Opaque secrets are the most flexible secret type, allowing you to store any text-based data. Use them for API keys, tokens, configuration values, or any sensitive string that doesn’t fit into a more specific secret type.
Use Cases
- API Keys: Store third-party API keys (Stripe, Twilio, SendGrid)
- Tokens: JWT secrets, session tokens, webhook signing secrets
- License Keys: Software license keys and activation codes
- Configuration Values: Sensitive configuration that doesn’t fit other types
- Custom Credentials: Any text-based secret data
Configuration Options
| Field | Description | Required |
|---|---|---|
| payload | The secret value to store | Yes |
| encoding | How the payload is encoded: plain or base64 | Yes |
When encoding is set to base64, the payload will be automatically decoded when accessed by workloads. This is useful for storing binary data or pre-encoded values.
Create an Opaque Secret
You can create an opaque secret with the Console UI, the CLI, Terraform, or Pulumi.
Console UI

1. Navigate to Secrets: In the Control Plane Console, navigate to Secrets and click New, or use the Create dropdown in the top-right corner and select Secret.
2. Enter basic information: Enter a Name and optional Description.
3. Select secret type: Select Opaque as the secret type.
4. Configure secret data: Click Data in the left pane. Paste the secret content, drag and drop a file, or click to import. If your data is base64 encoded, enable Base64 Decode at Runtime to decode it when accessed.
5. Create the secret: Click Create.
CLI

Create a file named secret.txt with your secret content. Then create the secret:

```bash
cpln secret create-opaque \
  --name my-api-key \
  --file secret.txt \
  --encoding plain \
  --org my-org
```

You can also pass the payload directly using --payload instead of a file for simple values.
Terraform

```hcl
resource "cpln_secret" "api_key" {
  name        = "my-api-key"
  description = "Third-party API key"

  opaque {
    payload  = "sk_live_abc123xyz789"
    encoding = "plain"
  }
}
```

For base64-encoded data:

```hcl
resource "cpln_secret" "encoded_secret" {
  name        = "my-encoded-secret"
  description = "Base64 encoded secret"

  opaque {
    payload  = base64encode("my-secret-value")
    encoding = "base64"
  }
}
```

Avoid hardcoding secrets in Terraform files. Use variables, environment variables, or integrate with a secrets manager like HashiCorp Vault.
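One way to follow this advice, shown as an added example that is not part of the original documentation: the payload comes from a sensitive input variable, and binary material is read and base64-encoded at apply time so that `encoding = "base64"` decodes it at runtime. The variable names (`api_key`, `license_file`) and the `license` resource are hypothetical.

```hcl
# Added example; variable and resource names are hypothetical.
# Supply the value outside the .tf files, e.g. from a CI secret store:
#   export TF_VAR_api_key=...
variable "api_key" {
  description = "Third-party API key, supplied at plan/apply time"
  type        = string
  sensitive   = true # redacts the value in plan/apply output

  validation {
    condition     = length(var.api_key) > 0
    error_message = "The api_key variable must not be empty."
  }
}

resource "cpln_secret" "api_key" {
  name        = "my-api-key"
  description = "Third-party API key"

  opaque {
    payload  = var.api_key
    encoding = "plain"
  }
}

# Binary material: read and encode the file at apply time instead of
# pasting a pre-encoded blob into the configuration.
variable "license_file" {
  description = "Path to a binary license file kept outside version control"
  type        = string
}

resource "cpln_secret" "license" {
  name        = "my-license"
  description = "Binary license, decoded at runtime"

  opaque {
    payload  = filebase64(var.license_file)
    encoding = "base64"
  }
}
```

Marking a variable as sensitive only redacts it from CLI output. The value is still written to the Terraform state, so the state backend needs the same access controls as the secret itself.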
Pulumi

TypeScript

```typescript
import * as cpln from "@pulumiverse/cpln";

const apiKeySecret = new cpln.Secret("my-api-key", {
  name: "my-api-key",
  description: "Third-party API key",
  opaque: {
    payload: "sk_live_abc123xyz789",
    encoding: "plain",
  },
});
```

Python

```python
import pulumiverse_cpln as cpln

api_key_secret = cpln.Secret("my-api-key",
    name="my-api-key",
    description="Third-party API key",
    opaque={
        "payload": "sk_live_abc123xyz789",
        "encoding": "plain",
    })
```

Go

```go
package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-cpln/sdk/go/cpln"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := cpln.NewSecret(ctx, "my-api-key", &cpln.SecretArgs{
			Name:        pulumi.String("my-api-key"),
			Description: pulumi.String("Third-party API key"),
			Opaque: &cpln.SecretOpaqueArgs{
				Payload:  pulumi.String("sk_live_abc123xyz789"),
				Encoding: pulumi.String("plain"),
			},
		})
		return err
	})
}
```

C#

```csharp
using Pulumi;
using Pulumiverse.Cpln;
using Pulumiverse.Cpln.Inputs;

return await Deployment.RunAsync(() =>
{
    var apiKeySecret = new Secret("my-api-key", new SecretArgs
    {
        Name = "my-api-key",
        Description = "Third-party API key",
        Opaque = new SecretOpaqueArgs
        {
            Payload = "sk_live_abc123xyz789",
            Encoding = "plain",
        },
    });
});
```
Injecting into Workloads
Reference the secret in your workload as an environment variable:
```yaml
env:
  - name: API_KEY
    value: "cpln://secret/my-api-key"
```
Or mount it as a file:
```yaml
volumes:
  - uri: "cpln://secret/my-api-key"
    path: /secrets/api-key.txt
```