AMT Help Files

Azure Key Vault

Azure Key Vault is a cloud-based service from Microsoft that securely stores and manages cryptographic keys, secrets, and certificates used by applications and services. It helps organizations protect sensitive information and control access to it.

Configuring Azure Secure Storage

Setting Environment Variables

With the environment credential option, the runtime accesses the Key Vault through an app registration in the Azure tenant. To enable use of the Azure vault, first set the following environment variables:

AZURE_CLIENT_ID
The application (client) ID, a GUID that identifies a registered Microsoft Entra ID (formerly Azure Active Directory) application. It is used with AZURE_TENANT_ID and AZURE_CLIENT_SECRET for client-credentials authentication so that SDKs and the CLI can request tokens to access Azure services.

AZURE_CLIENT_SECRET
A string containing the client (application) secret, which is the credential a registered Microsoft Entra ID app uses when authenticating with client credentials. Set it as an environment variable so that SDKs and the CLI can read it for non-interactive authentication.

AZURE_TENANT_ID
Used to specify the tenant ID for authenticating to Azure services, including Azure Key Vault. This ID is necessary for applications to access resources within a specific Microsoft Entra ID tenant.

Updating Secure Storage Configuration

After the environment variables have been set, the Control Center or Application configuration file must then be updated to point to the Azure Key Vault.

secureStorages:
  - id: azure
    vaultType: Azure
    vaultConfiguration:
      azureCredentialType: <environment>
      azureVaultName: <key_vault>
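
A preflight check for the three environment variables and the vault name configured above, as an added example that is not part of AMT or its documentation. The function name `preflight`, the rule that a tenant ID may be a GUID or a domain name, and passing the vault name on the command line are assumptions of this example; the secret's value is never printed.

```python
import os
import re
import sys

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
TENANT_RE = re.compile(r"[A-Za-z0-9.-]+")  # assumption: GUID or domain name
# Key Vault names: 3-24 chars, letters/digits/hyphens, start with a letter,
# end with a letter or digit, no consecutive hyphens.
VAULT_RE = re.compile(r"[A-Za-z](?:-?[A-Za-z0-9])+")
REQUIRED = ("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID")


def preflight(env, vault_name):
    """Return a list of problems (empty means usable); never echoes values."""
    problems = []
    for name in REQUIRED:
        value = env.get(name)
        if not value:
            problems.append(f"{name} is not set or is empty")
        elif value != value.strip():
            problems.append(f"{name} has leading or trailing whitespace")
    if problems:
        return problems
    client_id, tenant_id = env["AZURE_CLIENT_ID"], env["AZURE_TENANT_ID"]
    if not GUID_RE.fullmatch(client_id):
        problems.append("AZURE_CLIENT_ID is not a GUID")
    if not TENANT_RE.fullmatch(tenant_id):
        problems.append("AZURE_TENANT_ID contains invalid characters")
    if client_id.lower() == tenant_id.lower():
        problems.append("AZURE_CLIENT_ID and AZURE_TENANT_ID are identical")
    if not (3 <= len(vault_name) <= 24 and VAULT_RE.fullmatch(vault_name)):
        problems.append("azureVaultName is not a valid Key Vault name")
    return problems


if __name__ == "__main__":
    # Usage: python preflight.py <azureVaultName from the configuration file>
    found = preflight(os.environ, sys.argv[1] if len(sys.argv) > 1 else "")
    for problem in found:
        print("FAIL:", problem)
    sys.exit(1 if found else 0)
```

Run it in the same environment that starts the runtime, so it sees the variables the runtime will see.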
