---
title: "Azure Key Vault"
slug: "azure-key-vault"
updated: 2025-10-27T14:57:07Z
published: 2025-10-27T14:57:07Z
---

# Azure Key Vault

The Azure Key Vault Store integrates with Microsoft Azure’s native secret management solution. It retrieves secrets such as passwords, keys, or tokens using a Service Principal, making it a strong option for Azure-based deployments. It supports centralized credential management and simplifies secret rotation in Azure environments.

### Azure Key Vault Store-specific Parameters

#### Prerequisites
An **Azure Service Principal with the Key Vault Secrets User role** is required. Use its **client credentials** when configuring the store authentication.


| Parameter              | Value                                          | Description                                            |
| ---------------------- | ---------------------------------------------- | ------------------------------------------------------ |
| `type`                 | `AzureKeyVault`                                | Identifies the store type as Azure Key Vault           |
| `details.vaultUrl`     | `https://<your-keyvault-name>.vault.azure.net` | The base URL of your Azure Key Vault instance          |
| `details.tenantId`     | `${AZURE_TENANT_ID}`                           | Azure tenant ID                       |
| `details.clientId`     | `${AZURE_CLIENT_ID}`                           | Client ID of the Azure application                  |
| `details.clientSecret` | `${AZURE_CLIENT_SECRET}`                       | Client secret associated with the Azure AD application |


#### Example
The following example is based on the [general store](/v1/docs/stores) and store-specific parameters.

```yaml
secretsMgmt:
  enabled: true
  plainIDConfig:
    config.yaml:
      secretStore:
        - id: AZURE_KEY_VAULT_STORE
          type: AzureKeyVault
          isDefault: false
          details:
            vaultUrl: https://<your-keyvault-name>.vault.azure.net
            tenantId: ${AZURE_TENANT_ID}
            clientId: ${AZURE_CLIENT_ID}
            clientSecret: ${AZURE_CLIENT_SECRET}
```

A typical use case is securely referencing a secret from Azure Key Vault—for example, an OAuth client secret—without hardcoding credentials in your configuration. This enables centralized secret management and supports automated rotation without requiring service redeployments.
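A pre-deployment check for the store entry shown above, added here as an example and not part of PlainID's product or documentation. It takes the parsed `secretStore` entry as a dict and flags a literal `clientSecret`, an unreplaced `<your-keyvault-name>` placeholder, and a `vaultUrl` that is not an HTTPS base URL on `*.vault.azure.net`; the function name, the sample values and the restriction to that public-cloud host suffix are assumptions.

```python
import re
from urllib.parse import urlsplit

# ${VAR} reference, the form the page's example uses for credentials.
ENV_REF = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")
# Assumption: public-cloud vault hosts only, matching the page's vaultUrl format.
VAULT_HOST = re.compile(r"[a-z0-9-]+\.vault\.azure\.net")
REQUIRED = ("vaultUrl", "tenantId", "clientId", "clientSecret")


def lint_azure_store(store):
    """Return findings for one parsed secretStore entry (a dict)."""
    if store.get("type") != "AzureKeyVault":
        return ["type is not AzureKeyVault"]
    details = store.get("details") or {}
    findings = [f"details.{k} is missing or empty"
                for k in REQUIRED if not str(details.get(k) or "").strip()]

    secret = str(details.get("clientSecret") or "")
    if secret and not ENV_REF.fullmatch(secret):
        findings.append("details.clientSecret is a literal, not a ${VAR} reference")

    url = str(details.get("vaultUrl") or "")
    if "<" in url or ">" in url:
        findings.append("details.vaultUrl still contains the <...> placeholder")
    elif url:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append("details.vaultUrl must use https")
        if not VAULT_HOST.fullmatch(parts.hostname or ""):
            findings.append("details.vaultUrl host is not <name>.vault.azure.net")
        if parts.path not in ("", "/") or parts.query or parts.username:
            findings.append("details.vaultUrl must be the base URL only")
    return findings


# Constructed sample entries (parsed YAML as dicts); names are illustrative.
GOOD = {"id": "AZURE_KEY_VAULT_STORE", "type": "AzureKeyVault", "details": {
    "vaultUrl": "https://contoso-kv.vault.azure.net",
    "tenantId": "${AZURE_TENANT_ID}", "clientId": "${AZURE_CLIENT_ID}",
    "clientSecret": "${AZURE_CLIENT_SECRET}"}}
BAD = {"id": "AZURE_KEY_VAULT_STORE", "type": "AzureKeyVault", "details": {
    "vaultUrl": "http://contoso-kv.vault.azure.net.example.com/secrets",
    "tenantId": "${AZURE_TENANT_ID}", "clientId": "${AZURE_CLIENT_ID}",
    "clientSecret": "constructed-literal-secret"}}

if __name__ == "__main__":
    for name, entry in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_azure_store(entry) or "ok")
```

Running it in CI against the rendered configuration catches a committed secret or a look-alike vault host before the service starts.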
