Azure Key Vault


To load secrets from Azure Key Vault, set the MAVERICS_SECRET_PROVIDER environment variable in /etc/maverics/maverics.env to a URL that carries the credentials of the application (service principal) the Orchestrator uses to authenticate to the vault, using the following pattern:

MAVERICS_SECRET_PROVIDER='azurekeyvault://<KEYVAULT NAME>.vault.azure.net?clientID=<APP_CLIENT_ID>&clientSecret=<APP_CLIENT_SECRET>&tenantID=<TENANT_ID>'

Because the value is a URL, percent-encode any characters in the client secret that are special in a query string (such as &, ?, # and %). The file now holds a live client secret, so restrict its permissions to the user the Orchestrator runs as.

In the Orchestrator's configuration file, reference a secret by its Key Vault secret name wrapped in angle brackets (for example <exampleClientSecret>); the Orchestrator replaces the placeholder with the value it fetches from Key Vault.

Azure Key Vault certificates are also supported. The certificate and its private key must both be PEM encoded and concatenated into a single file, certificate block first, then the private key block:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

As of February 2024, Azure does not support importing a PKCS#1 .pem key file (one whose key block begins with -----BEGIN RSA PRIVATE KEY-----). If you have a PKCS#1 key, convert it to PKCS#8 (-----BEGIN PRIVATE KEY-----) before combining it with the certificate:

openssl pkcs8 -topk8 -inform PEM -outform PEM -in rsa-private-key.pem -out pkcs8-private-key.pem -nocrypt

The -nocrypt option writes the PKCS#8 key unencrypted, which is what the PEM import expects; keep the converted file and the combined file readable only by you and delete them once the import has succeeded.

Import the combined file under the Certificates section of the vault, not as a Secret. For more information, see Tutorial: Import a certificate in Azure Key Vault.
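As an added example (not code from the Maverics documentation or product), the POSIX shell functions below prepare the combined PEM described above: they convert a PKCS#1 key to PKCS#8 only when the header shows it is needed, refuse a key that does not belong to the certificate, write the certificate followed by the key with restrictive permissions, and check that an existing file has the block order Key Vault expects. The function names and file names are this example's own.

```shell
#!/bin/sh
# Added example, not Maverics project code.
# Builds the PEM that Azure Key Vault accepts for a certificate import:
#   -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
#   -----BEGIN PRIVATE KEY-----  ... -----END PRIVATE KEY-----  (PKCS#8, unencrypted)

# make_keyvault_pem CERT.pem KEY.pem OUT.pem
#   KEY.pem may be PKCS#1 ("BEGIN RSA PRIVATE KEY") or PKCS#8; the output
#   is always certificate first, then an unencrypted PKCS#8 key.
make_keyvault_pem() {
  cert="$1"; key="$2"; out="$3"
  tmpkey="$out.key.tmp"

  if grep -q 'BEGIN RSA PRIVATE KEY' "$key"; then
    # Key Vault rejects PKCS#1, so re-encode as PKCS#8. -nocrypt keeps the key
    # unencrypted, which is what the PEM import expects: keep the file private.
    openssl pkcs8 -topk8 -inform PEM -outform PEM -in "$key" -out "$tmpkey" -nocrypt || return 1
  else
    cp "$key" "$tmpkey" || return 1
  fi

  # A key that does not match the certificate's public key is useless for TLS;
  # catch that here rather than after the import.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$tmpkey" -pubout | openssl dgst -sha256)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "make_keyvault_pem: private key does not match $cert" >&2
    rm -f "$tmpkey"
    return 1
  fi

  # The combined file holds a plaintext private key: create it mode 0600.
  ( umask 077; cat "$cert" "$tmpkey" > "$out" ) || { rm -f "$tmpkey"; return 1; }
  rm -f "$tmpkey"
  return 0
}

# check_keyvault_pem FILE.pem
#   Returns 0 when FILE.pem has a certificate block before a PKCS#8 key block
#   and contains no PKCS#1 key; otherwise prints the reason and returns 1.
check_keyvault_pem() {
  f="$1"
  if grep -q 'BEGIN RSA PRIVATE KEY' "$f"; then
    echo "$f: key is PKCS#1; convert it to PKCS#8 first" >&2
    return 1
  fi
  c=$(grep -n -m1 -- '-----BEGIN CERTIFICATE-----' "$f" | cut -d: -f1 || true)
  k=$(grep -n -m1 -- '-----BEGIN PRIVATE KEY-----' "$f" | cut -d: -f1 || true)
  if [ -z "$c" ] || [ -z "$k" ] || [ "$c" -ge "$k" ]; then
    echo "$f: expected a certificate block followed by a PKCS#8 private key block" >&2
    return 1
  fi
  return 0
}
```

Usage: `make_keyvault_pem server.crt rsa-private-key.pem exampleCertPair.pem && check_keyvault_pem exampleCertPair.pem`, then import exampleCertPair.pem under Certificates in the vault. The header test is deliberately narrow: a key that already reads -----BEGIN PRIVATE KEY----- is copied unchanged, so running the script twice is harmless.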

In the Orchestrator configuration, use the same Key Vault certificate name for both the certFile and keyFile fields: the one imported certificate object supplies both the certificate and the private key. For example:

tls:
  maverics:
    certFile: <exampleCertPair>
    keyFile: <exampleCertPair>

connectors:
  - name: azure
    type: azure
    authType: oauth
    oauthClientID: <exampleClientID>
    oauthClientSecret: <exampleClientSecret>
    # ...