Azure Key Vault


The Azure Key Vault Store integrates with Microsoft Azure’s native secret management solution. It retrieves secrets such as passwords, keys, or tokens using a Service Principal, making it a strong option for Azure-based deployments. It supports centralized credential management and simplifies secret rotation in Azure environments.

Azure Key Vault Store-specific Parameters

Prerequisites

An Azure Service Principal with the Key Vault Secrets User role is required. Use that Service Principal's client credentials (tenant ID, client ID and client secret) when configuring the store authentication.

Parameter             Value                                          Description
type                  AzureKeyVault                                  Identifies the store type as Azure Key Vault
details.vaultUrl      https://<your-keyvault-name>.vault.azure.net   The base URL of your Azure Key Vault instance
details.tenantId      ${AZURE_TENANT_ID}                             Azure tenant ID
details.clientId      ${AZURE_CLIENT_ID}                             Client ID of the Azure application
details.clientSecret  ${AZURE_CLIENT_SECRET}                         Client secret associated with the Azure AD application

Example

The following example is based on the general store and store-specific parameters.

secretsMgmt:
  enabled: true
  plainIDConfig:
    config.yaml:
      secretStore:
        - id: AZURE_KEY_VAULT_STORE
          type: AzureKeyVault
          isDefault: false
          details:
            vaultUrl: https://<your-keyvault-name>.vault.azure.net
            tenantId: ${AZURE_TENANT_ID}
            clientId: ${AZURE_CLIENT_ID}
            clientSecret: ${AZURE_CLIENT_SECRET}

A typical use case is securely referencing a secret from Azure Key Vault—for example, an OAuth client secret—without hardcoding credentials in your configuration. This enables centralized secret management and supports automated rotation without requiring service redeployments.
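A practical way to keep that property true is to lint the store definition before it is deployed. The Python below is an added example, not PlainID tooling: it assumes the `config.yaml` layout shown above (a `secretStore` list with `type` and `details`), and checks that `vaultUrl` is a real `https://<name>.vault.azure.net` host (so an unreplaced `<your-keyvault-name>` placeholder is caught), that every required credential field is present, that `${NAME}` references resolve to set environment variables, and that `clientSecret` is an environment reference rather than a literal committed to the file. The sample configuration and the second, deliberately broken store entry are constructed for the example.

```python
"""Lint AzureKeyVault secretStore entries for missing or hardcoded credentials.

Added example (not PlainID's own tooling). Assumes the config.yaml layout
secretsMgmt.plainIDConfig["config.yaml"].secretStore[] shown on this page.
"""
import os
import re
from typing import Dict, List, Optional

# Azure Key Vault names are 3-24 characters of letters, digits and hyphens,
# starting with a letter; the service endpoint is always *.vault.azure.net.
VAULT_URL_RE = re.compile(
    r"^https://[a-z][a-z0-9-]{1,22}[a-z0-9]\.vault\.azure\.net/?$", re.IGNORECASE
)
# The only acceptable form for credentials in the file: a ${NAME} reference.
ENV_REF_RE = re.compile(r"^\$\{([A-Z][A-Z0-9_]*)\}$")
REQUIRED_DETAILS = ("vaultUrl", "tenantId", "clientId", "clientSecret")


def env_ref_name(value: str) -> Optional[str]:
    """Return NAME for a '${NAME}' reference, or None for a literal value."""
    match = ENV_REF_RE.match(value)
    return match.group(1) if match else None


def validate_store(store: Dict, env: Dict[str, str]) -> List[str]:
    """Return the list of problems for one secretStore entry (empty means OK)."""
    if store.get("type") != "AzureKeyVault":
        return [f"type must be AzureKeyVault, got {store.get('type')!r}"]
    problems: List[str] = []
    details = store.get("details") or {}
    for key in REQUIRED_DETAILS:
        if not details.get(key):
            problems.append(f"details.{key} is missing")
    vault_url = str(details.get("vaultUrl") or "")
    if vault_url and not VAULT_URL_RE.match(vault_url):
        # Also rejects the unreplaced <your-keyvault-name> placeholder.
        problems.append(
            f"details.vaultUrl {vault_url!r} is not an https://<name>.vault.azure.net URL"
        )
    for key in ("tenantId", "clientId", "clientSecret"):
        raw = details.get(key)
        if not raw:
            continue  # already reported as missing above
        name = env_ref_name(str(raw))
        if name is None:
            if key == "clientSecret":
                problems.append(
                    "details.clientSecret is a literal value; reference it as "
                    "${AZURE_CLIENT_SECRET} instead of committing it to the file"
                )
        elif not env.get(name):
            problems.append(
                f"details.{key} references ${{{name}}}, which is not set in the environment"
            )
    return problems


def validate_values(values: Dict, env: Dict[str, str]) -> Dict[str, List[str]]:
    """Validate every AzureKeyVault entry under the config.yaml secretStore list."""
    stores = (
        values.get("secretsMgmt", {})
        .get("plainIDConfig", {})
        .get("config.yaml", {})
        .get("secretStore", [])
    )
    return {
        store.get("id", "<no id>"): validate_store(store, env)
        for store in stores
        if store.get("type") == "AzureKeyVault"
    }


# Constructed sample: the page's store plus a deliberately broken second entry.
SAMPLE_VALUES = {
    "secretsMgmt": {
        "enabled": True,
        "plainIDConfig": {
            "config.yaml": {
                "secretStore": [
                    {
                        "id": "AZURE_KEY_VAULT_STORE",
                        "type": "AzureKeyVault",
                        "isDefault": False,
                        "details": {
                            "vaultUrl": "https://contoso-prod.vault.azure.net",
                            "tenantId": "${AZURE_TENANT_ID}",
                            "clientId": "${AZURE_CLIENT_ID}",
                            "clientSecret": "${AZURE_CLIENT_SECRET}",
                        },
                    },
                    {
                        "id": "BROKEN_STORE",  # placeholder URL + hardcoded secret
                        "type": "AzureKeyVault",
                        "isDefault": False,
                        "details": {
                            "vaultUrl": "https://<your-keyvault-name>.vault.azure.net",
                            "tenantId": "${AZURE_TENANT_ID}",
                            "clientId": "${AZURE_CLIENT_ID}",
                            "clientSecret": "not-a-real-secret-literal",
                        },
                    },
                ]
            }
        },
    }
}

if __name__ == "__main__":
    for store_id, issues in validate_values(SAMPLE_VALUES, dict(os.environ)).items():
        print(store_id, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

In a pipeline you would load the real `values.yaml` with a YAML parser and fail the deploy when any store returns a non-empty problem list; the literal-secret check is the one that keeps a rotated client secret out of version control.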