I believe this also needs to be addressed in the upstream Terraform provider, but sensitive values do not appear to use writeConnectionSecretToRef, and rather appear in plaintext in the resource output.
For example, creating a customersecretkeys.identitydomains.oci.m.upbound.io resource results in the following:
```yaml
apiVersion: v1
items:
- apiVersion: identitydomains.oci.m.upbound.io/v1alpha1
  kind: CustomerSecretKey
  metadata:
    annotations:
      crossplane.io/external-create-pending: "2026-04-28T21:25:38Z"
      crossplane.io/external-create-succeeded: "2026-04-28T21:25:38Z"
      crossplane.io/external-name: 0ca6524bfed245aa9cdc637694d11f8f
      upjet.crossplane.io/provider-meta: '{"e2bfb730-ecaa-11e6-8f88-34363bc7c4c0":{"create":1200000000000,"delete":1200000000000,"update":1200000000000}}'
    creationTimestamp: "2026-04-28T21:08:28Z"
    deletionGracePeriodSeconds: 0
    deletionTimestamp: "2026-05-05T13:56:58Z"
    finalizers:
    - finalizer.managedresource.crossplane.io
    - kubernetes.crossplane.io/referred-by-object-6728c255-6a23-42d6-9a11-a5e86ffae2f2
    generation: 18478
    labels:
      kustomize.toolkit.fluxcd.io/name: demo
      kustomize.toolkit.fluxcd.io/namespace: flux-system
    name: demo
    namespace: demo-staging
    resourceVersion: "211309772"
    uid: d05e6465-648b-4c8a-ab78-92f7916ce0ca
  spec:
    forProvider:
      displayName: demo_user key
      idcsEndpoint: <REDACTED>
      ocid: <REDACTED>
      schemas:
      - urn:ietf:params:scim:schemas:oracle:idcs:customerSecretKey
      user:
      - ocid: <REDACTED>
        ocidRef:
          name: demo
    initProvider: {}
    managementPolicies:
    - '*'
    providerConfigRef:
      kind: ClusterProviderConfig
      name: default
  status:
    atProvider:
      accessKey: 339e083b6e65a2935b48de151ed8630524c33a87
      compartmentOcid: <REDACTED>
      displayName: demo_user key
      domainOcid: <REDACTED>
      id: 0ca6524bfed245aa9cdc637694d11f8f
      idcsCreatedBy:
      - display: CICD Production
        ocid: <REDACTED>
        ref: <REDACTED>/admin/v1/Users/053d305f291f452fa4ce3b602a30016e
        type: User
        value: 053d305f291f452fa4ce3b602a30016e
      idcsEndpoint: <REDACTED>
      idcsLastModifiedBy:
      - display: CICD Production
        ocid: <REDACTED>
        ref: <REDACTED>/admin/v1/Users/053d305f291f452fa4ce3b602a30016e
        type: User
        value: 053d305f291f452fa4ce3b602a30016e
      meta:
      - created: "2026-04-28T21:25:42.538Z"
        lastModified: "2026-04-28T21:25:42.538Z"
        location: <REDACTED>/admin/v1/CustomerSecretKeys/0ca6524bfed245aa9cdc637694d11f8f
        resourceType: CustomerSecretKey
        version: b8b37aa7e62b46ce9a1015135d09c518
      ocid: <REDACTED>
      schemas:
      - urn:ietf:params:scim:schemas:oracle:idcs:customerSecretKey
      secretKey: <ACTUAL_PLAIN_TEXT_SECRET>
      status: ""
      tenancyOcid: <REDACTED>
      user:
      - display: demo_staging_user
        name: demo_staging_user
        ocid: <REDACTED>
        ref: <REDACTED>/admin/v1/Users/2acc9cb3fd304d1b9ffee70539fcf803
        value: 2acc9cb3fd304d1b9ffee70539fcf803
    conditions:
    - lastTransitionTime: "2026-05-05T13:56:33Z"
      observedGeneration: 18477
      reason: ReconcileSuccess
      status: "True"
      type: Synced
    - lastTransitionTime: "2026-04-28T21:25:49Z"
      reason: Available
      status: "True"
      type: Ready
    - lastTransitionTime: "2026-04-28T21:25:42Z"
      reason: Finished
      status: "True"
      type: AsyncOperation
    - lastTransitionTime: "2026-04-28T21:25:42Z"
      reason: Success
      status: "True"
      type: LastAsyncOperation
kind: List
metadata:
  resourceVersion: ""
```
A quick search of the code yielded no resources using the writeConnectionSecretToRef capability, but I'm no expert.
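
One way to audit a cluster for the behaviour reported above, as an added example that is not part of the original post or the provider's code: it walks `status.atProvider` in `kubectl get ... -o json` output and reports the paths of fields whose names look sensitive and hold a non-empty string, without printing the values. The key-name pattern, the function names and the sample document are assumptions constructed for illustration.

```python
import json
import re

# Key names treated as sensitive: an assumption of this example, extend as needed.
SENSITIVE_KEY = re.compile(r"secret|password|passphrase|token|private_?key", re.I)

# Constructed sample shaped like `kubectl get ... -o json` for the resource above.
SAMPLE = json.dumps({"kind": "List", "items": [{
    "kind": "CustomerSecretKey",
    "metadata": {"name": "demo", "namespace": "demo-staging"},
    "status": {"atProvider": {
        "accessKey": "constructed-access-key-id",
        "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:customerSecretKey"],
        "secretKey": "CONSTRUCTED-PLACEHOLDER",
        "status": "",
        "user": [{"name": "demo_staging_user"}],
    }},
}]})

def leaves(node, path):
    """Yield (path, value) for every scalar below node; list indices are ints."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from leaves(value, path + (index,))
    else:
        yield path, node

def fmt(path):
    out = ""
    for part in path:
        out += f"[{part}]" if isinstance(part, int) else ("." if out else "") + part
    return out

def find_plaintext_secrets(kubectl_json):
    """Return findings for sensitive-named, non-empty strings in status.atProvider."""
    doc = json.loads(kubectl_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for item in items:
        meta = item.get("metadata", {})
        observed = item.get("status", {}).get("atProvider", {})
        for path, value in leaves(observed, ("status", "atProvider")):
            key = next(p for p in reversed(path) if isinstance(p, str))
            if isinstance(value, str) and value and SENSITIVE_KEY.search(key):
                findings.append({"kind": item.get("kind"), "name": meta.get("name"),
                                 "namespace": meta.get("namespace"), "path": fmt(path)})
    return findings

if __name__ == "__main__":
    print(json.dumps(find_plaintext_secrets(SAMPLE), indent=2))
```

Matching is on the field name only, so the `schemas` entry that merely contains `customerSecretKey` in its value is not flagged, and the empty `status` string is skipped.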