> ## Documentation Index
> Fetch the complete documentation index at: https://docs.controlplane.com/llms.txt
> Use this file to discover all available pages before exploring further.

# NATS Account

> Create a NATS Account secret to store NKey-based credentials for authenticating workloads with NATS clusters or NGS.

NATS Account secrets store credentials for authenticating with NATS messaging systems, including [NGS (NATS Global Service)](https://synadia.com/ngs). Use them for connecting workloads to NATS clusters using NKey-based authentication.

## Use Cases

* **NGS Cloud Access**: Connect to Synadia's global NATS service
* **NATS Cluster Authentication**: Authenticate with self-hosted NATS clusters
* **Microservice Messaging**: Enable pub/sub communication between services
* **Event-Driven Architecture**: Connect event producers and consumers
* **IoT Message Brokers**: Handle high-throughput device messaging

## Configuration Options

| Field        | Description                                | Required |
| :----------- | :----------------------------------------- | :------- |
| `accountId`  | NATS account public key (starts with `A`)  | Yes      |
| `privateKey` | Account private/seed key (starts with `S`) | Yes      |

<Warning>
  NATS NKeys contain embedded checksums and must be generated using official NATS tools. Random strings will not work.
</Warning>

***

## Create a NATS Account Secret

<Tabs>
  <Tab title="Console UI">
    <Steps>
      <Step title="Navigate to Secrets">
        In the Console, navigate to **Secrets** and click **New**, or use the **Create** dropdown in the top-right corner and select **Secret**.
      </Step>

      <Step title="Enter basic information">
        Enter a **Name** and optional **Description**.
      </Step>

      <Step title="Select secret type">
        Select **NATS Account** as the secret type.
      </Step>

      <Step title="Configure NATS credentials">
        Click **Data** in the left pane. Enter the **Account ID** (starts with `A`) and the **Private Key** (starts with `S`).
      </Step>

      <Step title="Create the secret">
        Click **Create**.
      </Step>
    </Steps>
  </Tab>

  <Tab title="CLI">
    ```bash theme={null}
    cpln secret create-nats \
      --name my-nats-account \
      --account-id AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
      --private-key SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
      --org my-org
    ```
  </Tab>

  <Tab title="Terraform">
    ```hcl theme={null}
    resource "cpln_secret" "nats_account" {
      name        = "my-nats-account"
      description = "NATS account for messaging service"

      nats_account {
        account_id  = "AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        private_key = "SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      }
    }
    ```

    <Warning>
      This example uses placeholder NKeys for testing. In production, use Terraform variables or a secrets manager.
    </Warning>
  </Tab>

  <Tab title="Pulumi">
    <Tabs>
      <Tab title="TypeScript">
        ```typescript theme={null}
        import * as cpln from "@pulumiverse/cpln";

        const natsSecret = new cpln.Secret("my-nats-account", {
          name: "my-nats-account",
          description: "NATS account for messaging service",
          natsAccount: {
            accountId: "AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
            privateKey: "SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
          },
        });
        ```
      </Tab>

      <Tab title="Python">
        ```python theme={null}
        import pulumiverse_cpln as cpln

        nats_secret = cpln.Secret("my-nats-account",
            name="my-nats-account",
            description="NATS account for messaging service",
            nats_account={
                "account_id": "AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
                "private_key": "SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
            })
        ```
      </Tab>

      <Tab title="Go">
        ```go theme={null}
        package main

        import (
            "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
            "github.com/pulumiverse/pulumi-cpln/sdk/go/cpln"
        )

        func main() {
            pulumi.Run(func(ctx *pulumi.Context) error {
                _, err := cpln.NewSecret(ctx, "my-nats-account", &cpln.SecretArgs{
                    Name:        pulumi.String("my-nats-account"),
                    Description: pulumi.String("NATS account for messaging service"),
                    NatsAccount: &cpln.SecretNatsAccountArgs{
                        AccountId:  pulumi.String("AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"),
                        PrivateKey: pulumi.String("SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"),
                    },
                })
                return err
            })
        }
        ```
      </Tab>

      <Tab title="C#">
        ```csharp theme={null}
        using Pulumi;
        using Pulumiverse.Cpln;
        using Pulumiverse.Cpln.Inputs;

        return await Deployment.RunAsync(() =>
        {
            var natsSecret = new Secret("my-nats-account", new SecretArgs
            {
                Name = "my-nats-account",
                Description = "NATS account for messaging service",
                NatsAccount = new SecretNatsAccountArgs
                {
                    AccountId = "AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
                    PrivateKey = "SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
                },
            });
        });
        ```
      </Tab>
    </Tabs>
  </Tab>
</Tabs>

***

## Using with NGS Cloud Account

For NGS integration, you can also create an NGS [Cloud Account](/reference/cloudaccount) which provides managed connectivity. The NATS Account secret type is used for the underlying authentication.

<Tabs>
  <Tab title="Console UI">
    <Steps>
      <Step title="Navigate to Cloud Accounts">
        In the Console, navigate to **Cloud Accounts** and click **New**, or use the **Create** dropdown in the top-right corner and select **Cloud Account**.
      </Step>

      <Step title="Enter basic information">
        Enter a **Name** and optional **Description**.
      </Step>

      <Step title="Select provider">
        Select **NGS** as the cloud provider.
      </Step>

      <Step title="Link the secret">
        Select your NATS Account secret from the dropdown.
      </Step>

      <Step title="Create the cloud account">
        Click **Create**.
      </Step>
    </Steps>
  </Tab>

  <Tab title="CLI">
    ```bash theme={null}
    cpln cloudaccount create-ngs --name ngs-connection \
      --secret my-nats-account \
      --org my-org
    ```
  </Tab>

  <Tab title="Terraform">
    ```hcl theme={null}
    resource "cpln_cloud_account" "ngs" {
      name        = "ngs-connection"
      description = "NGS cloud account"

      ngs {
        secret_link = cpln_secret.nats_account.self_link
      }
    }
    ```
  </Tab>

  <Tab title="Pulumi">
    <Tabs>
      <Tab title="TypeScript">
        ```typescript theme={null}
        import * as cpln from "@pulumiverse/cpln";

        const ngsCloudAccount = new cpln.CloudAccount("ngs-connection", {
          name: "ngs-connection",
          description: "NGS cloud account",
          ngs: {
            secretLink: natsSecret.selfLink,
          },
        });
        ```
      </Tab>

      <Tab title="Python">
        ```python theme={null}
        import pulumiverse_cpln as cpln

        ngs_cloud_account = cpln.CloudAccount("ngs-connection",
            name="ngs-connection",
            description="NGS cloud account",
            ngs={
                "secret_link": nats_secret.self_link,
            })
        ```
      </Tab>

      <Tab title="Go">
        ```go theme={null}
        ngsCloudAccount, err := cpln.NewCloudAccount(ctx, "ngs-connection", &cpln.CloudAccountArgs{
            Name:        pulumi.String("ngs-connection"),
            Description: pulumi.String("NGS cloud account"),
            Ngs: &cpln.CloudAccountNgsArgs{
                SecretLink: natsSecret.SelfLink,
            },
        })
        ```
      </Tab>

      <Tab title="C#">
        ```csharp theme={null}
        var ngsCloudAccount = new CloudAccount("ngs-connection", new CloudAccountArgs
        {
            Name = "ngs-connection",
            Description = "NGS cloud account",
            Ngs = new CloudAccountNgsArgs
            {
                SecretLink = natsSecret.SelfLink,
            },
        });
        ```
      </Tab>
    </Tabs>
  </Tab>
</Tabs>

<Tip>
  When using NGS Cloud Accounts, the NATS Account secret provides the authentication credentials, while the Cloud Account resource manages the connection to NGS infrastructure.
</Tip>

***

## Best Practices

<AccordionGroup>
  <Accordion title="Use separate accounts per environment">
    Create distinct NATS accounts for development, staging, and production to isolate message traffic and credentials.
  </Accordion>

  <Accordion title="Implement key rotation">
    Regularly rotate NATS keys. Generate new keypairs, update the secret, and phase out old keys.
  </Accordion>

  <Accordion title="Scope permissions appropriately">
    Use NATS account permissions to limit which subjects each account can publish to or subscribe from.
  </Accordion>

  <Accordion title="Monitor account usage">
    Track message rates and connection counts per account to detect anomalies or unauthorized access.
  </Accordion>
</AccordionGroup>

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Cloud Accounts" icon="cloud" href="/reference/cloudaccount">
    Set up NGS cloud account integration
  </Card>

  <Card title="Using Secrets in Workloads" icon="cube" href="/guides/create-secret/overview#using-secrets-in-workloads">
    Learn how to grant access and inject secrets
  </Card>
</CardGroup>
