Azure Key Vault

Detailed information on the Azure Key Vault cryptography component

Component format

A Dapr crypto.yaml component file has the following structure:

    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: azurekeyvault
    spec:
      type: crypto.azure.keyvault
      metadata:
      - name: vaultName
        value: mykeyvault
      # See authentication section below for all options
      - name: azureTenantId
        value: ${{AzureKeyVaultTenantId}}
      - name: azureClientId
        value: ${{AzureKeyVaultServicePrincipalClientId}}
      - name: azureClientSecret
        value: ${{AzureKeyVaultServicePrincipalClientSecret}}

Warning

The above example uses secrets as plain strings. It is recommended to use a secret store for the secrets, as described here.
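
As an added example (not part of the original Dapr page), the same component can resolve its service principal credentials from a secret store through secretKeyRef instead of carrying them inline. The secret store name kubernetes, the secret name azurekeyvault-sp and its key names are assumptions made for illustration.

```yaml
# Added example, not from the original page.
# Assumed names: secret store "kubernetes", secret "azurekeyvault-sp",
# keys "tenantId", "clientId", "clientSecret".
# Constructed setup command for the assumed Kubernetes secret:
#   kubectl create secret generic azurekeyvault-sp \
#     --from-literal=tenantId=<tenant-id> \
#     --from-literal=clientId=<client-id> \
#     --from-literal=clientSecret=<client-secret>
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: crypto.azure.keyvault
  metadata:
  - name: vaultName
    value: mykeyvault
  # Each credential is looked up in the secret store at load time,
  # so no credential value appears in this manifest.
  - name: azureTenantId
    secretKeyRef:
      name: azurekeyvault-sp
      key: tenantId
  - name: azureClientId
    secretKeyRef:
      name: azurekeyvault-sp
      key: clientId
  - name: azureClientSecret
    secretKeyRef:
      name: azurekeyvault-sp
      key: clientSecret
# Secret store that the secretKeyRef entries above are resolved against.
auth:
  secretStore: kubernetes
```

With this form the component manifest can be committed to source control without containing the service principal secret.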

Authenticating with Microsoft Entra ID

The Azure Key Vault cryptography component supports authentication with Microsoft Entra ID only. Before you enable this component:

  1. Read the Authenticating to Azure document.
  2. Create a Microsoft Entra ID application (also called a Service Principal).
  3. Alternatively, create a managed identity for your application platform.

Spec metadata fields

| Field | Required | Details | Example |
|-------|----------|---------|---------|
| vaultName | Y | Azure Key Vault name | "mykeyvault" |
| Auth metadata | Y | See Authenticating to Azure for more information | |

Last modified October 11, 2024: Fixed typo (#4389) (fe17926)