We are setting the `azure-native:clientId` and `az...
# azure
p
We are setting the `azure-native:clientId` and `azure-native:clientSecret` properties in the stack YAML to authenticate against Azure. Now, in the same code that is executed by Pulumi, we would like to access Azure Key Vault using the Microsoft SDK. However, just providing `new DefaultAzureCredential()` to the Key Vault client does not work. Is there a way to authenticate to Key Vault using the same identity that's defined by the `azure-native:clientId` and `azure-native:clientSecret` variables?
m
Hi Standa!
`DefaultAzureCredential` will work if you set the client id and secret as environment variables as described here. Maybe easier and more predictable would be to use the desired auth method directly, in the form of ClientSecretCredential. You’d pass your id and secret into the constructor.
p
Thanks Thomas, these two methods would work, but it would require me to specify the client ID and secret for the second time, which is not ideal. I was wondering if I could utilize the two YAML variables already set; Pulumi doesn't seem to let me.
m
Ah, I see what you mean. This should be what you need?
p
No, this won't work, Pulumi doesn't allow you to read the `azure-native`-prefixed secret variables.
m
It does. See this example on the page I linked:
To access a namespaced configuration value, such as one set for a provider library like `aws`, you must pass the library’s name to the constructor. For example, to retrieve the configured value of `aws:region`:
```
var awsConfig = new Pulumi.Config("aws");
var awsRegion = awsConfig.Require("region");
```
Or are you saying it’s an issue specifically with config values marked as secret? I’m not aware of any limitations here, other than that they are returned as `Output` instances.
p
Ok, I overlooked that, will give it a try, thanks!
This seems to work, thanks @melodic-tomato-39005!