Azure Key Vault
Learn how to easily sync environment variables to Azure Key Vault.
Learn how to set up the Azure Key Vault integration to enable automatic secrets sync to Azure Key Vault Resource Groups.
Prerequisites
- You have a Microsoft Azure account set up with a Resource Group and a Key Vault.
Authorization
There are two ways to authenticate Doppler with Azure Key Vault: Doppler's registered app and custom service principal. Doppler recommends authenticating with the Doppler registered app unless your organization requires authenticating via a custom service principal.
Doppler App
Navigate to the Doppler project and click Integrations from the submenu. Then select Azure Key Vault.
You'll then be redirected to the Azure Portal to approve Doppler's access to your Azure Key Vault.
Custom Service Principal
Navigate to the project and click Integrations from the submenu. Then select Azure Key Vault (SP). Leave this window open while we create a service principal for Doppler to use.
Go to the Azure Portal to open the Azure Active Directory. Click App registrations in the left menu and choose New registration.
Provide a name for the app; we'll use "doppler" in this example. Be sure to leave the Supported account types option set to Accounts in this organizational directory only (Single tenant) and leave the Redirect URI blank.
Click Register, then copy the Application (client) ID and Directory (tenant) ID to the Doppler dashboard.
Click Add a certificate or secret and then New client secret. You may adjust the name and expiration parameters however you like.
Copy the secret Value to the Doppler dashboard but don't click Connect just yet.
The last step is to give the new service principal permission to access your vault. Open your vault in the Azure portal and click Access policies.
Click Create and then choose the Secret Management template.
Search for the service principal that you just created and complete the remaining prompts.
Repeat this process for all Azure Vaults which Doppler needs access to.
Once finished, click Connect in the Doppler dashboard to create the integration.
Seeing an "Invalid Client Secret" Error?
It might take a minute or two for Azure's API to register the service principal and the associated secret. Just click Connect again to retry.
Configuration
Find your Azure Key Vault URI in the Azure Portal. Click on your Key Vault, go to the Essentials section, then copy the URI for the next step.
Select your Doppler config, enter your Azure Key Vault URI, and select your Sync Strategy to finish the setup. The Multi-Secret strategy will create a separate secret in Azure Key Vault for every secret in the Doppler config you're syncing.
The Single-Secret strategy will sync all secrets in the Doppler config you're syncing to a single secret in Azure as a JSON object. If you choose this option, then you need to specify the name of the secret you'd like to sync to. The name can be anything you like so long as it complies with Key Vault's secret name restrictions.
Then click Set Up Integration to complete the setup process.
Underscore to dash conversion
Azure Key Vault does not support underscores and will replace them with dashes/hyphens. For example, API_KEY will be saved as API-KEY in your Vault.
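A pre-sync check for the naming rules above, as an added example (not Doppler's code): it applies the underscore-to-dash conversion to a list of Doppler secret names and flags results that would be invalid or would collide in the vault. The name pattern and the case-insensitive comparison reflect Azure's documented secret-name rules and are assumptions here; the function names and sample names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Key Vault's documented rule for secret names
# (1-127 characters, only letters, digits and dashes).
KV_NAME = re.compile(r"[0-9A-Za-z-]{1,127}")


def to_vault_name(doppler_name: str) -> str:
    """Underscore-to-dash conversion described on this page."""
    return doppler_name.replace("_", "-")


def plan_multi_secret(doppler_names):
    """Return (mapping, problems) for a Multi-Secret sync of these names."""
    mapping, problems = {}, []
    by_target = defaultdict(list)
    for name in doppler_names:
        target = to_vault_name(name)
        mapping[name] = target
        # Assumption: Key Vault compares secret names case-insensitively.
        by_target[target.lower()].append(name)
        if not KV_NAME.fullmatch(target):
            problems.append(f"{name}: '{target}' is not a valid Key Vault secret name")
    for target, sources in by_target.items():
        if len(sources) > 1:
            problems.append(f"{', '.join(sorted(sources))} all map to '{target}'")
    return mapping, problems


def check_single_secret_name(name: str) -> bool:
    """Validate the destination name chosen for the Single-Secret strategy."""
    return KV_NAME.fullmatch(name) is not None


if __name__ == "__main__":
    # Constructed sample names, chosen to exercise each check.
    names = ["API_KEY", "DATABASE_URL", "Api_Key", "X" * 128]
    mapping, problems = plan_multi_secret(names)
    for src, dst in mapping.items():
        print(f"{src[:20]:<20} -> {dst[:20]}")
    for p in problems:
        print("PROBLEM:", p)
    # An underscore in the Single-Secret destination name is rejected.
    print("doppler_prod valid:", check_single_secret_name("doppler_prod"))
```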
Your Azure Key Vault integration is set up! You can now view your secrets in the Azure Portal by clicking on the destination and selecting Secrets for your Key Vault.
Outstanding!
Now you know how to set up the Azure Key Vault integration to enable automatic secrets sync to Azure Key Vault Resource Groups.
Updated about 2 months ago