Azure Key Vault secret Click here for latest


You are currently viewing v"2.10" of the documentation and it is not the latest. For the most recent documentation, kindly click here.

You can pull secrets from Azure Key Vault into the trigger by using the azureKeyVault key.

The secrets list defines the mapping between the key vault secret and the authentication parameter.

Currently, azure and azure-workload pod identity providers are supported for Azure Key Vault using podIdentity inside azureKeyVault.

Service principal authentication is also supported, needing to register an application with Azure Active Directory and specifying its credentials. The clientId and tenantId for the application are to be provided as part of the spec. The clientSecret for the application is expected to be within a kubernetes secret in the same namespace as the authentication resource.

Ensure that “read secret” permissions have been granted to the Azure AD application on the Azure Key Vault. Learn more in the Azure Key Vault documentation.

The cloud parameter can be used to specify cloud environments besides Azure Public Cloud, such as known Azure clouds like Azure China Cloud, etc. and even Azure Stack Hub or Air Gapped clouds.

azureKeyVault:                                          # Optional.
  vaultUri: {key-vault-address}                         # Required.
  podIdentity:                                          # Optional.
    provider: azure | azure-workload                    # Required.
    identityId: <identity-id>                           # Optional
  credentials:                                          # Optional.
    clientId: {azure-ad-client-id}                      # Required.
    clientSecret:                                       # Required.
      valueFrom:                                        # Required.
        secretKeyRef:                                   # Required.
          name: {k8s-secret-with-azure-ad-secret}       # Required.
          key: {key-within-the-secret}                  # Required.
    tenantId: {azure-ad-tenant-id}                      # Required.
  cloud:                                                # Optional.
    type: AzurePublicCloud | AzureUSGovernmentCloud | AzureChinaCloud | AzureGermanCloud | Private # Required.
    keyVaultResourceURL: {key-vault-resource-url-for-cloud}           # Required when type = Private.
    activeDirectoryEndpoint: {active-directory-endpoint-for-cloud}    # Required when type = Private.
  secrets:                                              # Required.
  - parameter: {param-name-used-for-auth}               # Required.
    name: {key-vault-secret-name}                       # Required.
    version: {key-vault-secret-version}                 # Optional.