Skip to main content
Guide

Secrets

Secrets are group-scoped key-value stores. Create them once on the sandbox group, then read values from sandbox code at runtime instead of copying credentials into every sandbox.

Create or update a secret

Secrets live on the sandbox group. Values are not auto-injected as environment variables. Your code reads them from the group data plane when it needs them.

  1. Open sandboxes.azure.com/sandbox-groups and select your sandbox group.
  2. Select Secrets.
  3. Select Create.
  4. Enter a name, such as model-credentials.
  5. Add key-value pairs, such as API_KEY and MODEL.
  6. Select Save. To rotate values later, select the secret, enter replacement values, and save again.
aca sandboxgroup secret upsert \
--name model-credentials \
--values "API_KEY=sk-test-123,MODEL=gpt-4"

aca sandboxgroup secret upsert \
--name model-credentials \
--values "API_KEY=sk-updated-456,MODEL=gpt-4o"

List secrets and keys

List secrets to confirm a name exists. List keys to see which entries are present without reading the stored values.

  1. Open the sandbox group and select Secrets.
  2. Review the secret list.
  3. Select a secret to view its key names.
  4. Use the search box to filter by secret name.
aca sandboxgroup secret list

Inspect metadata and values

Use metadata checks to confirm the secret shape. Use SDK value peek only inside trusted code paths and avoid printing full values to logs.

Values are not shown in the portal

The portal shows secret names and key names. It does not show saved values after you create or update them.

aca sandboxgroup secret list

Delete a secret

Delete a secret only after every sandbox that needs it has moved to a replacement.

  1. Open the sandbox group and select Secrets.
  2. Select the secret.
  3. Select Delete and confirm.
aca sandboxgroup secret delete --name model-credentials