Pulumi, an infrastructure management platform for everything running in the cloud, has announced four major product enhancements aimed at improving security, streamlining automation, and providing greater control over cloud resources. These updates reinforce Pulumi’s commitment to helping organizations manage cloud infrastructure more effectively and securely.
Rotated Secrets in Pulumi ESC: Automating Credential Security
Pulumi ESC now features automated secrets rotation, reducing risks associated with static, long-lived credentials. Secrets can be rotated on-demand or on a schedule, with a two-secret strategy ensuring availability during transitions. The system includes full auditing and tracking capabilities, offering visibility into credential history, access logs, and rotation timelines.
Pulumi ESC GitHub Action: Secure Secrets Management in CI/CD
A new GitHub Action for Pulumi ESC enables teams to inject secrets dynamically into GitHub Actions workflows, eliminating the need for storing static credentials. The action can download the Pulumi ESC CLI, inject environment variables from an ESC environment, or selectively apply specific variables, enhancing security and efficiency in CI/CD pipelines.
Granular Access Controls: Enhanced Authorization at Scale
Pulumi has introduced a new Role-Based Access Control (RBAC) system, providing fine-grained access management across Pulumi Cloud. Organizations can define custom roles with specific permissions, apply them to users and teams, and control access to individual resources, including IaC stacks, ESC environments, and Insights accounts. Role-based access tokens further ensure that automated processes only receive necessary permissions. Pulumi RBAC will be available soon.
Policy as Code for Discovered Resources: Unified Governance
Pulumi Insights now extends policy as code capabilities to govern all cloud resources, including those discovered outside of infrastructure as code. This enhancement allows organizations to enforce policies universally across AWS, Azure, OCI, and Kubernetes environments. A dedicated dashboard provides comprehensive visibility into policy violations, enabling quick identification and resolution of non-compliant resources, significantly strengthening cloud security and compliance management.
These enhancements mark a significant step forward in Pulumi’s mission to provide organizations with secure, automated, and policy-driven cloud infrastructure management solutions.





