Pulumi ESC vs Vault — when and how should I migrate?

Choose where to centralize dynamic secrets and environment projection after HCP Vault Secrets retirement forces a replacement decision in 2026.

Choose Pulumi ESC by default if you need low-ops environment projection and self-serve rollout; choose Vault only when Vault-native dynamic secrets and controls are core.

Blockers

Who this is for

Candidates

Pulumi ESC

Pulumi ESC is an environments, secrets, and configuration layer with native environment projection, dynamic environment variables, dynamic login credentials, dynamic secrets providers, and rotated secrets. As of 2026-04-05, Pulumi's pricing page lists Individual with 25 free secrets and 10K free API calls per month, Team at $40/month with secrets billed at $0.000685/hour ($0.50/month) and API calls at $0.10 per 10K, and Enterprise at $400/month with secrets billed at $0.001/hour ($0.75/month). ESC also documents direct integration with HashiCorp Vault as a dynamic secrets source, which means it can sit above other secret stores instead of replacing them outright. Its main differentiator for this decision is that it combines secret retrieval with reusable environment composition and command/runtime injection.

When to choose

Use this when you want low-ops centralization around projected environments, CLI and CI injection, and predictable self-serve pricing without standing up Vault operations. It is the better default if the immediate replacement for HCP Vault Secrets also needs developer-friendly environment composition, not just a secret backend.

Tradeoffs

Strong on environment projection, composable configs, and simple adoption. Weaker if your primary requirement is deep secret-engine breadth, advanced Vault-style policy modeling, or broader certificate and key-management workflows.

Cautions

Do not treat ESC as a drop-in HCP Vault Secrets migration target for every Vault-native workflow. If you already depend on Vault-specific agents, policies, namespaces, or Kubernetes operator patterns, ESC may fit better as a control plane over other stores than as the only secret system.

HashiCorp Vault

Vault remains supported in Community, Enterprise, and HCP after the HCP Vault Secrets sunset. As of 2026-04-05, Vault docs show v1.21.x as the latest documentation line, Vault Community can be downloaded as a binary, and Enterprise features require a valid license; HCP Vault Dedicated is the managed offering using the same Vault Enterprise binary. HashiCorp's HCP Vault Secrets migration guide says the move changes core concepts: HCP apps become Vault secrets engines, HCP IAM roles become Vault policies, HCP projects map to namespaces, and integrations shift toward Vault Agent, Vault Proxy, or Vault Secrets Operator. Vault's key differentiator is first-class dynamic secret engines for AWS, Azure, databases, and broader enterprise security workflows.

When to choose

Use this when dynamic secret issuance and Vault-native controls are the center of the design, especially for compliance-heavy or Kubernetes-heavy estates. It is the safer choice if you need the replacement to preserve long-term compatibility with Vault policies, agents, namespaces, and secrets engines rather than prioritizing environment projection UX.

Tradeoffs

Best feature depth for dynamic secrets and policy-driven secret distribution, but materially higher operational and migration complexity. Community reduces license cost but adds self-management burden; HCP Vault Dedicated removes some ops work but official pricing should be checked directly with HashiCorp.

Cautions

As of 2026-04-05, HCP Vault Secrets end-of-sale has already occurred, and end-of-life is the earlier of Flex contract expiry or July 1, 2026. HashiCorp also states Vault Secrets Operator support for HCP Vault Secrets is removed on July 1, 2026, so Kubernetes sync users cannot defer migration planning. HCP Vault Dedicated Starter was already discontinued on August 15, 2025, so evaluate current Development, Essentials, or Standard plans instead.

Facts updated: 2026-04-05
Published: 2026-04-06
