Skip to content

Key Vault

aws sm

Azure Key vault

External Secrets Operator integrates with Azure Key vault for secrets, certificates and Keys management.


At the moment, we only support service principals authentication.

Service Principal key authentication

A service Principal client and Secret is created and the JSON keyfile is stored in a Kind=Secret. The ClientID and ClientSecret should be configured for the secret. This service principal should have proper access rights to the keyvault to be managed by the operator

apiVersion: v1
kind: Secret
  name: azure-secret-sp
type: Opaque
  ClientID: bXktc2VydmljZS1wcmluY2lwbGUtY2xpZW50LWlkCg==  #service-principal-ID
  ClientSecret: bXktc2VydmljZS1wcmluY2lwbGUtY2xpZW50LXNlY3JldAo= #service-principal-secret

Update secret store

Be sure the azkv provider is listed in the Kind=SecretStore

kind: SecretStore
  name: example-secret-store
    # provider type: azure keyvault
      # azure tenant ID, see:
      tenantId: "d3bc2180-xxxx-xxxx-xxxx-154105743342"
      # URL of your vault instance, see:
      vaultUrl: ""
        # points to the secret that contains
        # the azure service principal credentials
          name: azure-secret-sp
          key: ClientID
          name: azure-secret-sp
          key: ClientSecret

Object Types

Azure KeyVault manages different object types, we support keys, secrets and certificates. Simply prefix the key with key, secret or cert to retrieve the desired type (defaults to secret).

Object Type Return Value
secret the raw secret value.
key A JWK which contains the public key. Azure KeyVault does not export the private key. You may want to use template functions to transform this JWK into PEM encoded PKIX ASN.1 DER format.
certificate The raw CER contents of the x509 certificate. You may want to use template functions to transform this into your desired encoding

Creating external secret

To create a kubernetes secret from the Azure Key vault secret a Kind=ExternalSecret is needed.

You can manage keys/secrets/certificates saved inside the keyvault , by setting a "/" prefixed type in the secret name , the default type is a secret. other supported values are cert and key

to select all secrets inside the key vault , you can use the dataFrom directive

kind: ExternalSecret
  name: example-external-secret
  refreshInterval: 1h
    kind: SecretStore
    name: example-secret-store

    name: secret-to-be-created
    creationPolicy: Owner

  # name of the SECRET in the Azure KV (no prefix is by default a SECRET)
  - secretKey: dev-secret-test
      key: dev-secret-test

  # explicit type and name of secret in the Azure KV
  - secretKey: dev-another-secret-test
      key: secret/dev-secret-test

  # type/name of certificate in the Azure KV
  # raw value will be returned, use templating features for data processing
  - secretKey: dev-cert-test
      key: cert/dev-cert-test

  # type/name of the public key in the Azure KV
  # the key is returned PEM encoded
  - secretKey: dev-key-test
      key: key/dev-key-test

  # dataFrom , return ALL secrets saved in the referenced secretStore
  # each secret name in the KV will be used as the secret key in the SECRET k8s target object
  - name: "*"

The operator will fetch the Azure Key vault secret and inject it as a Kind=Secret

kubectl get secret secret-to-be-created -n <namespace> | -o jsonpath='{}' | base64 -d