Azure Key Vault

Detailed information on the Azure Key Vault cryptography component

Component format

A Dapr crypto.yaml component file has the following structure:

    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: azurekeyvault
    spec:
      type: crypto.azure.keyvault
      metadata:
      - name: vaultName
        value: mykeyvault
      # See authentication section below for all options
      - name: azureTenantId
        value: ${{AzureKeyVaultTenantId}}
      - name: azureClientId
        value: ${{AzureKeyVaultServicePrincipalClientId}}
      - name: azureClientSecret
        value: ${{AzureKeyVaultServicePrincipalClientSecret}}

Warning

The above example uses secrets as plain strings. It is recommended to use a secret store for the secrets, as described here.

Authenticating with Azure AD

The Azure Key Vault cryptography component supports authentication with Azure AD only. Before you enable this component:

  1. Read the Authenticating to Azure document.
  2. Create an Azure AD application (also called a Service Principal).
  3. Alternatively, create a managed identity for your application platform.

Spec metadata fields

| Field | Required | Details | Example |
|---|---|---|---|
| vaultName | Y | Azure Key Vault name | "mykeyvault" |
| Auth metadata | Y | See Authenticating to Azure for more information | |

Last modified June 19, 2023: Merge pull request #3565 from dapr/aacrawfi/skip-secrets-close (b1763bf)