# Secrets Management

> Use secret() to read values from AWS Secrets Manager, Vault, GCP, Azure, or environment variables.

ubx provides a built-in `secret()` function to read sensitive values from external secret stores at runtime. Secrets are never stored in `.iac` source files or Pulumi state in plain text.

## Quick Reference

```hcl
# AWS Secrets Manager
password = secret("aws_secrets_manager", "prod/db/password")

# HashiCorp Vault
api_key  = secret("vault", "secret/prod/api#key")

# GCP Secret Manager
token    = secret("gcp_secret_manager", "projects/my-project/secrets/api-token")

# Azure Key Vault
cert     = secret("azure_key_vault", "https://my-vault.vault.azure.net/secrets/cert")

# Environment variable
debug    = secret("env", "DEBUG_MODE")
```

See [`secret()`](/v1/language/secret) for full reference.

## AWS Secrets Manager

```hcl
unit "aws_rds_instance" "db" {
  engine   = "postgres"
  username = "admin"
  password = secret("aws_secrets_manager", "prod/db/password")
}
```

The secret is fetched at apply time using the ambient AWS credentials. The value is wrapped in `pulumi.secret()`, so it is never stored in Pulumi state in plain text.

## HashiCorp Vault

```hcl
unit "aws_rds_instance" "db" {
  password = secret("vault", "secret/prod/db#password")
}
```

Reads `VAULT_ADDR` and `VAULT_TOKEN` from the environment. Use `path#field` to read a specific field at that path.
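
As an added pre-commit check (example code, not part of ubx), the lint below scans `.iac` text for `secret()` calls whose backend is not one of those listed above, Vault references that lack the `path#field` form, and sensitive attributes still assigned as plaintext literals. The backend names come from this page; the set of attribute names treated as sensitive and the sample `.iac` text are assumptions constructed for the example.

```python
import re

# Backends this page documents for secret(); anything else is reported as unknown.
KNOWN_BACKENDS = {"aws_secrets_manager", "vault", "gcp_secret_manager", "azure_key_vault", "env"}
# Attribute names treated as sensitive (assumption for this lint, not a ubx setting).
SENSITIVE_ATTRS = {"password", "api_key", "token", "secret", "cert"}

# attr = secret("backend", "reference")
SECRET_CALL = re.compile(r'^\s*(\w+)\s*=\s*secret\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')
# attr = "literal"
LITERAL_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')


def lint_iac(text: str) -> list[str]:
    """Return one finding per offending line; an empty list means the text is clean."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Skip full-line comments only: '#' is also the Vault path/field separator.
        if line.lstrip().startswith("#"):
            continue
        m = SECRET_CALL.match(line)
        if m:
            attr, backend, ref = m.groups()
            if backend not in KNOWN_BACKENDS:
                findings.append(f"line {lineno}: unknown secret backend '{backend}'")
            elif backend == "vault" and ("#" not in ref or ref.startswith("#") or ref.endswith("#")):
                findings.append(f"line {lineno}: vault reference '{ref}' must be path#field")
            continue
        m = LITERAL_ASSIGN.match(line)
        if m and m.group(1).lower() in SENSITIVE_ATTRS:
            findings.append(f"line {lineno}: '{m.group(1)}' is a plaintext literal; use secret()")
    return findings


# Constructed sample: one compliant unit and one with three distinct problems.
SAMPLE_IAC = '''\
unit "aws_rds_instance" "db" {
  engine   = "postgres"
  username = "admin"
  password = secret("aws_secrets_manager", "prod/db/password")
}
unit "aws_rds_instance" "legacy" {
  password = "hunter2"
  api_key  = secret("vault", "secret/prod/api")
  token    = secret("keychain", "api-token")
}
'''

if __name__ == "__main__":
    for finding in lint_iac(SAMPLE_IAC):
        print(finding)
```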

## Sensitive Outputs

Mark exported values as sensitive so they appear as `[sensitive]` in `ubx output`:

```hcl
output "db_password" {
  value     = ~unit.aws_rds_instance.db.password
  sensitive = true
}
```

## Ephemeral Inputs

For values injected at runtime (not from a secret store):

```hcl
input "db_password" {
  type      = "string"
  ephemeral = true   # wrapped in pulumi.secret(), never stored in state
}
```

```bash
pulumi config set db_password --secret "yourpassword"
ubx apply
```

## `.ubxignore` for Secret Files

Never commit secret values to git. Use `.ubxignore` to exclude any local secret files:

```
# .ubxignore
secrets/
*.secrets.iac
envs/prod/secrets.iac
```
