# Azure SDK

> Create an Azure SDK secret to store service principal credentials for authenticating workloads with Azure services.

Azure SDK secrets store Azure service principal credentials, enabling your workloads to authenticate with Azure services using the Azure SDK. Use them for accessing Azure Storage, Key Vault, Cosmos DB, or any Azure resource.

## Use Cases

* **Azure Storage**: Access Blob Storage, Files, Queues, or Tables
* **Azure Key Vault**: Retrieve secrets, keys, and certificates
* **Azure Cosmos DB**: Connect to Cosmos DB databases
* **Azure Service Bus**: Send and receive messages
* **Any Azure Service**: Authenticate with Azure Resource Manager APIs

## Configuration Options

| Field            | Description                             | Required |
| :--------------- | :-------------------------------------- | :------- |
| `subscriptionId` | Azure subscription ID (GUID)            | Yes      |
| `tenantId`       | Azure AD tenant ID (GUID)               | Yes      |
| `clientId`       | Service principal application ID (GUID) | Yes      |
| `clientSecret`   | Service principal client secret         | Yes      |

<Tip>
  Create a service principal using the Azure CLI: `az ad sp create-for-rbac --name "my-app" --role contributor --scopes /subscriptions/{subscription-id}`

  If you don't have the Azure CLI installed locally, you can run the command in [Azure Cloud Shell](https://shell.azure.com/bash) — a browser-based shell with `az` preinstalled and authenticated against your signed-in account.
</Tip>

***

## Create an Azure SDK Secret

<Tabs>
  <Tab title="Console UI">
    <Steps>
      <Step title="Navigate to Secrets">
        In the Console, navigate to **Secrets** and click **New**, or use the **Create** dropdown in the top-right corner and select **Secret**.
      </Step>

      <Step title="Enter basic information">
        Enter a **Name** and optional **Description**.
      </Step>

      <Step title="Select secret type">
        Select **Azure-SDK** as the secret type.
      </Step>

      <Step title="Configure credentials">
        Click **Data** in the left pane. Enter the **Azure SDK Secret Data** (JSON format), or drag and drop a file / click to import.
      </Step>

      <Step title="Create the secret">
        Click **Create**.
      </Step>
    </Steps>
  </Tab>

  <Tab title="CLI">
    Create a file named `azure-credentials.json`:

    ```json
    {
      "subscriptionId": "00000000-0000-0000-0000-000000000000",
      "tenantId": "00000000-0000-0000-0000-000000000000",
      "clientId": "00000000-0000-0000-0000-000000000000",
      "clientSecret": "your-client-secret-value"
    }
    ```

    Then create the secret:

    ```bash
    cpln secret create-azure-sdk \
      --name azure-sdk-credentials \
      --file azure-credentials.json \
      --org my-org
    ```
  </Tab>

  <Tab title="Terraform">
    ```hcl
    resource "cpln_secret" "azure_sdk" {
      name        = "azure-sdk-credentials"
      description = "Azure service principal credentials"

      azure_sdk = jsonencode({
        subscriptionId = "00000000-0000-0000-0000-000000000000"
        tenantId       = "00000000-0000-0000-0000-000000000000"
        clientId       = "00000000-0000-0000-0000-000000000000"
        clientSecret   = "your-client-secret-value"
      })
    }
    ```

    <Warning>
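      This example uses placeholder credentials for testing. In production, use Terraform variables or integrate with Azure Key Vault. Declare the variable that holds `clientSecret` as sensitive, and restrict access to the Terraform state, where the value is still stored in plaintext.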
    </Warning>
  </Tab>

  <Tab title="Pulumi">
    <Tabs>
      <Tab title="TypeScript">
        ```typescript
        import * as cpln from "@pulumiverse/cpln";

        const azureSdkSecret = new cpln.Secret("azure-sdk-credentials", {
          name: "azure-sdk-credentials",
          description: "Azure service principal credentials",
          azureSdk: JSON.stringify({
            subscriptionId: "00000000-0000-0000-0000-000000000000",
            tenantId: "00000000-0000-0000-0000-000000000000",
            clientId: "00000000-0000-0000-0000-000000000000",
            clientSecret: "your-client-secret-value",
          }),
        });
        ```
      </Tab>

      <Tab title="Python">
        ```python
        import json
        import pulumiverse_cpln as cpln

        azure_sdk_secret = cpln.Secret("azure-sdk-credentials",
            name="azure-sdk-credentials",
            description="Azure service principal credentials",
            azure_sdk=json.dumps({
                "subscriptionId": "00000000-0000-0000-0000-000000000000",
                "tenantId": "00000000-0000-0000-0000-000000000000",
                "clientId": "00000000-0000-0000-0000-000000000000",
                "clientSecret": "your-client-secret-value",
            }))
        ```
      </Tab>

      <Tab title="Go">
        ```go
        package main

        import (
            "encoding/json"
            "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
            "github.com/pulumiverse/pulumi-cpln/sdk/go/cpln"
        )

        func main() {
            pulumi.Run(func(ctx *pulumi.Context) error {
                // Serialize the credentials to the JSON string the secret expects
                azureConfig, err := json.Marshal(map[string]string{
                    "subscriptionId": "00000000-0000-0000-0000-000000000000",
                    "tenantId":       "00000000-0000-0000-0000-000000000000",
                    "clientId":       "00000000-0000-0000-0000-000000000000",
                    "clientSecret":   "your-client-secret-value",
                })
                if err != nil {
                    return err
                }

                _, err = cpln.NewSecret(ctx, "azure-sdk-credentials", &cpln.SecretArgs{
                    Name:        pulumi.String("azure-sdk-credentials"),
                    Description: pulumi.String("Azure service principal credentials"),
                    AzureSdk:    pulumi.String(string(azureConfig)),
                })
                return err
            })
        }
        ```
      </Tab>

      <Tab title="C#">
        ```csharp
        using System.Text.Json;
        using Pulumi;
        using Pulumiverse.Cpln;
        using Pulumiverse.Cpln.Inputs;

        return await Deployment.RunAsync(() =>
        {
            var azureConfig = JsonSerializer.Serialize(new
            {
                subscriptionId = "00000000-0000-0000-0000-000000000000",
                tenantId = "00000000-0000-0000-0000-000000000000",
                clientId = "00000000-0000-0000-0000-000000000000",
                clientSecret = "your-client-secret-value",
            });

            var azureSdkSecret = new Secret("azure-sdk-credentials", new SecretArgs
            {
                Name = "azure-sdk-credentials",
                Description = "Azure service principal credentials",
                AzureSdk = azureConfig,
            });
        });
        ```
      </Tab>
    </Tabs>
  </Tab>
</Tabs>

***

## Creating a Service Principal

Use the Azure CLI to create a service principal. If you don't have the Azure CLI installed locally, you can run the command in [Azure Cloud Shell](https://shell.azure.com/bash) without a local install:

```bash
# Create service principal with Contributor role
az ad sp create-for-rbac \
  --name "my-control-plane-app" \
  --role contributor \
  --scopes /subscriptions/{subscription-id}

# Output includes:
# {
#   "appId": "00000000-0000-0000-0000-000000000000",      <- clientId
#   "displayName": "my-control-plane-app",
#   "password": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",   <- clientSecret
#   "tenant": "00000000-0000-0000-0000-000000000000"      <- tenantId
# }
```

<Note>
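  Use the principle of least privilege. Assign only the roles your workload needs, scoped to specific resources when possible. The `contributor` role at subscription scope used in the `az ad sp create-for-rbac` example grants management access to every resource in the subscription; prefer a narrower role and a resource group or single resource in `--scopes`.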
</Note>
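
The following is an added example, not part of the Control Plane documentation or tooling: it maps the `az ad sp create-for-rbac` output fields shown above to the four secret fields, rejects the placeholder values used on this page, and writes `azure-credentials.json` with owner-only permissions. The function names and sample values are assumptions constructed for illustration; the subscription ID is passed separately because the command output does not include it.

```python
import json
import os
import stat
import uuid

NIL_GUID = "00000000-0000-0000-0000-000000000000"  # placeholder used in the docs


def _guid(name, value):
    """Return the canonical GUID string, rejecting malformed or placeholder values."""
    try:
        parsed = str(uuid.UUID(str(value)))
    except ValueError:
        raise ValueError(f"{name} is not a GUID") from None
    if parsed == NIL_GUID:
        raise ValueError(f"{name} is still the all-zero placeholder")
    return parsed


def build_azure_sdk_secret(sp_output, subscription_id):
    """Map `az ad sp create-for-rbac` output to the four Azure SDK secret fields."""
    secret = sp_output.get("password", "")
    if not secret or secret == "your-client-secret-value":
        raise ValueError("clientSecret is empty or a placeholder")
    return {
        "subscriptionId": _guid("subscriptionId", subscription_id),
        "tenantId": _guid("tenantId", sp_output.get("tenant")),
        "clientId": _guid("clientId", sp_output.get("appId")),
        "clientSecret": secret,
    }


def write_secret_file(path, payload):
    """Create the file with mode 0600 from the start; refuse to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(payload, fh, indent=2)
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed sample output (made-up GUIDs, fake password); not real credentials.
SAMPLE_SP_OUTPUT = {
    "appId": "3f2b8c1e-7a4d-4e9b-9c55-1d2e3f4a5b6c",
    "displayName": "my-control-plane-app",
    "password": "constructed-example-secret",
    "tenant": "9A8B7C6D-5E4F-4A3B-8C2D-1E0F9A8B7C6D",
}
SAMPLE_SUBSCRIPTION_ID = "0b1c2d3e-4f5a-4b6c-8d7e-9f0a1b2c3d4e"
```

The subscription ID can be read with `az account show --query id -o tsv`. Delete the local file once the secret has been created.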

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Using Secrets in Workloads" icon="cube" href="/guides/create-secret/overview#using-secrets-in-workloads">
    Learn how to grant access and inject secrets
  </Card>

  <Card title="Azure Connector" icon="microsoft" href="/guides/create-secret/azure-connector">
    Connect to Azure Function Apps
  </Card>
</CardGroup>
