Skip to main content
  1. Docs
  2. Secrets & Configuration
  3. Providers
  4. Secrets & config
  5. azure-secrets

azure-secrets

    The azure-secrets provider enables you to dynamically import Secrets and Configuration from Azure Key Vault into your Environment. The provider will return a map of names to Secrets.

    Example

    values:
      azure:
        login:
          fn::open::azure-login:
            clientId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
            tenantId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
            subscriptionId: /subscriptions/00000000-0000-0000-0000-000000000000
            oidc: true
        secrets:
          fn::open::azure-secrets:
            login: ${azure.login}
            vault: example-vault-name
            get:
              api-key:
                name: api-key
              app-secret:
                name: app-secret
      pulumiConfig:
        apiKey: ${azure.secrets.api-key}
        appSecret: ${azure.secrets.app-secret}
    

    Schema reference

    Reference schemas last updated on 2026-07-11, synced automatically from the Pulumi Cloud ESC API.

    Inputs

    • get map[string]AzureSecretsGet required
      A map from names to secrets to read from Azure Key Vault. The outputs will map each name to the secret’s sensitive data.
    • name string required
      The name of the secret to access.
    • version string optional
      The secret version to access.
    • login object required
      The credentials to use to get secrets.
    • clientId string required
      The client ID to use.
    • clientSecret string optional
      The client secret to use for authentication, if any.
    • oidc object optional
      OIDC-related data, if OIDC is used for authentication.
    • token string required
      The OIDC token to use for authentication.
    • subscriptionId string optional
      The subscription ID to use.
    • tenantId string required
      The tenant ID to use.
    • vault string required
      The vault to read from

    Outputs

    A map from names to secret values.

    Type: map[string]string

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Azure, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:

    • pulumi env open <org>/<project>/<environment> command of the Pulumi CLI
    • pulumi env open <org>/<project>/<environment> command of the Pulumi CLI

    Make sure to replace <org>, <project>, and <environment> with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following:

    {
      "azure": {
        "login": {
          "clientId": "b537....",
          "oidc": {
            "token": "eyJh...."
          },
          "subscriptionId": "0282....",
          "tenantId": "7061...."
        },
        "secrets": {
          "api-key": "my-api-key",
          "app-secret": "my-app-secret"
        }
      }
    }