> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Azure Key Vault

The Azure Key Vault secret provider connects the Orchestrator to Azure Key Vault for cloud-native secrets and certificate management. This provider authenticates using Microsoft Entra ID service principal credentials, making it suitable for Orchestrator deployments in any environment with Microsoft Entra ID access.

<Note>
  **Console terminology:** In the Maverics Console, Orchestrator instances and
  configuration delivery are managed through **Deployments**. When working directly
  with YAML, configuration is managed as files delivered via the `-config` flag or
  `MAVERICS_CONFIG` environment variable.
</Note>

## Overview

When configured with the Azure Key Vault provider, the Orchestrator authenticates to Azure using OAuth 2.0 Client Credentials with a service principal and pre-populates all enabled secrets from the specified Key Vault instance at startup. Azure Key Vault stores secrets, certificates, and cryptographic keys -- all accessible through the same provider configuration.

## Use Cases

* **Azure-native secret and certificate storage** -- store and manage Orchestrator secrets and TLS certificates in Key Vault with native Azure integration
* **Centralized secret management** -- manage all Orchestrator secrets in a single Key Vault with access policies and audit logging
* **Key rotation** -- leverage Azure Key Vault's versioning to rotate secrets and pick up new versions on Orchestrator restart

## Configuration

Secret providers are not configured in YAML. They are set via the `MAVERICS_SECRET_PROVIDER` environment variable or the `-secretProvider` CLI flag.

### Configuration via Environment Variable

```bash theme={null}
export MAVERICS_SECRET_PROVIDER="azurekeyvault://my-vault.vault.azure.net?clientID=<client-id>&clientSecret=<client-secret>&tenantID=<tenant-id>"
```

### Configuration via CLI Flag

```bash theme={null}
maverics -config maverics.yaml -secretProvider "azurekeyvault://my-vault.vault.azure.net?clientID=<client-id>&clientSecret=<client-secret>&tenantID=<tenant-id>"
```

### Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax. The key in the angle brackets maps to the secret name in the Key Vault:

```yaml theme={null}
connectors:
  - name: my-idp
    oauthClientSecret: <my-client-secret>
```

At startup, the provider pre-populates all enabled secrets from the Key Vault. Secret names in the angle brackets must match the secret names stored in Azure Key Vault.

## Configuration Reference

### URL Structure

```
azurekeyvault://{vault-name}.vault.azure.net?clientID={id}&clientSecret={secret}&tenantID={tenant}
```

### URL Parameters

| Parameter      | Required | Description                                                                      |
| -------------- | -------- | -------------------------------------------------------------------------------- |
| Vault hostname | Yes      | The full hostname of the Azure Key Vault (e.g., `my-vault.vault.azure.net`)      |
| `clientID`     | Yes      | Microsoft Entra ID application (service principal) client ID                     |
| `clientSecret` | Yes      | Microsoft Entra ID application client secret                                     |
| `tenantID`     | Yes      | Microsoft Entra ID tenant ID                                                     |
| `entraIDHost`  | No       | Microsoft Entra ID authentication host. Defaults to `login.microsoftonline.com`. |

### Authentication

The provider authenticates to Azure using the OAuth 2.0 Client Credentials flow with the service principal credentials provided in the URL query parameters. It requests a token from the Entra ID token endpoint (`https://{entraIDHost}/{tenantID}/oauth2/v2.0/token`) scoped to the Key Vault.

## Troubleshooting

**"Unauthorized" or "403 Forbidden" when starting the Orchestrator**
Verify that the `clientID`, `clientSecret`, and `tenantID` query parameters are correct. Ensure the service principal has the `Get` and `List` permissions for secrets in the Key Vault access policy (or the `Key Vault Secrets User` RBAC role if using Azure RBAC).

**OAuth token errors**
Check that the `tenantID` is correct and that the service principal has not expired. If using a custom `entraIDHost`, verify it is reachable from the Orchestrator host.

**"VaultNotFound" error**
Confirm the vault hostname is correct and that the Key Vault exists in the expected Azure subscription. The hostname must include `.vault.azure.net`.

**Secrets not resolving in YAML configuration**
Ensure the angle bracket syntax matches the secret names in the Key Vault. The provider pre-populates all enabled secrets at startup -- only enabled secrets are available.

## Related Pages

<CardGroup cols={2}>
  <Card title="Secret Providers" icon="vault" href="/reference/orchestrator/configuration/secret-providers">
    Overview of all secret providers
  </Card>

  <Card title="AWS Secrets Manager" icon="cloud" href="/reference/orchestrator/configuration/secret-providers/aws-secrets-manager">
    Cloud-native secrets for AWS deployments
  </Card>
</CardGroup>
