Use this provider when you want secret storage in Azure Key Vault.

Environment Variables

| Variable | Required | Notes |
| --- | --- | --- |
| SECRETS_MANAGER_TYPE | Yes | Set to azure_key_vault. |
| SECRETS_MANAGER_AZURE_VAULT_URL | Conditionally required | Required if SECRETS_MANAGER_AZURE_VAULT_NAME is not set. |
| SECRETS_MANAGER_AZURE_VAULT_NAME | Conditionally required | If set, URL is derived as https://<vault-name>.vault.azure.net/. |
| SECRETS_MANAGER_AZURE_TENANT_ID | Optional | Used with client credential auth. |
| SECRETS_MANAGER_AZURE_CLIENT_ID | Optional | Used with client credential auth. |
| SECRETS_MANAGER_AZURE_CLIENT_SECRET | Optional | Used with client credential auth. |
| SECRETS_MANAGER_AZURE_USE_MANAGED_IDENTITY | Optional | Config field exists. Authentication still follows Azure default credential chain when client credential values are not set. |

Authentication behavior:
  • If TENANT_ID, CLIENT_ID, and CLIENT_SECRET are all set, client secret auth is used.
  • Otherwise, Azure default credential chain is used.

Create Azure Resources and Credentials

  1. Create a Key Vault:
    • Azure Portal -> Key vaults -> Create.
    • Choose subscription, resource group, region, and vault name.
  2. Create an app identity for service-to-service auth:
    • Azure Portal -> Microsoft Entra ID -> App registrations -> New registration.
    • Open the app and copy Application (client) ID.
    • Copy Directory (tenant) ID from app or tenant overview.
  3. Generate a client secret:
    • App registration -> Certificates & secrets -> New client secret.
    • Copy the secret value.
  4. Grant the app permissions to the vault:
    • If using Access Policies: Key Vault -> Access policies -> Add secret permissions (Get, Set, Delete).
    • If using RBAC: assign a role that includes secret read/write/delete on the vault scope.

Map Credentials to Env Vars

| Azure value | Env var |
| --- | --- |
| Vault name | SECRETS_MANAGER_AZURE_VAULT_NAME |
| Vault URL (https://<vault-name>.vault.azure.net/) | SECRETS_MANAGER_AZURE_VAULT_URL |
| Tenant ID | SECRETS_MANAGER_AZURE_TENANT_ID |
| Client ID | SECRETS_MANAGER_AZURE_CLIENT_ID |
| Client secret value | SECRETS_MANAGER_AZURE_CLIENT_SECRET |

Local Switch Example

# env_files/secrets.env
SECRETS_MANAGER_TYPE=azure_key_vault
SECRETS_MANAGER_AZURE_VAULT_NAME=<vault-name>
SECRETS_MANAGER_AZURE_TENANT_ID=<tenant-id>
SECRETS_MANAGER_AZURE_CLIENT_ID=<client-id>
SECRETS_MANAGER_AZURE_CLIENT_SECRET=<client-secret>
# Optional
# SECRETS_MANAGER_AZURE_VAULT_URL=https://<vault-name>.vault.azure.net/

Restart wonderful-secrets after changing these values.
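
Added example, not part of wonderful-secrets: a standard-library preflight check that applies the rules stated on this page to an env file before a restart. It reports the vault URL, the auth mode that will be selected, and the case where only some of the three client credential values are set, so the default credential chain is used instead of client secret auth. The function names and sample values are assumptions of this example; the vault-name check follows Azure's naming rule (3-24 characters, letters, digits and hyphens).

```python
# Added example (not wonderful-secrets code): preflight check for env_files/secrets.env.
import re

PREFIX = "SECRETS_MANAGER_AZURE_"
CLIENT_KEYS = ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")
# Azure vault names: 3-24 chars, letters/digits/hyphens, start with a letter.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]")
# Constructed sample: CLIENT_SECRET was forgotten, so all three are not set.
SAMPLE = """\
SECRETS_MANAGER_TYPE=azure_key_vault
SECRETS_MANAGER_AZURE_VAULT_NAME=example-vault
SECRETS_MANAGER_AZURE_TENANT_ID=00000000-0000-0000-0000-000000000000
SECRETS_MANAGER_AZURE_CLIENT_ID=11111111-1111-1111-1111-111111111111
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def preflight(env):
    """Return (vault_url, auth_mode, warnings) under the rules stated on this page."""
    warnings = []
    if env.get("SECRETS_MANAGER_TYPE") != "azure_key_vault":
        warnings.append("SECRETS_MANAGER_TYPE is not azure_key_vault")
    name, url = env.get(PREFIX + "VAULT_NAME", ""), env.get(PREFIX + "VAULT_URL", "")
    if name and not NAME_RE.fullmatch(name):
        warnings.append("VAULT_NAME is not a valid vault name")
    # The page derives the URL whenever VAULT_NAME is set.
    vault_url = f"https://{name}.vault.azure.net/" if name else url
    if not vault_url:
        warnings.append("set VAULT_NAME or VAULT_URL")
    elif not vault_url.startswith("https://"):
        warnings.append("vault URL is not https")
    if name and url and url.rstrip("/") != vault_url.rstrip("/"):
        warnings.append("VAULT_URL differs from the URL derived from VAULT_NAME")
    missing = [k for k in CLIENT_KEYS if not env.get(PREFIX + k)]
    mode = "default_credential_chain" if missing else "client_secret"
    if 0 < len(missing) < len(CLIENT_KEYS):
        warnings.append("partial client credentials, missing: " + ", ".join(missing))
    return vault_url, mode, warnings

if __name__ == "__main__":
    print(preflight(parse_env(SAMPLE)))
```

A non-empty warnings list is worth resolving before the restart: a partial credential set does not fail, it changes which identity the service authenticates as.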

What to Verify

  1. Run the smoke test from Secret Managers.
  2. Confirm secrets are created in the configured Key Vault.