Azure SDK

Azure SDK secrets store Azure service principal credentials, enabling your workloads to authenticate with Azure services using the Azure SDK. Use them for accessing Azure Storage, Key Vault, Cosmos DB, or any Azure resource.

Use Cases

Azure Storage: Access Blob Storage, Files, Queues, or Tables
Azure Key Vault: Retrieve secrets, keys, and certificates
Azure Cosmos DB: Connect to Cosmos DB databases
Azure Service Bus: Send and receive messages
Any Azure Service: Authenticate with Azure Resource Manager APIs

Configuration Options

Field	Description	Required
`subscriptionId`	Azure subscription ID (GUID)	Yes
`tenantId`	Azure AD tenant ID (GUID)	Yes
`clientId`	Service principal application ID (GUID)	Yes
`clientSecret`	Service principal client secret	Yes

Create a service principal using the Azure CLI: az ad sp create-for-rbac --name "my-app" --role contributor --scopes /subscriptions/{subscription-id}If you don’t have the Azure CLI installed locally, you can run the command in Azure Cloud Shell — a browser-based shell with az preinstalled and authenticated against your signed-in account.

Create an Azure SDK Secret

Console UI
CLI
Terraform
Pulumi

Navigate to Secrets

In the Console, navigate to Secrets and click New, or use the Create dropdown in the top-right corner and select Secret.

Enter basic information

Enter a Name and optional Description.

Select secret type

Select Azure-SDK as the secret type.

Configure credentials

Click Data in the left pane. Enter the Azure SDK Secret Data (JSON format), or drag and drop a file / click to import.

Create the secret

Click Create.

Create a file named azure-credentials.json:

{
  "subscriptionId": "00000000-0000-0000-0000-000000000000",
  "tenantId": "00000000-0000-0000-0000-000000000000",
  "clientId": "00000000-0000-0000-0000-000000000000",
  "clientSecret": "your-client-secret-value"
}

Then create the secret:

cpln secret create-azure-sdk \
  --name azure-sdk-credentials \
  --file azure-credentials.json \
  --org my-org

resource "cpln_secret" "azure_sdk" {
  name        = "azure-sdk-credentials"
  description = "Azure service principal credentials"

  azure_sdk = jsonencode({
    subscriptionId = "00000000-0000-0000-0000-000000000000"
    tenantId       = "00000000-0000-0000-0000-000000000000"
    clientId       = "00000000-0000-0000-0000-000000000000"
    clientSecret   = "your-client-secret-value"
  })
}

This example uses placeholder credentials for testing. In production, use Terraform variables or integrate with Azure Key Vault.

TypeScript
Python
Go
C#

import * as cpln from "@pulumiverse/cpln";

const azureSdkSecret = new cpln.Secret("azure-sdk-credentials", {
  name: "azure-sdk-credentials",
  description: "Azure service principal credentials",
  azureSdk: JSON.stringify({
    subscriptionId: "00000000-0000-0000-0000-000000000000",
    tenantId: "00000000-0000-0000-0000-000000000000",
    clientId: "00000000-0000-0000-0000-000000000000",
    clientSecret: "your-client-secret-value",
  }),
});

import json
import pulumiverse_cpln as cpln

azure_sdk_secret = cpln.Secret("azure-sdk-credentials",
    name="azure-sdk-credentials",
    description="Azure service principal credentials",
    azure_sdk=json.dumps({
        "subscriptionId": "00000000-0000-0000-0000-000000000000",
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "clientId": "00000000-0000-0000-0000-000000000000",
        "clientSecret": "your-client-secret-value",
    }))

package main

import (
    "encoding/json"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    "github.com/pulumiverse/pulumi-cpln/sdk/go/cpln"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        azureConfig, _ := json.Marshal(map[string]string{
            "subscriptionId": "00000000-0000-0000-0000-000000000000",
            "tenantId":       "00000000-0000-0000-0000-000000000000",
            "clientId":       "00000000-0000-0000-0000-000000000000",
            "clientSecret":   "your-client-secret-value",
        })

        _, err := cpln.NewSecret(ctx, "azure-sdk-credentials", &cpln.SecretArgs{
            Name:        pulumi.String("azure-sdk-credentials"),
            Description: pulumi.String("Azure service principal credentials"),
            AzureSdk:    pulumi.String(string(azureConfig)),
        })
        return err
    })
}

using System.Text.Json;
using Pulumi;
using Pulumiverse.Cpln;
using Pulumiverse.Cpln.Inputs;

return await Deployment.RunAsync(() =>
{
    var azureConfig = JsonSerializer.Serialize(new
    {
        subscriptionId = "00000000-0000-0000-0000-000000000000",
        tenantId = "00000000-0000-0000-0000-000000000000",
        clientId = "00000000-0000-0000-0000-000000000000",
        clientSecret = "your-client-secret-value",
    });

    var azureSdkSecret = new Secret("azure-sdk-credentials", new SecretArgs
    {
        Name = "azure-sdk-credentials",
        Description = "Azure service principal credentials",
        AzureSdk = azureConfig,
    });
});

Creating a Service Principal

Use the Azure CLI to create a service principal. If you don’t have the Azure CLI installed locally, you can run the command in Azure Cloud Shell without a local install:

# Create service principal with Contributor role
az ad sp create-for-rbac \
  --name "my-control-plane-app" \
  --role contributor \
  --scopes /subscriptions/{subscription-id}

# Output includes:
# {
#   "appId": "00000000-0000-0000-0000-000000000000",      <- clientId
#   "displayName": "my-control-plane-app",
#   "password": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",   <- clientSecret
#   "tenant": "00000000-0000-0000-0000-000000000000"      <- tenantId
# }

Use the principle of least privilege. Assign only the roles your workload needs, scoped to specific resources when possible.

Use Cases

Configuration Options

Create an Azure SDK Secret

Creating a Service Principal

Next Steps

Using Secrets in Workloads

Azure Connector

​Use Cases

​Configuration Options

​Create an Azure SDK Secret

​Creating a Service Principal

​Next Steps

Using Secrets in Workloads

Azure Connector

Use Cases

Configuration Options

Create an Azure SDK Secret

Creating a Service Principal

Next Steps