secret() reads sensitive values from external secret stores at runtime. Values are always wrapped in pulumi.secret() — never stored in .iac source or Pulumi state in plain text.

Syntax

secret("backend", "path")
Both arguments must be string literals.

Backends

env — Environment variable

password = secret("env", "DB_PASSWORD")
Emitted TypeScript:
password: (process.env["DB_PASSWORD"] ?? ""),
Resolved<T> — synchronous.

aws_secrets_manager — AWS Secrets Manager

password = secret("aws_secrets_manager", "prod/db/password")
Pending<T> — async, wrapped in pulumi.secret().

vault — HashiCorp Vault

password = secret("vault", "secret/prod/db#password")
Use path#field to select a specific field of the entry. Reads VAULT_ADDR and VAULT_TOKEN from the environment. Pending<T>.

gcp_secret_manager — GCP Secret Manager

root_password = secret("gcp_secret_manager", "projects/my-project/secrets/db-password")
Pending<T>.

azure_key_vault — Azure Key Vault

value = secret("azure_key_vault", "https://my-vault.vault.azure.net/secrets/db-password")
Pending<T>.

Pending<T> Classification

Backend              Classification
env                  Resolved<T>
aws_secrets_manager  Pending<T>
vault                Pending<T>
gcp_secret_manager   Pending<T>
azure_key_vault      Pending<T>

Multiple Backends

unit "aws_rds_instance" "db" {
  password = secret("aws_secrets_manager", "prod/db/password")
  api_key  = secret("vault", "secret/prod/api#key")
  region   = secret("env", "AWS_REGION")
}
Each helper function is emitted once at the top of index.ts.

Error Cases

# Unknown backend — compile error
secret("s3_manager", "path")
# ✗  unknown secret backend "s3_manager"

# Non-literal path — compile error
secret("env", input.key_name)
# ✗  secret() path must be a string literal

# Wrong argument count
secret("env")
# ✗  secret() requires exactly 2 arguments
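The following is an added illustration, not the .iac compiler's own code: a checker that applies the compile-time rules above (exactly two arguments, string-literal arguments, a known backend), reports each call's Resolved/Pending classification from the table, and splits a Vault path#field reference. The Arg model and the error message for a non-literal backend are assumptions; the other messages are the ones shown above.

```typescript
type Classification = "Resolved" | "Pending";

// Backends and their classification, as listed in the table above.
const BACKENDS = new Map<string, Classification>([
  ["env", "Resolved"],
  ["aws_secrets_manager", "Pending"],
  ["vault", "Pending"],
  ["gcp_secret_manager", "Pending"],
  ["azure_key_vault", "Pending"],
]);

// Assumed minimal model of a call argument: a string literal or any other expression.
type Arg = { kind: "literal"; value: string } | { kind: "expr"; text: string };

interface SecretRef {
  backend: string;
  path: string;
  field?: string; // only set for a vault "path#field" reference
  classification: Classification;
}

// Validates one secret(...) call and describes what it resolves to.
function checkSecretCall(args: Arg[]): SecretRef {
  if (args.length !== 2) {
    throw new Error("secret() requires exactly 2 arguments");
  }
  const [backendArg, pathArg] = args;
  if (backendArg.kind !== "literal") {
    // Assumed wording; the page only states that both arguments must be literals.
    throw new Error("secret() backend must be a string literal");
  }
  if (pathArg.kind !== "literal") {
    throw new Error("secret() path must be a string literal");
  }
  const classification = BACKENDS.get(backendArg.value);
  if (classification === undefined) {
    throw new Error(`unknown secret backend "${backendArg.value}"`);
  }
  const ref: SecretRef = { backend: backendArg.value, path: pathArg.value, classification };
  // Vault accepts "path#field" to pick one field of the stored entry.
  if (ref.backend === "vault") {
    const hash = pathArg.value.indexOf("#");
    if (hash !== -1) {
      ref.path = pathArg.value.slice(0, hash);
      ref.field = pathArg.value.slice(hash + 1);
    }
  }
  return ref;
}
```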