DocumentationGuideProvider Credentials

Pulumi providers require proper credentials to deploy infrastructure on cloud platforms such as AWS, GCP, Azure, and Kubernetes. In ProjectPlanton, default providers are set up without any abstraction, and Pulumi handles the process of looking up credentials from the environment. However, ProjectPlanton provides an additional method for configuring credentials using Credential APIs to simplify the setup process.

ℹ️

By default, project-planton relies on Pulumi’s supported methods for credential lookup, which allows users to use credentials from the environment without any abstraction.

ℹ️

The additional custom Credential APIs provide more flexibility for users who prefer to configure credentials in a more centralized or team-friendly manner.

This guide explains the steps required to set up credentials for Pulumi providers, focusing on AWS, GCP, Azure, and Kubernetes, using either environment-based credentials or the ProjectPlanton Credential API.

Default Credential Lookup

By default, ProjectPlanton does not introduce any abstractions over Pulumi’s standard credential management methods, allowing users to set up credentials as they would with any Pulumi project.

Pulumi providers can use credentials directly from the environment variables or configuration files that are available on your machine. The following are the default methods for each provider:

  • AWS: Pulumi looks up credentials from environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION) or from the AWS credentials file.
  • GCP: Credentials are looked up from the environment variable GOOGLE_CREDENTIALS or from the active gcloud configuration.
  • Azure: Credentials are looked up from environment variables (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID).
  • Kubernetes: Credentials can be obtained from the default kubeconfig file or from environment variables related to your cluster.

Credential APIs

To provide an additional method of setting up credentials, ProjectPlanton offers Credential APIs that allow users to specify credentials in a YAML file. This file can then be passed to the project-planton pulumi up command using specific flags. This is particularly useful when managing credentials for multiple providers or sharing configurations across a team.

AWS Provider

Default

By default, AWS credentials can be provided using environment variables or from the AWS credentials file. Pulumi will look for the following:

  • Environment Variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
  • Credentials File: Typically located at ~/.aws/credentials.

Credential API

To use the custom credential method provided by ProjectPlanton, you can define the AWS credentials in a YAML file and pass it using the --aws-credential flag:

Example AWS Credential Spec:

account_id: "987654321098"
access_key_id: "AKIAIOSFODNN7EXAMPLE"
secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
region: "us-east-1"

Once the aws credential yaml is created, pass it to the command

project-planton pulumi up --manifest deployment-component-manifest.yaml --aws-credential aws-credential.yaml

GCP Provider

Default

Pulumi looks up GCP credentials from the following sources:

  • Environment Variable: GOOGLE_CREDENTIALS containing the service account JSON key.
  • Active gcloud Configuration: Credentials can be pulled from the gcloud CLI configuration.

Credential API

To use ProjectPlanton’s Credential API for GCP, define credentials in a YAML file and pass it using the --gcp-credential flag:

Example GCP Credential Spec:

gcp_organization_id: "1234567890"
service_account_key_base64: "your-base64-encoded-service-account-key"

Once the gcp credential yaml is created, pass it to the command

project-planton pulumi up --manifest deployment-component-manifest.yaml --gcp-credential gcp-credential.yaml

Azure Provider

Default

Azure credentials are looked up from environment variables:

  • AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID

Credential API

For Azure, use the following YAML format and pass it using the --azure-credential flag:

Example Azure Credential Spec:

client_id: "e8a95d4b-09c5-412b-97f8-123456789abc"
client_secret: "EXAMPLE_SECRET"
tenant_id: "12345678-9abc-def0-1234-56789abcdef0"
subscription_id: "87654321-4321-1234-5678-123456789abc"

Once the azure credential yaml is created, pass it to the command

project-planton pulumi up --manifest deployment-component-manifest.yaml --azure-credential azure-credential.yaml

Kubernetes Provider

Default

Kubernetes credentials can be obtained from:

  • kubeconfig File: Typically located at ~/.kube/config
  • Environment Variables: Related to your Kubernetes cluster credentials.

Credential API

ProjectPlanton also allows you to define Kubernetes credentials in a YAML file, passed using the --kubernetes-credential flag:

Example Kubernetes Cluster Credential Spec:

kubernetes_provider: "GKE"
gke_cluster:
  cluster_endpoint: "https://example-cluster-endpoint"
  cluster_ca_data: "EXAMPLE_CA_DATA"
  service_account_key_base64: "eyJraWQiOiAiQUJDREVGIiwgImFsZyI6ICJzZXN0ZXEifQ.EXAMPLE"

Once the kubernetes cluster credential yaml is created, pass it to the command

project-planton pulumi up --manifest deployment-component-manifest.yaml --kubernetes-cluster kubernetes-cluster.yaml