Azure SDK secrets store Azure service principal credentials, enabling your workloads to authenticate with Azure services using the Azure SDK. Use them for accessing Azure Storage, Key Vault, Cosmos DB, or any Azure resource.
Use Cases
- Azure Storage: Access Blob Storage, Files, Queues, or Tables
- Azure Key Vault: Retrieve secrets, keys, and certificates
- Azure Cosmos DB: Connect to Cosmos DB databases
- Azure Service Bus: Send and receive messages
- Any Azure Service: Authenticate with Azure Resource Manager APIs
Configuration Options
| Field | Description | Required |
|---|---|---|
| subscriptionId | Azure subscription ID (GUID) | Yes |
| tenantId | Azure AD (Microsoft Entra ID) tenant ID (GUID) | Yes |
| clientId | Service principal application (client) ID (GUID) | Yes |
| clientSecret | Service principal client secret | Yes |
Create a service principal using the Azure CLI:
az ad sp create-for-rbac --name "my-app" --role contributor --scopes /subscriptions/{subscription-id}
Create an Azure SDK Secret
You can create the secret from the Console UI, the CLI, Terraform, or Pulumi; each method is shown below.
Console UI
1. Navigate to Secrets: in the Console, navigate to Secrets and click New, or use the Create dropdown in the top-right corner and select Secret.
2. Enter basic information: enter a Name and an optional Description.
3. Select secret type: select Azure-SDK as the secret type.
4. Configure credentials: click Data in the left pane. Enter the Azure SDK Secret Data (JSON format), or drag and drop a file / click to import.
5. Create the secret: click Create.
CLI
Create a file named azure-credentials.json:
{
  "subscriptionId": "00000000-0000-0000-0000-000000000000",
  "tenantId": "00000000-0000-0000-0000-000000000000",
  "clientId": "00000000-0000-0000-0000-000000000000",
  "clientSecret": "your-client-secret-value"
}
Then create the secret:
cpln secret create-azure-sdk \
  --name azure-sdk-credentials \
  --file azure-credentials.json \
  --org my-org
Terraform
resource "cpln_secret" "azure_sdk" {
  name        = "azure-sdk-credentials"
  description = "Azure service principal credentials"
  azure_sdk = jsonencode({
    subscriptionId = "00000000-0000-0000-0000-000000000000"
    tenantId       = "00000000-0000-0000-0000-000000000000"
    clientId       = "00000000-0000-0000-0000-000000000000"
    clientSecret   = "your-client-secret-value"
  })
}
This example uses placeholder credentials for testing. In production, do not hard-code the client secret: pass it in as a Terraform variable marked sensitive, or read it from Azure Key Vault. Note that the value still ends up in Terraform state, so protect the state backend (encryption and access control) as you would the secret itself.
Pulumi (TypeScript)
import * as cpln from "@pulumiverse/cpln";

const azureSdkSecret = new cpln.Secret("azure-sdk-credentials", {
  name: "azure-sdk-credentials",
  description: "Azure service principal credentials",
  azureSdk: JSON.stringify({
    subscriptionId: "00000000-0000-0000-0000-000000000000",
    tenantId: "00000000-0000-0000-0000-000000000000",
    clientId: "00000000-0000-0000-0000-000000000000",
    clientSecret: "your-client-secret-value",
  }),
});
Pulumi (Python)
import json
import pulumiverse_cpln as cpln

azure_sdk_secret = cpln.Secret("azure-sdk-credentials",
    name="azure-sdk-credentials",
    description="Azure service principal credentials",
    azure_sdk=json.dumps({
        "subscriptionId": "00000000-0000-0000-0000-000000000000",
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "clientId": "00000000-0000-0000-0000-000000000000",
        "clientSecret": "your-client-secret-value",
    }))
Pulumi (Go)
package main

import (
    "encoding/json"

    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    "github.com/pulumiverse/pulumi-cpln/sdk/go/cpln"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Build the secret payload as JSON; surface the Marshal error
        // instead of discarding it.
        azureConfig, err := json.Marshal(map[string]string{
            "subscriptionId": "00000000-0000-0000-0000-000000000000",
            "tenantId":       "00000000-0000-0000-0000-000000000000",
            "clientId":       "00000000-0000-0000-0000-000000000000",
            "clientSecret":   "your-client-secret-value",
        })
        if err != nil {
            return err
        }
        _, err = cpln.NewSecret(ctx, "azure-sdk-credentials", &cpln.SecretArgs{
            Name:        pulumi.String("azure-sdk-credentials"),
            Description: pulumi.String("Azure service principal credentials"),
            AzureSdk:    pulumi.String(string(azureConfig)),
        })
        return err
    })
}
Pulumi (C#)
using System.Text.Json;
using Pulumi;
using Pulumiverse.Cpln;
using Pulumiverse.Cpln.Inputs;

return await Deployment.RunAsync(() =>
{
    var azureConfig = JsonSerializer.Serialize(new
    {
        subscriptionId = "00000000-0000-0000-0000-000000000000",
        tenantId = "00000000-0000-0000-0000-000000000000",
        clientId = "00000000-0000-0000-0000-000000000000",
        clientSecret = "your-client-secret-value",
    });

    var azureSdkSecret = new Secret("azure-sdk-credentials", new SecretArgs
    {
        Name = "azure-sdk-credentials",
        Description = "Azure service principal credentials",
        AzureSdk = azureConfig,
    });
});
Creating a Service Principal
Use the Azure CLI to create a service principal:
# Create service principal with Contributor role
az ad sp create-for-rbac \
--name "my-control-plane-app" \
--role contributor \
--scopes /subscriptions/{subscription-id}
# Output includes:
# {
# "appId": "00000000-0000-0000-0000-000000000000", <- clientId
# "displayName": "my-control-plane-app",
# "password": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", <- clientSecret
# "tenant": "00000000-0000-0000-0000-000000000000" <- tenantId
# }
Use the principle of least privilege. The command above grants Contributor over the entire subscription, which is broader than most workloads need. Assign only the roles your workload needs, scoped to the narrowest resource that works: a resource group (/subscriptions/{subscription-id}/resourceGroups/{resource-group}) or a single resource, and prefer a data-plane role such as Storage Blob Data Reader over Contributor where the workload only reads data. The CLI prints the password (client secret) only once; copy it straight into the secret rather than into a shell history or a shared document, and rotate it on a schedule.
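The CLI output uses different field names (appId, password, tenant) from the secret (clientId, clientSecret, tenantId), and subscriptionId is not in the output at all, so the mapping above is easy to get wrong by hand. The following script, an added example that is not part of the Control Plane CLI or this page's original code, performs that mapping, validates the result against the configuration table (all four fields present, the three IDs in canonical GUID form, no stray fields), and only then writes azure-credentials.json with owner-only permissions for cpln secret create-azure-sdk to read. The helper names, the constructed sample CLI output, and the 0600 file mode are assumptions of this example; the GUIDs and password in it are made up.

```python
"""Build and check azure-credentials.json for `cpln secret create-azure-sdk`.

Added example: the helper names below are this example's own, not part of
the Control Plane CLI or SDK. Values are placeholders, not real credentials.
"""
import json
import os
import sys
import uuid

# Fields the Azure SDK secret type requires (from the configuration table).
REQUIRED_FIELDS = ("subscriptionId", "tenantId", "clientId", "clientSecret")

# `az ad sp create-for-rbac` key -> secret field (appId, password, tenant).
AZ_TO_SECRET = {"appId": "clientId", "password": "clientSecret", "tenant": "tenantId"}

# Constructed sample of the CLI output; the GUIDs and password are made up.
SAMPLE_AZ_OUTPUT = json.dumps({
    "appId": "11111111-2222-3333-4444-555555555555",
    "displayName": "my-control-plane-app",
    "password": "not-a-real-secret",
    "tenant": "66666666-7777-8888-9999-aaaaaaaaaaaa",
})
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"


def is_guid(value):
    """True only for canonical 8-4-4-4-12 GUID text (braced or unhyphenated forms are rejected)."""
    if not isinstance(value, str):
        return False
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def sp_output_to_secret(az_output_json, subscription_id):
    """Map CLI output to the secret layout. subscriptionId is not part of the
    CLI output, so the caller supplies it; displayName is dropped."""
    az_output = json.loads(az_output_json)
    secret = {"subscriptionId": subscription_id}
    for az_key, secret_key in AZ_TO_SECRET.items():
        if az_key in az_output:
            secret[secret_key] = az_output[az_key]
    return secret


def validate_secret(secret):
    """Return a list of problems; an empty list means the JSON is acceptable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not secret.get(field):
            problems.append(f"missing required field: {field}")
    for field in ("subscriptionId", "tenantId", "clientId"):
        if secret.get(field) and not is_guid(secret[field]):
            problems.append(f"{field} is not a GUID: {secret[field]!r}")
    extra = sorted(set(secret) - set(REQUIRED_FIELDS))
    if extra:
        problems.append(f"unexpected fields: {extra}")
    return problems


def write_credentials_file(secret, path):
    """Validate, then write the JSON readable by the owner only (mode 0600),
    so the client secret is not world-readable while it sits on disk."""
    problems = validate_secret(secret)
    if problems:
        raise ValueError("; ".join(problems))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(secret, f, indent=2)
    return path


if __name__ == "__main__":
    # Usage: az ad sp create-for-rbac ... > sp.json
    #        python make_secret.py <subscription-id> sp.json
    # With no arguments the constructed sample output is used instead.
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as f:
            cli_output, subscription = f.read(), sys.argv[1]
    else:
        cli_output, subscription = SAMPLE_AZ_OUTPUT, SAMPLE_SUBSCRIPTION
    creds = sp_output_to_secret(cli_output, subscription)
    print(write_credentials_file(creds, "azure-credentials.json"), "written")
```

Redirecting the CLI output to a file and feeding it to the script keeps the password out of the terminal scrollback; delete sp.json and azure-credentials.json once cpln secret create-azure-sdk has run, since the secret store is now the copy of record.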
Next Steps