The Azure Key Vault secret provider connects the Orchestrator to Azure Key Vault for cloud-native secrets and certificate management. This provider integrates natively with Azure managed identities, making it ideal for Orchestrator deployments running on Azure infrastructure.
Console terminology: In the Maverics Console, Orchestrator instances and configuration delivery are managed through Deployments. When working directly with YAML, configuration is managed as files delivered via the -config flag or MAVERICS_CONFIG environment variable.

Overview

When configured with the Azure Key Vault provider, the Orchestrator authenticates to Azure using the default SDK credential chain and retrieves secrets from a specified Key Vault instance. The provider supports managed identity authentication (recommended for Azure VMs, App Services, and AKS) as well as service principal credentials. Azure Key Vault stores secrets, certificates, and cryptographic keys — all accessible through the same provider configuration.

Use Cases

  • Azure-native secret and certificate storage — store and manage Orchestrator secrets and TLS certificates in Key Vault with native Azure integration
  • Managed identity integration — authenticate to Key Vault without managing credentials by using Azure managed identities
  • Key rotation — leverage Azure Key Vault’s versioning to rotate secrets and automatically pick up new versions

Configuration

Secret providers are not configured in YAML. They are set via the MAVERICS_SECRET_PROVIDER environment variable or the -secretProvider CLI flag.
Console UI documentation is coming soon. This section will walk you through configuring this component using the Maverics Console’s visual interface, including step-by-step screenshots and field descriptions.

Configuration via Environment Variable

export MAVERICS_SECRET_PROVIDER="azurekeyvault://my-vault.vault.azure.net"

Configuration via CLI Flag

maverics -config maverics.yaml -secretProvider "azurekeyvault://my-vault.vault.azure.net"

Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax:
connectors:
  - name: my-idp
    oauthClientSecret: <maverics.client_secret>

Configuration Reference

URL Structure

azurekeyvault://{vault-name}.vault.azure.net

URL Parameters

Parameter        Required   Description
Vault hostname   Yes        The full hostname of the Azure Key Vault (e.g., my-vault.vault.azure.net)
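The provider URL and the angle-bracket references above are both things that can be checked before the Orchestrator ever contacts Azure. The following preflight script is an added example (it is not Maverics code) that validates the shape of an azurekeyvault:// URL and lists the secret references found in an Orchestrator YAML file. The regular expression for reference names is an assumption: the documentation shows the form <maverics.client_secret> but does not publish a formal grammar, and the sample YAML is constructed for the example.

```python
"""Preflight checks for a Maverics Azure Key Vault secret provider setup.

Added example, not part of the Maverics product or documentation. It checks
the shape of the azurekeyvault:// provider URL and lists the <...> secret
references in an Orchestrator YAML file, so a bad vault hostname or a typo
in a reference is caught before the Orchestrator starts.
"""
import re
from urllib.parse import urlsplit

VAULT_SUFFIX = ".vault.azure.net"
# Assumed shape of a reference: <provider.name>; the docs give no formal grammar.
REF_PATTERN = re.compile(r"<([A-Za-z0-9_.\-]+)>")


def parse_provider_url(url: str) -> str:
    """Validate an azurekeyvault:// URL and return the vault hostname.

    Raises ValueError with a specific message for each way the URL can be
    malformed, mirroring the failure modes listed under Troubleshooting.
    """
    parts = urlsplit(url)
    if parts.scheme != "azurekeyvault":
        raise ValueError(f"unexpected scheme {parts.scheme!r}; expected 'azurekeyvault'")
    host = parts.hostname or ""
    if not host.endswith(VAULT_SUFFIX) or host == VAULT_SUFFIX:
        raise ValueError(f"vault hostname {host!r} must end with {VAULT_SUFFIX}")
    if parts.netloc.lower() != host:
        raise ValueError("provider URL must not carry credentials or a port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("provider URL must contain only the vault hostname")
    return host


def find_secret_references(yaml_text: str) -> list:
    """Return the distinct <...> references in the YAML, in order of appearance.

    This is a plain text scan (it also sees references inside comments), so it
    needs no YAML parser and cannot be confused by unusual YAML layouts.
    """
    seen = []
    for name in REF_PATTERN.findall(yaml_text):
        if name not in seen:
            seen.append(name)
    return seen


def preflight(provider_url: str, yaml_text: str) -> dict:
    """Run both checks and summarise the result without contacting Azure."""
    report = {"vault": None, "references": [], "errors": []}
    try:
        report["vault"] = parse_provider_url(provider_url)
    except ValueError as exc:
        report["errors"].append(str(exc))
    report["references"] = find_secret_references(yaml_text)
    if not report["references"]:
        report["errors"].append("no <...> secret references found in YAML")
    return report


# Constructed sample inputs for the example; not from a real deployment.
SAMPLE_URL = "azurekeyvault://my-vault.vault.azure.net"
SAMPLE_YAML = """\
connectors:
  - name: my-idp
    oauthClientSecret: <maverics.client_secret>
  - name: partner-idp
    oauthClientSecret: <maverics.api_token>
"""

if __name__ == "__main__":
    print(preflight(SAMPLE_URL, SAMPLE_YAML))
    # Hostname missing the required .vault.azure.net suffix is reported, not fatal.
    print(preflight("azurekeyvault://my-vault.azure.net", SAMPLE_YAML))
```

The checks are deliberately offline: they only confirm that the URL is well formed and that the YAML actually contains references, which removes two of the three troubleshooting cases before any Azure permissions come into play. Whether each listed name exists in the vault still has to be confirmed against Key Vault itself.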

Azure Credential Resolution

The provider uses the default Azure SDK credential chain to authenticate. Credentials are resolved in the following order:
  1. Environment variables — AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_CLIENT_SECRET (service principal)
  2. Managed identity — system-assigned or user-assigned managed identity (recommended for Azure VMs and AKS)
  3. Azure CLI — credentials from an active az login session (useful for local development)
For production deployments, use managed identities instead of service principal credentials. Managed identities automatically rotate credentials and do not require client secrets to be stored on the host.
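To make the ordering above concrete, here is an added example (not Maverics or Azure SDK code) that models the three-step chain as a pure function over the host's environment. It reports which source the Orchestrator would end up using and flags a production host that still carries a service-principal secret. The `managed_identity_available` and `az_cli_logged_in` inputs are assumptions standing in for the probes the real SDK performs; the treatment of a partial set of AZURE_* variables as "skipped" is also an assumption consistent with the documented chain, which lists all three variables as a unit.

```python
"""Predict which Azure credential source the default SDK chain will select.

Added example, not part of Maverics or the Azure SDK. It encodes the documented
order: service-principal environment variables, then managed identity, then the
Azure CLI session. The SDK itself is never called.
"""
import os
from dataclasses import dataclass, field

SP_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_CLIENT_SECRET")


@dataclass
class CredentialDecision:
    # One of "service_principal", "managed_identity", "azure_cli" or "none".
    source: str
    warnings: list = field(default_factory=list)


def resolve_credential_source(env: dict, *, managed_identity_available: bool,
                              az_cli_logged_in: bool, production: bool) -> CredentialDecision:
    """Walk the chain in documented order and return the first usable source.

    `managed_identity_available` and `az_cli_logged_in` are assumed inputs
    standing in for the SDK's own probes of the host.
    """
    present = [v for v in SP_VARS if env.get(v)]
    warnings = []

    # Step 1: service principal via environment variables (all three required).
    if len(present) == len(SP_VARS):
        if production:
            warnings.append("service principal secret present on a production host; "
                            "prefer managed identity and unset " + ", ".join(SP_VARS))
        return CredentialDecision("service_principal", warnings)
    if present:
        # Assumption: an incomplete set is skipped and the chain falls through.
        missing = [v for v in SP_VARS if v not in present]
        warnings.append("incomplete service principal variables ignored; missing "
                        + ", ".join(missing))

    # Step 2: system- or user-assigned managed identity.
    if managed_identity_available:
        return CredentialDecision("managed_identity", warnings)

    # Step 3: an active az login session, meant for local development.
    if az_cli_logged_in:
        if production:
            warnings.append("falling back to Azure CLI credentials on a production host; "
                            "intended for local development only")
        return CredentialDecision("azure_cli", warnings)

    warnings.append("no credential source available; Key Vault requests will be unauthorized")
    return CredentialDecision("none", warnings)


def from_process_env(**probes) -> CredentialDecision:
    """Convenience wrapper that reads the real process environment."""
    return resolve_credential_source(dict(os.environ), **probes)


if __name__ == "__main__":
    # Constructed scenarios for the example.
    print(resolve_credential_source({}, managed_identity_available=True,
                                    az_cli_logged_in=False, production=True))
    print(resolve_credential_source({"AZURE_CLIENT_ID": "id", "AZURE_TENANT_ID": "tenant",
                                     "AZURE_CLIENT_SECRET": "secret"},
                                    managed_identity_available=True,
                                    az_cli_logged_in=False, production=True))
```

The second scenario is the one worth watching for in practice: a complete set of AZURE_* variables wins over a perfectly good managed identity, so a leftover service-principal secret on a VM or pod silently downgrades the deployment from rotating, host-bound credentials to a static secret on disk.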

Troubleshooting

“Unauthorized” or “403 Forbidden” when starting the Orchestrator
Verify that the managed identity or service principal has the Get permission for secrets in the Key Vault access policy (or the Key Vault Secrets User RBAC role if using Azure RBAC).

“VaultNotFound” error
Confirm the vault hostname is correct and that the Key Vault exists in the expected Azure subscription. The hostname must include .vault.azure.net.

Secrets not resolving in YAML configuration
Ensure the angle bracket syntax matches the secret names in the Key Vault. Secret names in Azure Key Vault are case-insensitive but must match exactly in the Orchestrator configuration.