Azure Key Vault

Learn how to easily sync environment variables to Azure Key Vault.

Learn how to set up the Azure Key Vault integration to enable automatic secrets sync to Azure Key Vault Resource Groups.

Prerequisites

Authorization

There are two ways to authenticate Doppler with Azure Key Vault: Doppler's registered app and custom service principal. Doppler recommends authenticating with the Doppler registered app unless your organization requires authenticating via a custom service principal.

Doppler App

Navigate to the Doppler project and click Integrations from the submenu. Then select Azure Key Vault.

You'll then be redirected to the Azure Portal to approve Doppler's access to your Azure Key Vault.

Custom Service Principal

Navigate to the project and click Integrations from the submenu. Then select Azure Key Vault (SP). Leave this window open while we create a service principal for Doppler to use.

Screenshot of Doppler's set up integration UI for Azure Key Vault

Go to the Azure Portal and open Azure Active Directory. Click App registrations in the left menu and choose New registration.

Screenshot of Azure Portal UI

Provide a name for the app; we'll use "doppler" in this example. Be sure to leave the Supported account types option set to Accounts in this organizational directory only (Single tenant) and leave the Redirect URI blank.

Screenshot of Azure portal UI

Click Register, then copy the Application (client) ID and Directory (tenant) ID to the Doppler dashboard.

Screenshot of Azure portal UI

Click Add a certificate or secret and then New client secret. You may adjust the name and expiration parameters however you like.

Screenshot of Azure portal UI

Copy the secret Value to the Doppler dashboard but don't click Connect just yet.

Screenshot of Azure portal UI

The last step is to give the new service principal permission to access your vault. Open your vault in the Azure portal and click Access policies.

Screenshot of Azure portal UI

Click Create and then choose the Secret Management template.

Screenshot of Azure portal UI

Search for the service principal that you just created and complete the remaining prompts.

Screenshot of Azure portal UI

Repeat this process for every Azure Key Vault that Doppler needs access to.

Once finished, click Connect in the Doppler dashboard to create the integration.

📘

Seeing an "Invalid Client Secret" Error?

It might take a minute or two for Azure's API to register the service principal and the associated secret. Just click Connect again to retry.

Configuration

Find your Azure Key Vault URI in the Azure Portal. Click on your Key Vault, go to the Essentials section, then copy the URI for the next step.

Screenshot of Azure portal UI

Select your Doppler config, enter your Azure Key Vault URI, and select your Sync Strategy to finish the setup. The Multi-Secret strategy will create a separate secret in Azure Key Vault for every secret in the Doppler config you're syncing.

Screenshot of Doppler's set up integration UI with fields and CTA button highlighted

The Single-Secret strategy will sync all secrets in the Doppler config you're syncing to a single secret in Azure as a JSON object. If you choose this option, then you need to specify the name of the secret you'd like to sync to. The name can be anything you like so long as it complies with Key Vault's secret name restrictions.

Screenshot of Doppler's set up integration UI with fields and CTA button highlighted

Then click Set Up Integration to complete the setup process.

🚧

Underscore to dash conversion

Azure Key Vault does not support underscores in secret names, so they will be replaced with dashes/hyphens. For example, API_KEY will be saved as API-KEY in your Vault.
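A pre-sync check for the two sync strategies and the underscore-to-dash conversion described above. This is an added example, not Doppler's code: the function names and sample config are hypothetical, and the name rule (1-127 alphanumerics and dashes), the 25k-byte value limit, the case-insensitive comparison and the JSON layout are assumptions stated in the comments.

```python
import json
import re

# Assumption: Key Vault secret names are 1-127 characters, alphanumerics and dashes only.
KV_NAME_RE = re.compile(r"[0-9A-Za-z-]{1,127}")
# Assumption: per-secret value limit of "25k bytes", treated here as 25,000.
KV_VALUE_LIMIT = 25_000


def to_key_vault_name(doppler_name):
    """Apply the underscore-to-dash conversion described on this page."""
    return doppler_name.replace("_", "-")


def check_multi_secret(names):
    """Multi-Secret strategy: return (name mapping, list of problems)."""
    mapping, problems, seen = {}, [], {}
    for name in names:
        kv = to_key_vault_name(name)
        mapping[name] = kv
        if not KV_NAME_RE.fullmatch(kv):
            problems.append(f"{name}: '{kv}' is not a valid Key Vault secret name")
        # Assumption: Key Vault compares names case-insensitively.
        key = kv.lower()
        if key in seen:
            problems.append(f"{name}: collides with {seen[key]} as '{kv}'")
        else:
            seen[key] = name
    return mapping, problems


def check_single_secret(target_name, secrets):
    """Single-Secret strategy: validate the target name and the JSON size."""
    problems = []
    if not KV_NAME_RE.fullmatch(target_name):
        problems.append(f"'{target_name}' is not a valid Key Vault secret name")
    # Assumption: compact JSON keyed by the config's names; the real payload may differ.
    size = len(json.dumps(secrets, separators=(",", ":")).encode("utf-8"))
    if size > KV_VALUE_LIMIT:
        problems.append(f"JSON payload is {size} bytes, over the {KV_VALUE_LIMIT}-byte limit")
    return problems


# Constructed sample input chosen to exercise each check (not real secrets).
SAMPLE = {"API_KEY": "k-123", "API-KEY": "k-456", "DB.URL": "postgres://example", "PORT": "8080"}

if __name__ == "__main__":
    mapping, problems = check_multi_secret(SAMPLE)
    print(mapping)
    print(problems + check_single_secret("doppler_config", SAMPLE))
```

Applications that read the synced secrets back from Key Vault need the same mapping to find API-KEY when their code expects API_KEY.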

Your Azure Key Vault integration is set up! You can now view your secrets in the Azure Portal by clicking on the destination and selecting Secrets for your Key Vault:

Screenshot of Doppler UI to manage Azure Key Vault integration after being set up

Screenshot of Azure Key vault UI

👍

Outstanding!

Now you know how to set up the Azure Key Vault integration to enable automatic secrets sync to Azure Key Vault Resource Groups.