diff --git a/terraform/kubernetes/cloud_deps/core_resource_deps.tf b/terraform/kubernetes/cloud_deps/core_resource_deps.tf
index 1d82f493f28..f549ffd64d4 100644
--- a/terraform/kubernetes/cloud_deps/core_resource_deps.tf
+++ b/terraform/kubernetes/cloud_deps/core_resource_deps.tf
@@ -83,8 +83,15 @@ resource "kubernetes_secret_v1" "db_secrets" {
   wait_for_service_account_token = false
 }
 
-data "sops_file" "auth0" {
-  source_file = "${path.module}/../../credentials/cockpit/auth0_config.yaml"
+data "terraform_remote_state" "auth0" {
+  backend = "azurerm"
+  config = {
+    resource_group_name  = var.auth0_state_resource_group
+    storage_account_name = var.auth0_state_storage_account
+    container_name       = var.auth0_state_container
+    key                  = var.auth0_state_key
+    use_azuread_auth     = true
+  }
 }
 
 resource "kubernetes_secret_v1" "cloud_auth0" {
@@ -94,8 +101,8 @@ resource "kubernetes_secret_v1" "cloud_auth0" {
   }
 
   data = {
-    "auth0-client-id"     = data.sops_file.auth0.data["stringData.auth0-client-id"]
-    "auth0-client-secret" = data.sops_file.auth0.data["stringData.auth0-client-secret"]
+    "auth0-client-id"     = data.terraform_remote_state.auth0.outputs.pixie_client_id
+    "auth0-client-secret" = data.terraform_remote_state.auth0.outputs.pixie_client_secret
   }
 
   type = "Opaque"
diff --git a/terraform/kubernetes/cloud_deps/provider.tf b/terraform/kubernetes/cloud_deps/provider.tf
index 527cf2b4295..0453dc57823 100644
--- a/terraform/kubernetes/cloud_deps/provider.tf
+++ b/terraform/kubernetes/cloud_deps/provider.tf
@@ -8,19 +8,15 @@ terraform {
       source  = "kbst/kustomization"
       version = "0.9.7"
     }
-    sops = {
-      source  = "carlpett/sops"
-      version = "~> 1.0"
-    }
   }
 }
 
 provider "kubernetes" {
-  config_path    = "~/.kube/cockpick-config"
+  config_path    = "~/.kube/cockpit-config"
   config_context = "default"
 }
 
 provider "kustomization" {
   context         = "default"
-  kubeconfig_path = "~/.kube/cockpick-config"
+  kubeconfig_path = "~/.kube/cockpit-config"
 }
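Review bot: The new `data "terraform_remote_state" "auth0"` block gives this workspace read access to the whole auth0 state blob, not only the two outputs consumed further down, so any identity that can run a plan here can read every resource attribute recorded in that state; nothing in the hunk documents that widened trust boundary. A comment above the block would make it explicit, e.g. `# Reads the full auth0 state blob: the identity running this plan needs blob-read access on that container and sees every attribute in it, not just the two outputs used.` Using `use_azuread_auth = true` rather than an account key is the right choice for that access. If the auth0 workspace could publish just the two values it exposes (for instance into a vault-style store), this module would not need state-wide read at all.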
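Review bot: Whether `data.terraform_remote_state.auth0.outputs.pixie_client_secret` is redacted in this module's plan output depends on the auth0 workspace declaring that output `sensitive = true`, which this diff cannot show; wrapping the reference as `sensitive(data.terraform_remote_state.auth0.outputs.pixie_client_secret)` would make the redaction independent of the upstream declaration. The output names `pixie_client_id` / `pixie_client_secret` are a cross-workspace contract with no check on this side, so a rename upstream surfaces only as an unsupported-attribute error at plan time; a comment naming the producing workspace next to the `data = {` map would help the next maintainer. The `cloud_auth0` resource block starts and ends outside the hunk.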
diff --git a/terraform/kubernetes/cloud_deps/variables.tf b/terraform/kubernetes/cloud_deps/variables.tf
index 88b789f3ec0..f7349926ab7 100644
--- a/terraform/kubernetes/cloud_deps/variables.tf
+++ b/terraform/kubernetes/cloud_deps/variables.tf
@@ -39,3 +39,21 @@ variable "cluster_internal_issuer" {
 variable "public_issuer" {
   default = "letsencrypt-prod"
 }
+
+# Auth0 remote state lookup — reads pixie_client_id / pixie_client_secret
+# outputs from the auth0 terraform state. All four must be supplied by the
+# caller (pipeline passes them as -var).
+variable "auth0_state_resource_group" {
+  type = string
+}
+variable "auth0_state_storage_account" {
+  type = string
+}
+variable "auth0_state_container" {
+  type = string
+  default = "tfoscaas-0001"
+}
+variable "auth0_state_key" {
+  type = string
+  default = "auth0-ckp2.tfstate"
+}
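Review bot: The header comment states that all four variables must be supplied by the caller, but `auth0_state_container` and `auth0_state_key` carry defaults (`"tfoscaas-0001"`, `"auth0-ckp2.tfstate"`), so the comment contradicts the declarations beneath it; either drop the two defaults or reword it to `# The resource group and storage account must be supplied by the caller (pipeline passes them as -var); container and key default to the shared auth0 state location.` Each variable would also benefit from a `description` argument so the contract is visible in module docs rather than only in a free-text comment. Since these values select which state file is read, a `validation` block rejecting empty strings on the two required ones would turn a mis-wired pipeline into an early, clear error instead of a backend lookup failure.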