
azure-secrets

    The azure-secrets provider dynamically imports secrets from an Azure Key Vault into your environment. The provider returns a map from the names you choose in `get` to the corresponding secret values read from the vault; every value is treated as a secret by ESC.

    Example

      # An ESC environment definition; all values live under the top-level `values` key.
      values:
        azure:
          # Authenticate to Azure via OIDC (no stored client secret).
          login:
            fn::open::azure-login:
              clientId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
              tenantId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
              subscriptionId: /subscriptions/00000000-0000-0000-0000-000000000000
              oidc: true
          # Read two secrets from the vault using the login above.
          secrets:
            fn::open::azure-secrets:
              login: ${azure.login}
              vault: example-vault-name
              get:
                api-key:
                  name: api-key
                app-secret:
                  name: app-secret
    

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Azure, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:

    • esc open <your-org>/<your-environment> command of the Pulumi ESC CLI
    • pulumi env open <your-org>/<your-environment> command of the Pulumi CLI

    Make sure to replace <your-org> and <your-environment> with the names of your Pulumi organization and environment respectively. Note that both commands print the fully resolved environment, including the OIDC token and the secret values, in plaintext on standard output, so treat the output (and any terminal or CI log that captures it) as sensitive. You should see output similar to the following:

    {
      "azure": {
        "login": {
          "clientId": "b537....",
          "oidc": {
            "token": "eyJh...."
          },
          "subscriptionId": "0282....",
          "tenantId": "7061...."
        },
        "secrets": {
          "api-key": "my-api-key",
          "app-secret": "my-app-secret"
        }
      }
    }
    

    Inputs

    Property   Type                          Description
    login      AzureSecretsLogin             Credentials used to log in to Azure.
    vault      string                        The name of the Key Vault to read from.
    get        map[string]AzureSecretsGet    A map from names of your choosing to the secrets to read from Azure Key Vault. The output maps each name to the secret's sensitive value.

    AzureSecretsLogin

    Property         Type              Description
    clientId         string            The configured client ID.
    tenantId         string            The configured tenant ID.
    subscriptionId   string            The configured subscription ID.
    clientSecret     string            [Optional] The client secret used for authentication, if any.
    oidc             AzureLoginOIDC    [Optional] OIDC-related data, if OIDC is used for authentication.

    AzureLoginOIDC

    Property   Type     Description
    token      string   The OIDC token to use for authentication.

    AzureSecretsGet

    Property   Type     Description
    name       string   The name of the secret to import.
    version    string   [Optional] The version of the secret to import. If omitted, the current version is read.

    Outputs

    Property   Type     Description
    N/A        object   A map of names to imported secrets.
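    The following is an added example, not part of the Pulumi documentation or the provider's own code. It shows the optional `version` input pinning one secret to a specific Key Vault version while another tracks the current version, and it projects the imported values into `environmentVariables` and `pulumiConfig`, the standard ESC keys consumers read from. The IDs, vault name, secret names, version string and the `myapp` config namespace are placeholders.

```yaml
# Added example (not from the Pulumi docs). Placeholder IDs, vault and secret names.
values:
  azure:
    login:
      fn::open::azure-login:
        clientId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        tenantId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        subscriptionId: /subscriptions/00000000-0000-0000-0000-000000000000
        oidc: true
    secrets:
      fn::open::azure-secrets:
        login: ${azure.login}
        vault: example-vault-name
        get:
          # No version: resolves to the current version of the secret, so a
          # rotation in Key Vault is picked up the next time the environment opens.
          apiKey:
            name: api-key
          # Pinned version (placeholder id): rotation in Key Vault does not change
          # what this environment resolves until the version is updated here.
          dbPassword:
            name: db-password
            version: 0123456789abcdef0123456789abcdef
  # Expose the imported secrets to consumers of the environment.
  environmentVariables:
    API_KEY: ${azure.secrets.apiKey}
    DB_PASSWORD: ${azure.secrets.dbPassword}
  pulumiConfig:
    myapp:dbPassword: ${azure.secrets.dbPassword}
```

Pinning a version gives reproducible deployments at the cost of having to update the environment when the secret is rotated; leaving `version` out follows rotation automatically but means two opens of the same environment can resolve different values. Choose per secret according to which failure mode is acceptable.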