Viewing docs for coder 2.16.0
published on Friday, Apr 24, 2026 by coder
Use this data source to declare that a workspace requires a user secret. Each coder.getSecret block declares a single secret requirement, matched by either an environment variable name (env) or a file path (file). The resolved value is available at build time via data.coder_secret.<name>.value. Because the value is resolved at build time, any string it is interpolated into (such as a script body) contains the plaintext secret.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as coder from "@pulumi/coder";
// Declare a secret requirement matched by the environment variable name MY_TOKEN.
const myToken = coder.getSecret({
    env: "MY_TOKEN",
    helpMessage: "Personal access token injected as the environment variable MY_TOKEN",
});
// Declare a second requirement matched by file path; myCert is not used again in this snippet.
const myCert = coder.getSecret({
    file: "~/my-cert.pem",
    helpMessage: "Certificate chain injected as the file ~/my-cert.pem",
});
// Use the secret value in an agent startup script.
// The template literal embeds the resolved secret in the script text, and `echo`
// writes it to the script's standard output.
// NOTE(review): whatever stores or displays this script's text or output will then
// hold the plaintext token; confirm where both end up before reusing this pattern,
// and do not print secret values in real templates.
// `main` is not defined in this snippet; presumably an agent declared elsewhere.
const setup = new coder.Script("setup", {
    agentId: main.id,
    script: myToken.then(myToken => `echo ${myToken.value}`),
});
import pulumi
import pulumi_coder as coder
# Declare a secret requirement matched by the environment variable name MY_TOKEN.
my_token = coder.get_secret(env="MY_TOKEN",
    help_message="Personal access token injected as the environment variable MY_TOKEN")
# Declare a second requirement matched by file path; my_cert is not used again in this snippet.
my_cert = coder.get_secret(file="~/my-cert.pem",
    help_message="Certificate chain injected as the file ~/my-cert.pem")
# Use the secret value in an agent startup script.
# The f-string embeds the resolved secret in the script text, and `echo` writes it
# to the script's standard output.
# NOTE(review): whatever stores or displays this script's text or output will then
# hold the plaintext token; confirm where both end up before reusing this pattern,
# and do not print secret values in real templates.
# `main` is not defined in this snippet; presumably an agent declared elsewhere.
setup = coder.Script("setup",
    agent_id=main["id"],
    script=f"echo {my_token.value}")
package main
import (
"fmt"
"github.com/pulumi/pulumi-terraform-provider/sdks/go/coder/v2/coder"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares two secret requirements and passes the first one's resolved
// value to an agent startup script.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Secret requirement matched by the environment variable name MY_TOKEN.
		myToken, err := coder.GetSecret(ctx, &coder.GetSecretArgs{
			Env:         pulumi.StringRef("MY_TOKEN"),
			HelpMessage: "Personal access token injected as the environment variable MY_TOKEN",
		}, nil)
		if err != nil {
			return err
		}
		// Secret requirement matched by file path; the result is discarded here.
		_, err = coder.GetSecret(ctx, &coder.GetSecretArgs{
			File:        pulumi.StringRef("~/my-cert.pem"),
			HelpMessage: "Certificate chain injected as the file ~/my-cert.pem",
		}, nil)
		if err != nil {
			return err
		}
		// Use the secret value in an agent startup script.
		// Sprintf embeds the resolved secret in the script text, and `echo` writes
		// it to the script's standard output.
		// NOTE(review): whatever stores or displays this script's text or output
		// will then hold the plaintext token; confirm where both end up before
		// reusing this pattern, and do not print secret values in real templates.
		// NOTE(review): `main.Id` stands in for an agent resource declared
		// elsewhere; as written, `main` names the enclosing function. Confirm
		// against the full template.
		_, err = coder.NewScript(ctx, "setup", &coder.ScriptArgs{
			AgentId: pulumi.Any(main.Id),
			Script:  pulumi.Sprintf("echo %v", myToken.Value),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Coder = Pulumi.Coder;
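// Declares two secret requirements and passes the first one's resolved value
// to an agent startup script.
return await Deployment.RunAsync(() =>
{
    // Secret requirement matched by the environment variable name MY_TOKEN.
    var myToken = Coder.GetSecret.Invoke(new()
    {
        Env = "MY_TOKEN",
        HelpMessage = "Personal access token injected as the environment variable MY_TOKEN",
    });

    // Secret requirement matched by file path; myCert is not used again in this snippet.
    var myCert = Coder.GetSecret.Invoke(new()
    {
        File = "~/my-cert.pem",
        HelpMessage = "Certificate chain injected as the file ~/my-cert.pem",
    });

    // Use the secret value in an agent startup script.
    // `main` is not defined in this snippet; presumably an agent declared elsewhere.
    var setup = new Coder.Script("setup", new()
    {
        AgentId = main.Id,
        // Build the script text inside Apply. Placing an Output<T> directly in an
        // interpolated string formats the Output object itself rather than the
        // resolved value, so the script would not contain the token at all.
        // NOTE(review): the script text embeds the resolved secret and `echo`
        // writes it to the script's standard output; whatever stores or displays
        // either will hold the plaintext token. Confirm where both end up, and do
        // not print secret values in real templates.
        Script = myToken.Apply(getSecretResult => $"echo {getSecretResult.Value}"),
    });
});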
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.coder.CoderFunctions;
import com.pulumi.coder.inputs.GetSecretArgs;
import com.pulumi.coder.Script;
import com.pulumi.coder.ScriptArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
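/**
 * Example stack: declares two secret requirements and passes the first one's
 * resolved value to an agent startup script.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the secret requirements and the startup script.
     *
     * @param ctx the Pulumi stack context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Secret requirement matched by the environment variable name MY_TOKEN.
        final var myToken = CoderFunctions.getSecret(GetSecretArgs.builder()
            .env("MY_TOKEN")
            .helpMessage("Personal access token injected as the environment variable MY_TOKEN")
            .build());

        // Secret requirement matched by file path; myCert is not used again in this snippet.
        final var myCert = CoderFunctions.getSecret(GetSecretArgs.builder()
            .file("~/my-cert.pem")
            .helpMessage("Certificate chain injected as the file ~/my-cert.pem")
            .build());

        // Use the secret value in an agent startup script.
        // `main` is not defined in this snippet; presumably an agent declared elsewhere.
        var setup = new Script("setup", ScriptArgs.builder()
            .agentId(main.id())
            // getSecret returns an Output-wrapped result, so the value is read
            // inside applyValue instead of being accessed on the wrapper directly.
            // NOTE(review): the script text embeds the resolved secret and `echo`
            // writes it to the script's standard output; whatever stores or
            // displays either will hold the plaintext token. Confirm where both
            // end up, and do not print secret values in real templates.
            .script(myToken.applyValue(getSecretResult -> String.format("echo %s", getSecretResult.value())))
            .build());
    }
}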
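resources:
  # Use the secret value in an agent startup script.
  # The interpolation embeds the resolved secret in the script text, and `echo`
  # writes it to the script's standard output.
  # NOTE(review): whatever stores or displays this script's text or output will
  # then hold the plaintext token; confirm where both end up before reusing this
  # pattern, and do not print secret values in real templates.
  # `main` is not defined in this snippet; presumably an agent declared elsewhere.
  setup:
    type: coder:Script
    properties:
      agentId: ${main.id}
      script: echo ${myToken.value}
variables:
  # Secret requirement matched by the environment variable name MY_TOKEN.
  myToken:
    fn::invoke:
      function: coder:getSecret
      arguments:
        env: MY_TOKEN
        helpMessage: Personal access token injected as the environment variable MY_TOKEN
  # Secret requirement matched by file path; not referenced by any resource here.
  myCert:
    fn::invoke:
      function: coder:getSecret
      arguments:
        file: ~/my-cert.pem
        helpMessage: Certificate chain injected as the file ~/my-cert.pem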
Using getSecret
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getSecret(args: GetSecretArgs, opts?: InvokeOptions): Promise<GetSecretResult>
function getSecretOutput(args: GetSecretOutputArgs, opts?: InvokeOptions): Output<GetSecretResult>
def get_secret(env: Optional[str] = None,
file: Optional[str] = None,
help_message: Optional[str] = None,
id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetSecretResult
def get_secret_output(env: pulumi.Input[Optional[str]] = None,
file: pulumi.Input[Optional[str]] = None,
help_message: pulumi.Input[Optional[str]] = None,
id: pulumi.Input[Optional[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetSecretResult]
func GetSecret(ctx *Context, args *GetSecretArgs, opts ...InvokeOption) (*GetSecretResult, error)
func GetSecretOutput(ctx *Context, args *GetSecretOutputArgs, opts ...InvokeOption) GetSecretResultOutput
> Note: This function is named GetSecret in the Go SDK.
public static class GetSecret
{
public static Task<GetSecretResult> InvokeAsync(GetSecretArgs args, InvokeOptions? opts = null)
public static Output<GetSecretResult> Invoke(GetSecretInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetSecretResult> getSecret(GetSecretArgs args, InvokeOptions options)
public static Output<GetSecretResult> getSecret(GetSecretArgs args, InvokeOptions options)
fn::invoke:
function: coder:index/getSecret:getSecret
arguments:
# arguments dictionary
The following arguments are supported:
- HelpMessage string - Guidance shown to users when this secret requirement is not satisfied. Displayed on the create workspace page and in build failure logs.
- Env string - The environment variable name that this secret must inject (e.g. "MY_TOKEN"). Must be POSIX-compliant: start with a letter or underscore, followed by letters, digits, or underscores. Exactly one of `env` or `file` must be set.
- File string - The file path that this secret must inject (e.g. "~/my-token"). Must start with `~/` or `/`. Exactly one of `env` or `file` must be set.
- Id string - The ID of this resource.
- HelpMessage string - Guidance shown to users when this secret requirement is not satisfied. Displayed on the create workspace page and in build failure logs.
- Env string - The environment variable name that this secret must inject (e.g. "MY_TOKEN"). Must be POSIX-compliant: start with a letter or underscore, followed by letters, digits, or underscores. Exactly one of `env` or `file` must be set.
- File string - The file path that this secret must inject (e.g. "~/my-token"). Must start with `~/` or `/`. Exactly one of `env` or `file` must be set.
- Id string - The ID of this resource.
- helpMessage String - Guidance shown to users when this secret requirement is not satisfied. Displayed on the create workspace page and in build failure logs.
- env String - The environment variable name that this secret must inject (e.g. "MY_TOKEN"). Must be POSIX-compliant: start with a letter or underscore, followed by letters, digits, or underscores. Exactly one of `env` or `file` must be set.
- file String - The file path that this secret must inject (e.g. "~/my-token"). Must start with `~/` or `/`. Exactly one of `env` or `file` must be set.
- id String - The ID of this resource.
- helpMessage string - Guidance shown to users when this secret requirement is not satisfied. Displayed on the create workspace page and in build failure logs.
- env string - The environment variable name that this secret must inject (e.g. "MY_TOKEN"). Must be POSIX-compliant: start with a letter or underscore, followed by letters, digits, or underscores. Exactly one of `env` or `file` must be set.
- file string - The file path that this secret must inject (e.g. "~/my-token"). Must start with `~/` or `/`. Exactly one of `env` or `file` must be set.
- id string - The ID of this resource.
- help_message str - Guidance shown to users when this secret requirement is not satisfied. Displayed on the create workspace page and in build failure logs.
- env str - The environment variable name that this secret must inject (e.g. "MY_TOKEN"). Must be POSIX-compliant: start with a letter or underscore, followed by letters, digits, or underscores. Exactly one of `env` or `file` must be set.
- file str - The file path that this secret must inject (e.g. "~/my-token"). Must start with `~/` or `/`. Exactly one of `env` or `file` must be set.
- id str - The ID of this resource.
- helpMessage String - Guidance shown to users when this secret requirement is not satisfied. Displayed on the create workspace page and in build failure logs.
- env String - The environment variable name that this secret must inject (e.g. "MY_TOKEN"). Must be POSIX-compliant: start with a letter or underscore, followed by letters, digits, or underscores. Exactly one of `env` or `file` must be set.
- file String - The file path that this secret must inject (e.g. "~/my-token"). Must start with `~/` or `/`. Exactly one of `env` or `file` must be set.
- id String - The ID of this resource.
getSecret Result
The following output properties are available:
- HelpMessage string - Guidance shown to users when this secret requirement is not satisfied. Displayed on the create workspace page and in build failure logs.
- Id string - The ID of this resource.
- Value string - The resolved secret value, populated from the user's stored secrets during workspace builds. Treated as missing if empty.
- Env string - The environment variable name that this secret must inject (e.g. "MY_TOKEN"). Must be POSIX-compliant: start with a letter or underscore, followed by letters, digits, or underscores. Exactly one of `env` or `file` must be set.
- File string - The file path that this secret must inject (e.g. "~/my-token"). Must start with `~/` or `/`. Exactly one of `env` or `file` must be set.
- HelpMessage string - Guidance shown to users when this secret requirement is not satisfied. Displayed on the create workspace page and in build failure logs.
- Id string - The ID of this resource.
- Value string - The resolved secret value, populated from the user's stored secrets during workspace builds. Treated as missing if empty.
- Env string - The environment variable name that this secret must inject (e.g. "MY_TOKEN"). Must be POSIX-compliant: start with a letter or underscore, followed by letters, digits, or underscores. Exactly one of `env` or `file` must be set.
- File string - The file path that this secret must inject (e.g. "~/my-token"). Must start with `~/` or `/`. Exactly one of `env` or `file` must be set.
- helpMessage String - Guidance shown to users when this secret requirement is not satisfied. Displayed on the create workspace page and in build failure logs.
- id String - The ID of this resource.
- value String - The resolved secret value, populated from the user's stored secrets during workspace builds. Treated as missing if empty.
- env String - The environment variable name that this secret must inject (e.g. "MY_TOKEN"). Must be POSIX-compliant: start with a letter or underscore, followed by letters, digits, or underscores. Exactly one of `env` or `file` must be set.
- file String - The file path that this secret must inject (e.g. "~/my-token"). Must start with `~/` or `/`. Exactly one of `env` or `file` must be set.
- helpMessage string - Guidance shown to users when this secret requirement is not satisfied. Displayed on the create workspace page and in build failure logs.
- id string - The ID of this resource.
- value string - The resolved secret value, populated from the user's stored secrets during workspace builds. Treated as missing if empty.
- env string - The environment variable name that this secret must inject (e.g. "MY_TOKEN"). Must be POSIX-compliant: start with a letter or underscore, followed by letters, digits, or underscores. Exactly one of `env` or `file` must be set.
- file string - The file path that this secret must inject (e.g. "~/my-token"). Must start with `~/` or `/`. Exactly one of `env` or `file` must be set.
- help_message str - Guidance shown to users when this secret requirement is not satisfied. Displayed on the create workspace page and in build failure logs.
- id str - The ID of this resource.
- value str - The resolved secret value, populated from the user's stored secrets during workspace builds. Treated as missing if empty.
- env str - The environment variable name that this secret must inject (e.g. "MY_TOKEN"). Must be POSIX-compliant: start with a letter or underscore, followed by letters, digits, or underscores. Exactly one of `env` or `file` must be set.
- file str - The file path that this secret must inject (e.g. "~/my-token"). Must start with `~/` or `/`. Exactly one of `env` or `file` must be set.
- helpMessage String - Guidance shown to users when this secret requirement is not satisfied. Displayed on the create workspace page and in build failure logs.
- id String - The ID of this resource.
- value String - The resolved secret value, populated from the user's stored secrets during workspace builds. Treated as missing if empty.
- env String - The environment variable name that this secret must inject (e.g. "MY_TOKEN"). Must be POSIX-compliant: start with a letter or underscore, followed by letters, digits, or underscores. Exactly one of `env` or `file` must be set.
- file String - The file path that this secret must inject (e.g. "~/my-token"). Must start with `~/` or `/`. Exactly one of `env` or `file` must be set.
Package Details
- Repository
- coder coder/terraform-provider-coder
- License
- Notes
- This Pulumi package is based on the `coder` Terraform Provider.
