
azure-app-secret

    The azure-app-secret rotator enables you to rotate client secrets for an Azure app registration in your Environment. Check out the azure-login documentation to learn more about authenticating with Azure.

    Example

    # my-org/logins/production
    values:
      azure:
        login:
          fn::open::azure-login:
            clientId: <your-client-id>
            tenantId: <your-tenant-id>
            subscriptionId: <your-subscription-id>
            oidc: true
    
    # my-org/rotators/secret-rotator
    values:
      appSecret:
        fn::rotate::azure-app-secret:
          inputs:
            login: ${environments.logins.production.azure.login}
            clientId: <target-app-client-id>
            lifetimeInDays: 180
    

    If you have an existing client secret you want ESC to keep track of, you can optionally provide an initial state.

    # my-org/rotators/secret-rotator
    values:
      appSecret:
        fn::rotate::azure-app-secret:
          inputs:
            login: ${environments.logins.production.azure.login}
            clientId: <target-app-client-id>
          state:
            current:
              secretId: <secret-id>
              secretValue:
                fn::secret: <secret-value>
    

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Azure, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:

    • esc open <org>/<project>/<environment> command of the Pulumi ESC CLI
    • pulumi env open <org>/<project>/<environment> command of the Pulumi CLI

    Make sure to replace <org>, <project>, and <environment> with the names of your Pulumi organization, project, and environment. You should see output similar to the following:

    {
      "azure": {
        "login": {
          "clientId": "b537....",
          "clientSecret": "[secret]",
          "subscriptionId": "0282....",
          "tenantId": "7060...."
        }
      },
      "appSecret": {
        "current": {
          "secretValue": "[secret]",
          "secretId": "a1b2c3d4-...",
          "createdAt": "2025-01-01T12:00:00Z",
          "expiresAt": "2025-07-01T12:00:00Z"
        },
        "previous": {
          "secretValue": "[secret]",
          "secretId": "e5f6g7h8-...",
          "createdAt": "2024-07-01T12:00:00Z",
          "expiresAt": "2025-01-01T12:00:00Z"
        }
      }
    }
    
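    As an added example (not part of the Pulumi ESC docs or the rotator itself), the Python check below reads the `esc open` output shown above and reports which credential a consumer should use, how long it remains valid, and whether the rotation state looks healthy (lifetime within the documented 730-day maximum, `previous` older than `current`, distinct secret IDs). The sample document embedded in it is constructed to match the shape above, with secret values redacted the way the CLI prints them; the `warn_days` threshold and the finding strings are the example's own.

```python
import json
from datetime import datetime

# Constructed sample mirroring the `esc open` output for this rotator
# (secret values redacted as "[secret]", exactly as the CLI shows them).
SAMPLE_ESC_OUTPUT = json.loads("""{
  "azure": {"login": {"clientId": "b537....", "clientSecret": "[secret]",
                      "subscriptionId": "0282....", "tenantId": "7060...."}},
  "appSecret": {
    "current":  {"secretValue": "[secret]", "secretId": "a1b2c3d4-...",
                 "createdAt": "2025-01-01T12:00:00Z", "expiresAt": "2025-07-01T12:00:00Z"},
    "previous": {"secretValue": "[secret]", "secretId": "e5f6g7h8-...",
                 "createdAt": "2024-07-01T12:00:00Z", "expiresAt": "2025-01-01T12:00:00Z"}
  }
}""")

MAX_LIFETIME_DAYS = 730  # documented maximum for lifetimeInDays


def parse_rfc3339(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_app_secret(esc_output: dict, now, warn_days: int = 30) -> dict:
    """Return the credential to use plus findings about the rotation state.
    `now` is an RFC3339 string or a timezone-aware datetime (caller-supplied clock)."""
    if isinstance(now, str):
        now = parse_rfc3339(now)
    cur = esc_output["appSecret"]["current"]
    prev = esc_output["appSecret"].get("previous")  # absent before the first rotation
    cur_created, cur_expires = parse_rfc3339(cur["createdAt"]), parse_rfc3339(cur["expiresAt"])
    findings = []
    lifetime = (cur_expires - cur_created).days
    if lifetime > MAX_LIFETIME_DAYS:
        findings.append("current secret lifetime exceeds the 730-day maximum")
    remaining = (cur_expires - now).days
    if remaining < 0:
        findings.append("current secret has expired; rotation is overdue")
    elif remaining < warn_days:
        findings.append(f"current secret expires in {remaining} days")
    previous_valid = False
    if prev:
        previous_valid = parse_rfc3339(prev["expiresAt"]) > now  # still usable by stragglers
        if parse_rfc3339(prev["createdAt"]) >= cur_created:
            findings.append("previous secret is not older than current; state may be mis-ordered")
        if prev["secretId"] == cur["secretId"]:
            findings.append("current and previous share a secretId")
    return {"use_secret_id": cur["secretId"], "current_days_remaining": remaining,
            "current_lifetime_days": lifetime, "previous_still_valid": previous_valid,
            "findings": findings}
```

    Pipe real output in with `esc open <org>/<project>/<environment> | python3 check.py` after replacing the sample with `json.load(sys.stdin)`; the script never needs the secret values themselves, only the IDs and timestamps.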

    Permissions

    The Azure identity used for rotation must have the following Microsoft Graph API permissions:

    • Application.ReadWrite.All - to read applications and manage their client secrets

    Alternatively, the identity can be added as an Owner of the specific app registration whose secrets will be rotated.

    Inputs

    Property         Type         Description
    login            AzureLogin   The credentials to use to log in to Azure.
    clientId         string       The Application (client) ID of the app registration whose secret should be rotated.
    lifetimeInDays   number       [Optional] - The number of days the secret should be valid. Defaults to 180. Maximum is 730.

    State (Optional)

    Property   Type                     Description
    current    AzureAppSecretOutputs    [Optional] - Current credential information. These are the newest and recommended credentials.
    previous   AzureAppSecretOutputs    [Optional] - Previous credential information. These credentials are still valid, but will be phased out next rotation.

    AzureLogin

    Property         Type     Description
    clientId         string   The client ID to use.
    tenantId         string   The tenant ID to use.
    subscriptionId   string   The subscription ID to use.
    clientSecret     string   [Optional] - The client secret to use for authentication.
    oidc             object   [Optional] - OIDC-related data, if OIDC is used for authentication.

    Outputs

    Property   Type                     Description
    current    AzureAppSecretOutputs    Current credential information. These are the newest and recommended credentials.
    previous   AzureAppSecretOutputs    Previous credential information. These credentials are still valid, but will be phased out next rotation.

    AzureAppSecretOutputs

    Property      Type     Description
    secretId      string   The secret ID.
    secretValue   string   The client secret value, stored as a secret.
    createdAt     string   [Optional] - The creation timestamp of the secret (RFC3339).
    expiresAt     string   [Optional] - The expiration timestamp of the secret (RFC3339).