To load secrets from Azure Key Vault, set the MAVERICS_SECRET_PROVIDER environment variable in the /etc/maverics/maverics.env file to the credentials of your service principal application, using the following pattern:
MAVERICS_SECRET_PROVIDER='azurekeyvault://<KEYVAULT NAME>.vault.azure.net?clientID=<APP_CLIENT_ID>&clientSecret=<APP_CLIENT_SECRET>&tenantID=<TENANT_ID>'
In the Orchestrator's configuration file, use the secret's name in Key Vault as the placeholder value for any secret.
Azure Key Vault certificates are also supported, but the certificate and key must be PEM encoded, and the file must be in the following format:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
As of February 2024, Azure does not support loading a PKCS1 .pem key file. If you have a PKCS1 .pem key file, it must be converted to PKCS8 before combining it with the certificate. You can convert PKCS1 to PKCS8 with the following command:
openssl pkcs8 -topk8 -inform PEM -outform PEM -in rsa-private-key.pem -out pkcs8-private-key.pem -nocrypt
The file must be imported to the Certificates section, not as a Secret. For more information, see Tutorial: Import a certificate in Azure Key Vault.
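As an added check that is not part of the Maverics documentation, the following Python validates a combined PEM file against the layout described above before it is imported into Key Vault: the certificate block must come first, exactly one private key block must follow it, and a PKCS1 "RSA PRIVATE KEY" header is flagged because Azure rejects it until it is converted to PKCS8. The sample PEM strings are constructed placeholders, not real certificates or keys.

```python
import re

# One PEM block: "-----BEGIN <LABEL>-----", body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Only an unencrypted PKCS#8 key carries this label; "RSA PRIVATE KEY" is PKCS#1.
PKCS8_LABEL = "PRIVATE KEY"


def check_keyvault_pem(text):
    """Return a list of problems with a combined cert+key PEM; [] means it is ready to import."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    problems = []
    if not labels:
        return ["no PEM blocks found"]
    if labels[0] != "CERTIFICATE":
        problems.append("file must start with a CERTIFICATE block")
    key_labels = [l for l in labels if l.endswith("PRIVATE KEY")]
    if len(key_labels) != 1:
        problems.append("expected exactly one private key block, found %d" % len(key_labels))
    elif not labels[-1].endswith("PRIVATE KEY"):
        problems.append("the private key block must come after the certificate")
    for label in key_labels:
        if label == "RSA PRIVATE KEY":
            problems.append("RSA PRIVATE KEY is PKCS#1; convert it with "
                            "'openssl pkcs8 -topk8 ... -nocrypt' first")
        elif label != PKCS8_LABEL:
            problems.append("%s is not an unencrypted PKCS#8 key" % label)
    for label in labels:
        if label != "CERTIFICATE" and not label.endswith("PRIVATE KEY"):
            problems.append("unexpected block: " + label)
    return problems


def build_keyvault_pem(cert_pem, key_pem):
    """Join a certificate and a key into the layout Key Vault expects, refusing bad input."""
    combined = cert_pem.strip() + "\n" + key_pem.strip() + "\n"
    problems = check_keyvault_pem(combined)
    if problems:
        raise ValueError("; ".join(problems))
    return combined


# Constructed sample inputs: the bodies are placeholders, not real certificates or keys.
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
PKCS1_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_keyvault_pem(CERT + PKCS8_KEY))   # []
    print(check_keyvault_pem(CERT + PKCS1_KEY))   # the PKCS#1 key is flagged
```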
In the Orchestrator configuration, use the same certificate name from Key Vault for both the certFile and keyFile fields. For example:
tls:
  maverics:
    certFile: <exampleCertPair>
    keyFile: <exampleCertPair>
connectors:
  - name: azure
    type: azure
    authType: oauth
    oauthClientID: <exampleClientID>
    oauthClientSecret: <exampleClientSecret>
    # ...