The Azure Key Vault secret provider connects the Orchestrator to Azure Key Vault for cloud-native secrets and certificate management. This provider authenticates using Microsoft Entra ID service principal credentials, making it suitable for Orchestrator deployments in any environment with Microsoft Entra ID access.
Console terminology: In the Maverics Console, Orchestrator instances and configuration delivery are managed through Deployments. When working directly with YAML, configuration is managed as files delivered via the -config flag or MAVERICS_CONFIG environment variable.

Overview

When configured with the Azure Key Vault provider, the Orchestrator authenticates to Azure using OAuth 2.0 Client Credentials with a service principal and pre-populates all enabled secrets from the specified Key Vault instance at startup. Azure Key Vault stores secrets, certificates, and cryptographic keys — all accessible through the same provider configuration.

Use Cases

  • Azure-native secret and certificate storage — store and manage Orchestrator secrets and TLS certificates in Key Vault with native Azure integration
  • Centralized secret management — manage all Orchestrator secrets in a single Key Vault with access policies and audit logging
  • Key rotation — leverage Azure Key Vault’s versioning to rotate secrets and pick up new versions on Orchestrator restart

Configuration

Secret providers are not configured in YAML. They are set via the MAVERICS_SECRET_PROVIDER environment variable or the -secretProvider CLI flag.

Configuration via Environment Variable

export MAVERICS_SECRET_PROVIDER="azurekeyvault://my-vault.vault.azure.net?clientID=<client-id>&clientSecret=<client-secret>&tenantID=<tenant-id>"

Configuration via CLI Flag

maverics -config maverics.yaml -secretProvider "azurekeyvault://my-vault.vault.azure.net?clientID=<client-id>&clientSecret=<client-secret>&tenantID=<tenant-id>"

Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax. The key in the angle brackets maps to the secret name in the Key Vault:

connectors:
  - name: my-idp
    oauthClientSecret: <my-client-secret>

At startup, the provider pre-populates all enabled secrets from the Key Vault. Secret names in the angle brackets must match the secret names stored in Azure Key Vault.
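To make the reference-resolution step concrete, here is an added example (not the Orchestrator's own code) of how angle-bracket references in a configuration are substituted from a pre-populated secret store. The regular expression for a reference and the behaviour on a missing name are assumptions for this example; the page only states that the name in brackets must match the Key Vault secret name and that disabled secrets are not available. The example reports unresolved references rather than leaving them in place silently, which is the failure the troubleshooting section describes as "secrets not resolving".

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// secretRef matches an angle-bracket reference such as <my-client-secret>.
// Key Vault secret names are alphanumeric plus dashes; the exact matching
// rule the Orchestrator applies is not on the page, so this is an assumption.
var secretRef = regexp.MustCompile(`<([A-Za-z0-9-]+)>`)

// ResolveSecrets replaces every <name> in config with the matching value from
// secrets (the store pre-populated at startup). Names absent from the store,
// for example because the secret is disabled in Key Vault or the name has a
// typo, are collected and returned as an error instead of being left as the
// literal "<name>" text, which would otherwise be passed to a connector as-is.
func ResolveSecrets(config string, secrets map[string]string) (string, []string, error) {
	var missing []string
	seen := map[string]bool{}
	resolved := secretRef.ReplaceAllStringFunc(config, func(ref string) string {
		name := ref[1 : len(ref)-1] // strip the surrounding < >
		val, ok := secrets[name]
		if !ok {
			if !seen[name] {
				missing = append(missing, name)
				seen[name] = true
			}
			return ref // leave the reference visible so the error points at it
		}
		return val
	})
	if len(missing) > 0 {
		return resolved, missing, fmt.Errorf("unresolved secret references: %s", strings.Join(missing, ", "))
	}
	return resolved, nil, nil
}

func main() {
	// Constructed sample data: one secret in the store, one reference that is not.
	store := map[string]string{"my-client-secret": "s3cr3t-value"}
	cfg := "connectors:\n  - name: my-idp\n    oauthClientSecret: <my-client-secret>\n    apiKey: <not-in-vault>\n"

	out, missing, err := ResolveSecrets(cfg, store)
	fmt.Print(out)
	fmt.Println("missing:", missing)
	fmt.Println("error:", err)
}
```

Running the block prints the configuration with `<my-client-secret>` replaced and reports `not-in-vault` as unresolved; that is the check to run mentally when a connector fails to authenticate after a Key Vault change.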

Configuration Reference

URL Structure

azurekeyvault://{vault-name}.vault.azure.net?clientID={id}&clientSecret={secret}&tenantID={tenant}

URL Parameters

| Parameter | Required | Description |
| --- | --- | --- |
| Vault hostname | Yes | The full hostname of the Azure Key Vault (e.g., my-vault.vault.azure.net) |
| clientID | Yes | Microsoft Entra ID application (service principal) client ID |
| clientSecret | Yes | Microsoft Entra ID application client secret |
| tenantID | Yes | Microsoft Entra ID tenant ID |
| entraIDHost | No | Microsoft Entra ID authentication host. Defaults to login.microsoftonline.com. |

Authentication

The provider authenticates to Azure using the OAuth 2.0 Client Credentials flow with the service principal credentials provided in the URL query parameters. It requests a token from the Entra ID token endpoint (https://{entraIDHost}/{tenantID}/oauth2/v2.0/token) scoped to the Key Vault.
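The following added example (not the Orchestrator's or Strata's code) ties the URL structure, the parameter table and the authentication description together: it parses an `azurekeyvault://` provider URL, applies the documented `entraIDHost` default, rejects the two configuration mistakes the troubleshooting section lists (a missing required parameter and a vault hostname outside `.vault.azure.net`), and builds, without sending, the client-credentials token request to `https://{entraIDHost}/{tenantID}/oauth2/v2.0/token`. The scope `https://vault.azure.net/.default` and the Key Vault data-plane path with `api-version=7.4` are standard Azure values chosen for the example; the page does not state which scope or API version the Orchestrator uses.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ProviderConfig holds the fields parsed from an azurekeyvault:// URL.
type ProviderConfig struct {
	VaultHost    string
	ClientID     string
	ClientSecret string
	TenantID     string
	EntraIDHost  string
}

// ParseProviderURL parses a MAVERICS_SECRET_PROVIDER value and validates it.
// Validation rules mirror the troubleshooting section: every required
// parameter must be present and the host must be a .vault.azure.net name.
func ParseProviderURL(raw string) (*ProviderConfig, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "azurekeyvault" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if !strings.HasSuffix(u.Host, ".vault.azure.net") {
		return nil, fmt.Errorf("vault hostname %q must end in .vault.azure.net", u.Host)
	}
	q := u.Query()
	cfg := &ProviderConfig{
		VaultHost:    u.Host,
		ClientID:     q.Get("clientID"),
		ClientSecret: q.Get("clientSecret"),
		TenantID:     q.Get("tenantID"),
		EntraIDHost:  q.Get("entraIDHost"),
	}
	if cfg.EntraIDHost == "" {
		cfg.EntraIDHost = "login.microsoftonline.com" // documented default
	}
	required := []struct{ name, val string }{
		{"clientID", cfg.ClientID},
		{"clientSecret", cfg.ClientSecret},
		{"tenantID", cfg.TenantID},
	}
	var missing []string
	for _, p := range required {
		if p.val == "" {
			missing = append(missing, p.name)
		}
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("missing required parameter(s): %s", strings.Join(missing, ", "))
	}
	return cfg, nil
}

// TokenEndpoint is the Entra ID v2.0 token endpoint the page describes.
func (c *ProviderConfig) TokenEndpoint() string {
	return fmt.Sprintf("https://%s/%s/oauth2/v2.0/token", c.EntraIDHost, c.TenantID)
}

// TokenRequest builds the OAuth 2.0 Client Credentials request. It is only
// constructed here, not sent, so the example runs offline. The scope is the
// standard Key Vault resource scope for the v2.0 endpoint (an assumption).
func (c *ProviderConfig) TokenRequest() (*http.Request, error) {
	form := url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {c.ClientID},
		"client_secret": {c.ClientSecret},
		"scope":         {"https://vault.azure.net/.default"},
	}
	req, err := http.NewRequest(http.MethodPost, c.TokenEndpoint(), strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// SecretURL is the Key Vault data-plane path a secret is read from with the
// bearer token; the API version is chosen for the example.
func (c *ProviderConfig) SecretURL(name string) string {
	return fmt.Sprintf("https://%s/secrets/%s?api-version=7.4", c.VaultHost, url.PathEscape(name))
}

func main() {
	// Constructed sample URL with placeholder credentials.
	cfg, err := ParseProviderURL("azurekeyvault://my-vault.vault.azure.net?clientID=app-id&clientSecret=app-secret&tenantID=tenant-123")
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	fmt.Println("token endpoint:", cfg.TokenEndpoint())
	fmt.Println("secret URL:   ", cfg.SecretURL("my-client-secret"))
}
```

Because the client secret travels in the provider URL, the same value is visible in the process environment or command line; treat MAVERICS_SECRET_PROVIDER with the same care as the Key Vault contents it unlocks.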

Troubleshooting

“Unauthorized” or “403 Forbidden” when starting the Orchestrator

Verify that the clientID, clientSecret, and tenantID query parameters are correct. Ensure the service principal has the Get and List permissions for secrets in the Key Vault access policy (or the Key Vault Secrets User RBAC role if using Azure RBAC).

OAuth token errors

Check that the tenantID is correct and that the service principal has not expired. If using a custom entraIDHost, verify it is reachable from the Orchestrator host.

“VaultNotFound” error

Confirm the vault hostname is correct and that the Key Vault exists in the expected Azure subscription. The hostname must include .vault.azure.net.

Secrets not resolving in YAML configuration

Ensure the angle bracket syntax matches the secret names in the Key Vault. The provider pre-populates all enabled secrets at startup — only enabled secrets are available.