Opaque

Opaque secrets are the most flexible secret type, allowing you to store any text-based data. Use them for API keys, tokens, configuration values, or any sensitive string that doesn’t fit into a more specific secret type.

Use Cases

API Keys: Store third-party API keys (Stripe, Twilio, SendGrid)
Tokens: JWT secrets, session tokens, webhook signing secrets
License Keys: Software license keys and activation codes
Configuration Values: Sensitive configuration that doesn’t fit other types
Custom Credentials: Any text-based secret data

Configuration Options

Field	Description	Required
`payload`	The secret value to store	Yes
`encoding`	How the payload is encoded: `plain` or `base64`	Yes

When encoding is set to base64, the payload will be automatically decoded when accessed by workloads. This is useful for storing binary data or pre-encoded values.

Create an Opaque Secret

Console UI
CLI
Terraform
Pulumi

Navigate to Secrets

In the Control Plane Console, navigate to Secrets and click New, or use the Create dropdown in the top-right corner and select Secret.

Enter basic information

Enter a Name and optional Description.

Select secret type

Select Opaque as the secret type.

Configure secret data

Click Data in the left pane. Paste the secret content, drag and drop a file, or click to import. If your data is base64 encoded, enable Base64 Decode at Runtime to decode it when accessed.

Create the secret

Click Create.

Create a file named secret.txt with your secret content:

sk_live_abc123xyz789

Then create the secret:

cpln secret create-opaque \
  --name my-api-key \
  --file secret.txt \
  --encoding plain \
  --org my-org

You can also pass the payload directly using --payload instead of a file for simple values.

resource "cpln_secret" "api_key" {
  name        = "my-api-key"
  description = "Third-party API key"

  opaque {
    payload  = "sk_live_abc123xyz789"
    encoding = "plain"
  }
}

For base64-encoded data:

resource "cpln_secret" "encoded_secret" {
  name        = "my-encoded-secret"
  description = "Base64 encoded secret"

  opaque {
    payload  = base64encode("my-secret-value")
    encoding = "base64"
  }
}

Avoid hardcoding secrets in Terraform files. Use variables, environment variables, or integrate with a secrets manager like HashiCorp Vault.

TypeScript
Python
Go
C#

import * as cpln from "@pulumiverse/cpln";

const apiKeySecret = new cpln.Secret("my-api-key", {
  name: "my-api-key",
  description: "Third-party API key",
  opaque: {
    payload: "sk_live_abc123xyz789",
    encoding: "plain",
  },
});

import pulumiverse_cpln as cpln

api_key_secret = cpln.Secret("my-api-key",
    name="my-api-key",
    description="Third-party API key",
    opaque={
        "payload": "sk_live_abc123xyz789",
        "encoding": "plain",
    })

package main

import (
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    "github.com/pulumiverse/pulumi-cpln/sdk/go/cpln"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := cpln.NewSecret(ctx, "my-api-key", &cpln.SecretArgs{
            Name:        pulumi.String("my-api-key"),
            Description: pulumi.String("Third-party API key"),
            Opaque: &cpln.SecretOpaqueArgs{
                Payload:  pulumi.String("sk_live_abc123xyz789"),
                Encoding: pulumi.String("plain"),
            },
        })
        return err
    })
}

using Pulumi;
using Pulumiverse.Cpln;
using Pulumiverse.Cpln.Inputs;

return await Deployment.RunAsync(() =>
{
    var apiKeySecret = new Secret("my-api-key", new SecretArgs
    {
        Name = "my-api-key",
        Description = "Third-party API key",
        Opaque = new SecretOpaqueArgs
        {
            Payload = "sk_live_abc123xyz789",
            Encoding = "plain",
        },
    });
});

Injecting into Workloads

Reference the secret in your workload as an environment variable:

env:
  - name: API_KEY
    value: "cpln://secret/my-api-key"

Or mount it as a file:

volumes:
  - uri: "cpln://secret/my-api-key"
    path: /secrets/api-key.txt

How-to Guides

CLI Configuration

Integrations

Configure Resources

Create Resources

Deployment

GitOps

Images

Native Networking

Observability

Workload Access

Use Cases

Configuration Options

Create an Opaque Secret

Injecting into Workloads

Next Steps

Using Secrets in Workloads

Dictionary Secrets

How-to Guides

CLI Configuration

Integrations

Configure Resources

Create Resources

Deployment

GitOps

Images

Native Networking

Observability

Workload Access

​Use Cases

​Configuration Options

​Create an Opaque Secret

​Injecting into Workloads

​Next Steps

Using Secrets in Workloads

Dictionary Secrets

Use Cases

Configuration Options

Create an Opaque Secret

Injecting into Workloads

Next Steps