Username & Password

Username & Password secrets store authentication credentials as a username/password pair. Use them for database connections, API authentication, SMTP servers, or any service requiring basic credentials.

Use Cases

Database Authentication: Store credentials for PostgreSQL, MySQL, MongoDB, etc.
API Authentication: Basic auth credentials for REST APIs
SMTP/Email Services: Credentials for email sending services
Legacy Systems: Connect to systems using username/password authentication
FTP/SFTP Access: Credentials for file transfer services

Configuration Options

Field	Description	Required
`username`	The username or account identifier	Yes
`password`	The password or secret credential	Yes
`encoding`	How values are encoded: `plain` or `base64`	No (default: `plain`)

Use encoding: base64 when your credentials contain special characters that might cause parsing issues, or when you’re storing pre-encoded credentials from another system.

Create a Username & Password Secret

Console UI
CLI
Terraform
Pulumi

Navigate to Secrets

In the Console, navigate to Secrets and click New, or use the Create dropdown in the top-right corner and select Secret.

Enter basic information

Enter a Name and optional Description.

Select secret type

Select Username/Password as the secret type.

Configure credentials

Click Data in the left pane. Enter the Username and Password. If your credentials are base64 encoded, enable Base64 Decode at Runtime to decode them when accessed.

Create the secret

Click Create.

cpln secret create-userpass \
  --name db-credentials \
  --username app_user \
  --password 'secure-password-here' \
  --org my-org

Wrap passwords in single quotes to prevent shell interpretation of special characters.

resource "cpln_secret" "db_credentials" {
  name        = "db-credentials"
  description = "PostgreSQL database credentials"

  userpass {
    username = "app_user"
    password = "secure-password-here"
    encoding = "plain"
  }
}

This example uses hardcoded credentials for testing. In production, use Terraform variables, environment variables, or integrate with a secrets manager like HashiCorp Vault.

TypeScript
Python
Go
C#

import * as cpln from "@pulumiverse/cpln";

const dbCredentials = new cpln.Secret("db-credentials", {
  name: "db-credentials",
  description: "PostgreSQL database credentials",
  userpass: {
    username: "app_user",
    password: "secure-password-here",
    encoding: "plain",
  },
});

import pulumiverse_cpln as cpln

db_credentials = cpln.Secret("db-credentials",
    name="db-credentials",
    description="PostgreSQL database credentials",
    userpass={
        "username": "app_user",
        "password": "secure-password-here",
        "encoding": "plain",
    })

package main

import (
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    "github.com/pulumiverse/pulumi-cpln/sdk/go/cpln"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := cpln.NewSecret(ctx, "db-credentials", &cpln.SecretArgs{
            Name:        pulumi.String("db-credentials"),
            Description: pulumi.String("PostgreSQL database credentials"),
            Userpass: &cpln.SecretUserpassArgs{
                Username: pulumi.String("app_user"),
                Password: pulumi.String("secure-password-here"),
                Encoding: pulumi.String("plain"),
            },
        })
        return err
    })
}

using Pulumi;
using Pulumiverse.Cpln;
using Pulumiverse.Cpln.Inputs;

return await Deployment.RunAsync(() =>
{
    var dbCredentials = new Secret("db-credentials", new SecretArgs
    {
        Name = "db-credentials",
        Description = "PostgreSQL database credentials",
        Userpass = new SecretUserpassArgs
        {
            Username = "app_user",
            Password = "secure-password-here",
            Encoding = "plain",
        },
    });
});

Injecting into Workloads

As Environment Variables

Reference the username and password separately:

env:
  - name: DB_USER
    value: "cpln://secret/db-credentials.username"
  - name: DB_PASSWORD
    value: "cpln://secret/db-credentials.password"

As Volume Files

When mounted as a volume, the secret creates two files:

volumes:
  - uri: "cpln://secret/db-credentials"
    path: /etc/credentials

This creates:

/etc/credentials/username containing the username
/etc/credentials/password containing the password

Common Patterns

PostgreSQL Connection

kind: secret
name: postgres-credentials
type: userpass
data:
  username: postgres
  password: your-secure-password

Workload environment:

env:
  - name: PGUSER
    value: "cpln://secret/postgres-credentials.username"
  - name: PGPASSWORD
    value: "cpln://secret/postgres-credentials.password"

MongoDB Connection

kind: secret
name: mongodb-credentials
type: userpass
data:
  username: mongouser
  password: your-secure-password

SMTP Credentials

kind: secret
name: smtp-credentials
type: userpass
data:
  username: apikey
  password: SG.xxxxx  # SendGrid API key

Basic Auth for APIs

kind: secret
name: api-credentials
type: userpass
data:
  username: api_client_id
  password: api_client_secret

Best Practices

Use strong, unique passwords

Generate random passwords with sufficient length and complexity. Avoid reusing passwords across different services.

Rotate credentials regularly

Establish a rotation schedule for credentials. Update both the secret in Control Plane and the corresponding service.

Prefer dedicated accounts

Create dedicated service accounts rather than using personal credentials. This enables better auditing and easier credential rotation.

Consider alternative auth methods

Where possible, prefer more secure authentication methods like IAM roles, service accounts, or certificate-based auth over username/password.

Use Cases

Configuration Options

Create a Username & Password Secret

Injecting into Workloads

As Environment Variables

As Volume Files

Common Patterns

PostgreSQL Connection

MongoDB Connection

SMTP Credentials

Basic Auth for APIs

Best Practices

Next Steps

Opaque Secrets

Using Secrets in Workloads

​Use Cases

​Configuration Options

​Create a Username & Password Secret

​Injecting into Workloads

​As Environment Variables

​As Volume Files

​Common Patterns

​PostgreSQL Connection

​MongoDB Connection

​SMTP Credentials

​Basic Auth for APIs

​Best Practices

​Next Steps

Opaque Secrets

Using Secrets in Workloads

Use Cases

Configuration Options

Create a Username & Password Secret

Injecting into Workloads

As Environment Variables

As Volume Files

Common Patterns

PostgreSQL Connection

MongoDB Connection

SMTP Credentials

Basic Auth for APIs

Best Practices

Next Steps