ubx provides a built-in secret() function to read sensitive values from external secret stores at runtime. Secrets are never stored in .iac source files or Pulumi state in plain text.

Quick Reference

# AWS Secrets Manager
password = secret("aws_secrets_manager", "prod/db/password")

# HashiCorp Vault
api_key  = secret("vault", "secret/prod/api#key")

# GCP Secret Manager
token    = secret("gcp_secret_manager", "projects/my-project/secrets/api-token")

# Azure Key Vault
cert     = secret("azure_key_vault", "https://my-vault.vault.azure.net/secrets/cert")

# Environment variable
debug    = secret("env", "DEBUG_MODE")

See secret() for the full reference.

AWS Secrets Manager

unit "aws_rds_instance" "db" {
  engine   = "postgres"
  username = "admin"
  password = secret("aws_secrets_manager", "prod/db/password")
}

The secret is fetched at apply time using the ambient AWS credentials. The value is wrapped in pulumi.secret(), so it is never stored in Pulumi state in plain text.

HashiCorp Vault

unit "aws_rds_instance" "db" {
  password = secret("vault", "secret/prod/db#password")
}

The Vault backend reads VAULT_ADDR and VAULT_TOKEN from the environment. Use the path#field form to read a single field from the secret stored at that path.
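
The page states that secrets are never stored in .iac source files; the following added example (not part of ubx or this documentation) is a small pre-commit style check that scans .iac text for sensitive attributes assigned a plain-text string literal instead of a secret() call, and for secret() calls naming a backend outside the list in the Quick Reference. It assumes a simplified one-assignment-per-line .iac grammar and a name heuristic for which attributes count as sensitive.

```python
import re

# Backends accepted by secret(), as listed in the Quick Reference above.
SUPPORTED_BACKENDS = {"aws_secrets_manager", "vault", "gcp_secret_manager", "azure_key_vault", "env"}

# Attribute names treated as sensitive (assumption: a simple name heuristic).
SENSITIVE_KEYS = re.compile(r"password|secret|token|api_key|private_key|cert", re.I)

# Simplified .iac grammar (assumption): one `key = value` assignment per line.
ASSIGN_RE = re.compile(r"^\s*(?P<key>[A-Za-z_]\w*)\s*=\s*(?P<value>.+?)\s*$")
LITERAL_RE = re.compile(r'^"[^"]*"$')
SECRET_RE = re.compile(r'^secret\(\s*"(?P<backend>[^"]+)"\s*,\s*"(?P<ref>[^"]+)"\s*\)$')

def strip_comment(line: str) -> str:
    """Drop a trailing '#' comment, but keep a '#' inside a quoted string
    (Vault references such as "secret/prod/db#password" contain one)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line

def lint_iac(text: str) -> list[tuple[int, str]]:
    """Return (line_number, message) for each finding in a .iac document."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.match(strip_comment(raw).rstrip())
        if not m:
            continue
        key, value = m["key"], m["value"]
        call = SECRET_RE.match(value)
        if call:
            if call["backend"] not in SUPPORTED_BACKENDS:
                findings.append((lineno, f'unknown secret() backend "{call["backend"]}"'))
        elif SENSITIVE_KEYS.search(key) and LITERAL_RE.match(value):
            findings.append((lineno, f'"{key}" is a plain-text literal; use secret() or an ephemeral input'))
    return findings

# Constructed sample: one hard-coded password and one misspelled backend.
SAMPLE_IAC = '''\
unit "aws_rds_instance" "db" {
  engine   = "postgres"
  username = "admin"
  password = "CHANGEME-literal"                                    # finding
  api_key  = secret("vault", "secret/prod/api#key")                # ok
  token    = secret("gpc_secret_manager", "projects/p/secrets/t")  # finding
}
'''
```

Calling lint_iac(SAMPLE_IAC) reports lines 4 and 6 of the sample; the username literal and the correct Vault call are left alone.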

Sensitive Outputs

Mark exported values as sensitive so they appear as [sensitive] in ubx output:

output "db_password" {
  value     = ~unit.aws_rds_instance.db.password
  sensitive = true
}

Ephemeral Inputs

For values supplied at runtime rather than read from a secret store, declare the input as ephemeral:

input "db_password" {
  type      = "string"
  ephemeral = true   # wrapped in pulumi.secret(), never stored in state
}

Set the value through Pulumi config, then apply:

pulumi config set db_password --secret "yourpassword"
ubx apply

.ubxignore for Secret Files

Never commit secret values to git. Use .ubxignore to exclude any local secret files:

# .ubxignore
secrets/
*.secrets.iac
envs/prod/secrets.iac