# secret() function

> Read secrets from AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, Azure Key Vault, or environment variables at runtime.

`secret()` reads sensitive values from external secret stores at runtime. Values are always wrapped in `pulumi.secret()` — never stored in `.iac` source or Pulumi state in plain text.

## Syntax

```hcl
secret("backend", "path")
```

Both arguments must be string literals.

## Backends

### `env` — Environment variable

```hcl
password = secret("env", "DB_PASSWORD")
```

```typescript
password: (process.env["DB_PASSWORD"] ?? ""),
```

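`Resolved<T>` — synchronous. Note the `?? ""` fallback in the TypeScript above: an unset variable yields an empty string rather than an error.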

### `aws_secrets_manager` — AWS Secrets Manager

```hcl
password = secret("aws_secrets_manager", "prod/db/password")
```

`Pending<T>` — async, wrapped in `pulumi.secret()`.

### `vault` — HashiCorp Vault

```hcl
password = secret("vault", "secret/prod/db#password")
```

Use `path#field` to read a specific field. Reads `VAULT_ADDR` and `VAULT_TOKEN` from the environment. `Pending<T>`.

### `gcp_secret_manager` — GCP Secret Manager

```hcl
root_password = secret("gcp_secret_manager", "projects/my-project/secrets/db-password")
```

`Pending<T>`.

### `azure_key_vault` — Azure Key Vault

```hcl
value = secret("azure_key_vault", "https://my-vault.vault.azure.net/secrets/db-password")
```

`Pending<T>`.

## `Pending<T>` Classification

| Backend               | Classification |
| --------------------- | -------------- |
| `env`                 | `Resolved<T>`  |
| `aws_secrets_manager` | `Pending<T>`   |
| `vault`               | `Pending<T>`   |
| `gcp_secret_manager`  | `Pending<T>`   |
| `azure_key_vault`     | `Pending<T>`   |

## Multiple Backends

```hcl
unit "aws_rds_instance" "db" {
  password = secret("aws_secrets_manager", "prod/db/password")
  api_key  = secret("vault", "secret/prod/api#key")
  region   = secret("env", "AWS_REGION")
}
```

Each helper function is emitted once at the top of `index.ts`.

## Error Cases

```hcl
# Unknown backend — compile error
secret("s3_manager", "path")
# ✗  unknown secret backend "s3_manager"

# Non-literal path — compile error
secret("env", input.key_name)
# ✗  secret() path must be a string literal

# Wrong argument count
secret("env")
# ✗  secret() requires exactly 2 arguments
```
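
A preflight check for the rules on this page, written as an added example (it is not Ubiquex code or part of the original documentation): it scans `.iac` source for `secret()` calls, flags unknown backends and non-literal or missing arguments, and fails closed on the environment variables the `env` and `vault` backends depend on, since the emitted `env` read falls back to `""`. The function name `preflightSecrets`, the regex, the finding messages and the sample input are assumptions of this example.

```typescript
// Backend names and the Vault variables are from this page; preflightSecrets,
// the regex and the finding messages are this example's own (hypothetical) names.
const BACKENDS = ["env", "aws_secrets_manager", "vault", "gcp_secret_manager", "azure_key_vault"];
// secret("backend", "path") with exactly two string-literal arguments.
const CALL = /\bsecret\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)/;

type Finding = { line: number; message: string };

function preflightSecrets(source: string, env: Record<string, string | undefined>): Finding[] {
  const findings: Finding[] = [];
  const required: Record<string, number> = Object.create(null); // env var -> first line needing it
  const need = (name: string, line: number) => {
    if (!(name in required)) required[name] = line;
  };
  source.split("\n").forEach((raw, i) => {
    const text = raw.trim();
    // Skip whole-line comments only: '#' also separates path and field for Vault.
    if (text.charAt(0) === "#" || !/\bsecret\(/.test(text)) return;
    const m = CALL.exec(text);
    if (!m) {
      findings.push({ line: i + 1, message: "secret() needs exactly 2 string-literal arguments" });
      return;
    }
    const backend = m[1], path = m[2];
    if (BACKENDS.indexOf(backend) === -1) {
      findings.push({ line: i + 1, message: `unknown secret backend "${backend}"` });
    } else if (backend === "env") {
      need(path, i + 1);
    } else if (backend === "vault") {
      need("VAULT_ADDR", i + 1);
      need("VAULT_TOKEN", i + 1);
    }
  });
  // The emitted env read is `process.env[...] ?? ""`, so an unset variable would
  // silently become an empty value; report it here instead.
  Object.keys(required).forEach((name) => {
    if (!env[name]) findings.push({ line: required[name], message: `environment variable ${name} is unset or empty` });
  });
  return findings;
}

// Constructed sample input mirroring the snippets on this page.
const sampleIac = [
  '# secret("env", "IN_A_COMMENT")',
  'password = secret("env", "DB_PASSWORD")',
  'api_key  = secret("vault", "secret/prod/api#key")',
  'bucket   = secret("s3_manager", "path")',
  'dynamic  = secret("env", input.key_name)',
].join("\n");
```

In a CI job, pass `process.env` as the second argument and fail the build when the returned list is non-empty.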
