NATS Account

NATS Account secrets store credentials for authenticating with NATS messaging systems, including NGS (NATS Global Service). Use them for connecting workloads to NATS clusters using NKey-based authentication.

Use Cases

NGS Cloud Access: Connect to Synadia’s global NATS service
NATS Cluster Authentication: Authenticate with self-hosted NATS clusters
Microservice Messaging: Enable pub/sub communication between services
Event-Driven Architecture: Connect event producers and consumers
IoT Message Brokers: Handle high-throughput device messaging

Configuration Options

Field	Description	Required
`accountId`	NATS account public key (starts with `A`)	Yes
`privateKey`	Account private/seed key (starts with `S`)	Yes

NATS NKeys contain embedded checksums and must be generated using official NATS tools. Random strings will not work.

Create a NATS Account Secret

Console UI
CLI
Terraform
Pulumi

Navigate to Secrets

In the Console, navigate to Secrets and click New, or use the Create dropdown in the top-right corner and select Secret.

Enter basic information

Enter a Name and optional Description.

Select secret type

Select NATS Account as the secret type.

Configure NATS credentials

Click Data in the left pane. Enter the Account ID (starts with A) and the Private Key (starts with S).

Create the secret

Click Create.

cpln secret create-nats \
  --name my-nats-account \
  --account-id AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
  --private-key SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
  --org my-org

resource "cpln_secret" "nats_account" {
  name        = "my-nats-account"
  description = "NATS account for messaging service"

  nats_account {
    account_id  = "AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    private_key = "SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  }
}

This example uses placeholder NKeys for testing. In production, use Terraform variables or a secrets manager.

TypeScript
Python
Go
C#

import * as cpln from "@pulumiverse/cpln";

const natsSecret = new cpln.Secret("my-nats-account", {
  name: "my-nats-account",
  description: "NATS account for messaging service",
  natsAccount: {
    accountId: "AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    privateKey: "SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  },
});

import pulumiverse_cpln as cpln

nats_secret = cpln.Secret("my-nats-account",
    name="my-nats-account",
    description="NATS account for messaging service",
    nats_account={
        "account_id": "AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "private_key": "SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    })

package main

import (
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    "github.com/pulumiverse/pulumi-cpln/sdk/go/cpln"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := cpln.NewSecret(ctx, "my-nats-account", &cpln.SecretArgs{
            Name:        pulumi.String("my-nats-account"),
            Description: pulumi.String("NATS account for messaging service"),
            NatsAccount: &cpln.SecretNatsAccountArgs{
                AccountId:  pulumi.String("AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"),
                PrivateKey: pulumi.String("SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"),
            },
        })
        return err
    })
}

using Pulumi;
using Pulumiverse.Cpln;
using Pulumiverse.Cpln.Inputs;

return await Deployment.RunAsync(() =>
{
    var natsSecret = new Secret("my-nats-account", new SecretArgs
    {
        Name = "my-nats-account",
        Description = "NATS account for messaging service",
        NatsAccount = new SecretNatsAccountArgs
        {
            AccountId = "AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
            PrivateKey = "SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        },
    });
});

Using with NGS Cloud Account

For NGS integration, you can also create an NGS Cloud Account which provides managed connectivity. The NATS Account secret type is used for the underlying authentication.

Console UI
CLI
Terraform
Pulumi

Navigate to Cloud Accounts

In the Console, navigate to Cloud Accounts and click New, or use the Create dropdown in the top-right corner and select Cloud Account.

Enter basic information

Enter a Name and optional Description.

Select provider

Select NGS as the cloud provider.

Link the secret

Select your NATS Account secret from the dropdown.

Create the cloud account

Click Create.

cpln cloudaccount create-ngs --name ngs-connection \
  --secret my-nats-account \
  --org my-org

resource "cpln_cloud_account" "ngs" {
  name        = "ngs-connection"
  description = "NGS cloud account"

  ngs {
    secret_link = cpln_secret.nats_account.self_link
  }
}

TypeScript
Python
Go
C#

import * as cpln from "@pulumiverse/cpln";

const ngsCloudAccount = new cpln.CloudAccount("ngs-connection", {
  name: "ngs-connection",
  description: "NGS cloud account",
  ngs: {
    secretLink: natsSecret.selfLink,
  },
});

import pulumiverse_cpln as cpln

ngs_cloud_account = cpln.CloudAccount("ngs-connection",
    name="ngs-connection",
    description="NGS cloud account",
    ngs={
        "secret_link": nats_secret.self_link,
    })

ngsCloudAccount, err := cpln.NewCloudAccount(ctx, "ngs-connection", &cpln.CloudAccountArgs{
    Name:        pulumi.String("ngs-connection"),
    Description: pulumi.String("NGS cloud account"),
    Ngs: &cpln.CloudAccountNgsArgs{
        SecretLink: natsSecret.SelfLink,
    },
})

var ngsCloudAccount = new CloudAccount("ngs-connection", new CloudAccountArgs
{
    Name = "ngs-connection",
    Description = "NGS cloud account",
    Ngs = new CloudAccountNgsArgs
    {
        SecretLink = natsSecret.SelfLink,
    },
});

When using NGS Cloud Accounts, the NATS Account secret provides the authentication credentials, while the Cloud Account resource manages the connection to NGS infrastructure.

Best Practices

Use separate accounts per environment

Create distinct NATS accounts for development, staging, and production to isolate message traffic and credentials.

Implement key rotation

Regularly rotate NATS keys. Generate new keypairs, update the secret, and phase out old keys.

Scope permissions appropriately

Use NATS account permissions to limit which subjects each account can publish to or subscribe from.

Monitor account usage

Track message rates and connection counts per account to detect anomalies or unauthorized access.

How-to Guides

CLI Configuration

Integrations

Configure Resources

Create Resources

Deployment

GitOps

Images

Native Networking

Observability

Workload Access

Use Cases

Configuration Options

Create a NATS Account Secret

Using with NGS Cloud Account

Best Practices

Next Steps

Cloud Accounts

Using Secrets in Workloads

How-to Guides

CLI Configuration

Integrations

Configure Resources

Create Resources

Deployment

GitOps

Images

Native Networking

Observability

Workload Access

​Use Cases

​Configuration Options

​Create a NATS Account Secret

​Using with NGS Cloud Account

​Best Practices

​Next Steps

Cloud Accounts

Using Secrets in Workloads

Use Cases

Configuration Options

Create a NATS Account Secret

Using with NGS Cloud Account

Best Practices

Next Steps