azure-secrets
The azure-secrets provider enables you to dynamically import Secrets and Configuration from Azure Key Vault into your Environment. The provider will return a map of names to Secrets.
Example
values:
azure:
login:
fn::open::azure-login:
clientId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
tenantId: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
subscriptionId: /subscriptions/00000000-0000-0000-0000-000000000000
oidc: true
secrets:
fn::open::azure-secrets:
login: ${azure.login}
vault: example-vault-name
get:
api-key:
name: api-key
app-secret:
name: app-secret
pulumiConfig:
apiKey: ${azure.secrets.api-key}
appSecret: ${azure.secrets.app-secret}
Schema reference
Reference schemas last updated on 2026-07-11, synced automatically from the Pulumi Cloud ESC API.
Inputs
getmap[string]AzureSecretsGet requiredA map from names to secrets to read from Azure Key Vault. The outputs will map each name to the secret’s sensitive data.- ↳
namestring requiredThe name of the secret to access. - ↳
versionstring optionalThe secret version to access. loginobject requiredThe credentials to use to get secrets.- ↳
clientIdstring requiredThe client ID to use. - ↳
clientSecretstring optionalThe client secret to use for authentication, if any. - ↳
oidcobject optionalOIDC-related data, if OIDC is used for authentication. - ↳
tokenstring requiredThe OIDC token to use for authentication. - ↳
subscriptionIdstring optionalThe subscription ID to use. - ↳
tenantIdstring requiredThe tenant ID to use. vaultstring requiredThe vault to read from
Outputs
A map from names to secret values.
Type: map[string]string
Configuring OIDC
To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Azure, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:
pulumi env open <org>/<project>/<environment>command of the Pulumi CLIpulumi env open <org>/<project>/<environment>command of the Pulumi CLI
Make sure to replace <org>, <project>, and <environment> with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following:
{
"azure": {
"login": {
"clientId": "b537....",
"oidc": {
"token": "eyJh...."
},
"subscriptionId": "0282....",
"tenantId": "7061...."
},
"secrets": {
"api-key": "my-api-key",
"app-secret": "my-app-secret"
}
}
}