Secrets
Secrets are group-scoped key-value stores. Create them once on the sandbox group, then read values from sandbox code at runtime instead of copying credentials into every sandbox.
Create or update a secret
Secrets live on the sandbox group. Values are not auto-injected as environment variables. Your code reads them from the group data plane when it needs them.
- Open sandboxes.azure.com/sandbox-groups and select your sandbox group.
- Select Secrets.
- Select Create.
- Enter a name, such as
model-credentials. - Add key-value pairs, such as
API_KEYandMODEL. - Select Save. To rotate values later, select the secret, enter replacement values, and save again.
- Bash
- PowerShell
- SDK
aca sandboxgroup secret upsert \
--name model-credentials \
--values "API_KEY=sk-test-123,MODEL=gpt-4"
aca sandboxgroup secret upsert \
--name model-credentials \
--values "API_KEY=sk-updated-456,MODEL=gpt-4o"
aca sandboxgroup secret upsert `
--name model-credentials `
--values "API_KEY=sk-test-123,MODEL=gpt-4"
aca sandboxgroup secret upsert `
--name model-credentials `
--values "API_KEY=sk-updated-456,MODEL=gpt-4o"
from azure.identity import DefaultAzureCredential
from azure.containerapps.sandbox import SandboxGroupClient, endpoint_for_region
credential = DefaultAzureCredential()
client = SandboxGroupClient(
endpoint_for_region(ACA_SANDBOXGROUP_REGION),
credential,
subscription_id=AZURE_SUBSCRIPTION_ID,
resource_group=ACA_RESOURCE_GROUP,
sandbox_group=ACA_SANDBOX_GROUP,
)
client.upsert_secret(
"model-credentials",
{"API_KEY": "sk-test-123", "MODEL": "gpt-4"},
)
client.upsert_secret(
"model-credentials",
{"API_KEY": "sk-updated-456", "MODEL": "gpt-4o"},
)
List secrets and keys
List secrets to confirm a name exists. List keys to see which entries are present without reading the stored values.
- Open the sandbox group and select Secrets.
- Review the secret list.
- Select a secret to view its key names.
- Use the search box to filter by secret name.
- Bash
- PowerShell
- SDK
aca sandboxgroup secret list
aca sandboxgroup secret list
for secret in client.list_secrets():
print(secret.id)
keys = client.list_secret_keys("model-credentials")
print(keys)
Inspect metadata and values
Use metadata checks to confirm the secret shape. Use SDK value peek only inside trusted code paths and avoid printing full values to logs.
The portal shows secret names and key names. It does not show saved values after you create or update them.
- Bash
- PowerShell
- SDK
aca sandboxgroup secret list
aca sandboxgroup secret list
keys = client.list_secret_keys("model-credentials")
print(keys)
peek = client.peek_secret("model-credentials")
for name, value in (peek.values or {}).items():
masked = value[:3] + "***" if value else ""
print(name, masked)
Delete a secret
Delete a secret only after every sandbox that needs it has moved to a replacement.
- Open the sandbox group and select Secrets.
- Select the secret.
- Select Delete and confirm.
- Bash
- PowerShell
- SDK
aca sandboxgroup secret delete --name model-credentials
aca sandboxgroup secret delete --name model-credentials
client.delete_secret("model-credentials")
client.close()
credential.close()