Azure Key Vault

Learn how to easily sync environment variables to Azure Key Vault.

Learn how to set up the Azure Key Vault integration to enable automatic secrets sync to Azure Key Vault Resource Groups.

Prerequisites

Authorization

There are two ways to authenticate Doppler with Azure Key Vault: Doppler's registered app and custom service principal. Doppler recommends authenticating with the Doppler registered app unless your organization requires authenticating via a custom service principal.

Doppler App

Navigate to the Doppler project and click Integrations from the submenu. Then select Azure Key Vault.

You'll then be redirected to the Azure Portal to approve Doppler's access to your Azure Key Vault.

Custom Service Principal

Navigate to the project and click Integrations from the submenu. Then select Azure Key Vault (SP). Leave this window open while we create a service principal for Doppler to use.

Go to the Azure Portal and open Azure Active Directory. Click App registrations in the left menu and choose New registration.

Provide a name for the app; we'll use "doppler" in this example. Be sure to leave the Supported account types option set to Accounts in this organizational directory only (Single tenant) and leave the Redirect URI blank.

Click Register, then copy the Application (client) ID and Directory (tenant) ID to the Doppler dashboard.

Click Add a certificate or secret and then New client secret. You may adjust the name and expiration parameters however you like.

Copy the secret Value to the Doppler dashboard but don't click Connect just yet.

The last step is to give the new service principal permission to access your vault. Open your vault in the Azure portal and click Access policies.

Click Create and then choose the Secret Management template.

Search for the service principal that you just created and complete the remaining prompts.

Repeat this process for every Azure Key Vault that Doppler needs access to.

Once finished, click Connect in the Doppler dashboard to create the integration.

📘

Seeing an "Invalid Client Secret" Error?

It might take a minute or two for Azure's API to register the service principal and the associated secret. Just click Connect again to retry.

Configuration

Find your Azure Key Vault URI in the Azure Portal. Click on your Key Vault, go to the Essentials section, then copy the URI for the next step.

Select your Doppler config and enter your Azure Key Vault URI to finish the setup.

Then click Set Up Integration to complete the setup process.

🚧

Underscore to dash conversion

Azure Key Vault does not support underscores in secret names, so they are replaced with dashes/hyphens. For example, API_KEY will be saved as API-KEY in your Vault.
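To check a vault against the conversion described above, the following added example (not Doppler's code) maps config names to their Key Vault form, validates them against Key Vault's naming rule (1-127 letters, digits and dashes), and diffs them against a vault's secret list. The function names and the sample data are assumptions made for illustration.

```python
import re

# Key Vault secret names: 1-127 characters, letters, digits and dashes only.
KV_NAME = re.compile(r"[0-9a-zA-Z-]{1,127}")


def to_vault_name(name: str) -> str:
    """Apply the underscore-to-dash conversion described above."""
    return name.replace("_", "-")


def audit(config_names, vault_names):
    """Compare the names a config should produce with a vault's listing."""
    expected, invalid, collisions = {}, [], []
    for name in config_names:
        vault_name = to_vault_name(name)
        if not KV_NAME.fullmatch(vault_name):
            invalid.append(name)  # Key Vault would reject this name
        elif vault_name in expected:
            # Two source names map to the same vault name.
            collisions.append((expected[vault_name], name))
        else:
            expected[vault_name] = name
    present = set(vault_names)
    return {
        "invalid": invalid,
        "collisions": collisions,
        "missing": sorted(set(expected) - present),     # not in the vault
        "unexpected": sorted(present - set(expected)),  # not from this config
    }


if __name__ == "__main__":
    # Constructed sample data: names from a config and from a vault listing.
    config = ["API_KEY", "DB_PASSWORD", "API-KEY", "BAD.NAME"]
    vault = ["API-KEY", "legacy-token"]
    for key, value in audit(config, vault).items():
        print(f"{key}: {value}")
```

The vault listing can come from `az keyvault secret list --vault-name <vault> --query "[].name" -o tsv`; entries reported as unexpected are secrets in the vault that this config did not produce.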

Your Azure Key Vault integration is set up! You can now view your secrets in the Azure Portal by clicking on the destination and selecting Secrets for your Key Vault.

👍

Outstanding!

Now you know how to set up the Azure Key Vault integration to enable automatic secrets sync to Azure Key Vault Resource Groups.