related to your cluster.
Credential APIs
To provide an additional method of setting up credentials, ProjectPlanton offers Credential APIs that allow users to specify credentials in a YAML file. This file can then be passed to the project-planton pulumi up
command using specific flags. This is particularly useful when managing credentials for multiple providers or sharing configurations across a team.
AWS Provider
Default
By default, AWS credentials can be provided using environment variables or from the AWS credentials file. Pulumi will look for the following:
- Environment Variables:
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
,AWS_REGION
- Credentials File: Typically located at
~/.aws/credentials
.
Credential API
To use the custom credential method provided by ProjectPlanton, you can define the AWS credentials in a YAML file and pass it using the --aws-credential
flag:
Example AWS Credential Spec:
account_id: "987654321098"
access_key_id: "AKIAIOSFODNN7EXAMPLE"
secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
region: "us-east-1"
Once the aws credential yaml is created, pass it to the command
project-planton pulumi up --manifest deployment-component-manifest.yaml --aws-credential aws-credential.yaml
GCP Provider
Default
Pulumi looks up GCP credentials from the following sources:
- Environment Variable:
GOOGLE_CREDENTIALS
containing the service account JSON key. - Active gcloud Configuration: Credentials can be pulled from the gcloud CLI configuration.
Credential API
To use ProjectPlanton’s Credential API for GCP, define credentials in a YAML file and pass it using the --gcp-credential
flag:
Example GCP Credential Spec:
gcp_organization_id: "1234567890"
service_account_key_base64: "your-base64-encoded-service-account-key"
Once the gcp credential yaml is created, pass it to the command
project-planton pulumi up --manifest deployment-component-manifest.yaml --gcp-credential gcp-credential.yaml
Azure Provider
Default
Azure credentials are looked up from environment variables:
AZURE_CLIENT_ID
,AZURE_CLIENT_SECRET
,AZURE_TENANT_ID
,AZURE_SUBSCRIPTION_ID
Credential API
For Azure, use the following YAML format and pass it using the --azure-credential
flag:
Example Azure Credential Spec:
client_id: "e8a95d4b-09c5-412b-97f8-123456789abc"
client_secret: "EXAMPLE_SECRET"
tenant_id: "12345678-9abc-def0-1234-56789abcdef0"
subscription_id: "87654321-4321-1234-5678-123456789abc"
Once the azure credential yaml is created, pass it to the command
project-planton pulumi up --manifest deployment-component-manifest.yaml --azure-credential azure-credential.yaml
Kubernetes Provider
Default
Kubernetes credentials can be obtained from:
- kubeconfig File: Typically located at
~/.kube/config
- Environment Variables: Related to your Kubernetes cluster credentials.
Credential API
ProjectPlanton also allows you to define Kubernetes credentials in a YAML file, passed using the --kubernetes-credential
flag:
Example Kubernetes Cluster Credential Spec:
kubernetes_provider: "GKE"
gke_cluster:
cluster_endpoint: "https://example-cluster-endpoint"
cluster_ca_data: "EXAMPLE_CA_DATA"
service_account_key_base64: "eyJraWQiOiAiQUJDREVGIiwgImFsZyI6ICJzZXN0ZXEifQ.EXAMPLE"
Once the kubernetes cluster credential yaml is created, pass it to the command
project-planton pulumi up --manifest deployment-component-manifest.yaml --kubernetes-cluster kubernetes-cluster.yaml