HashiCorp Cloud Platform
Integrate with Azure Key Vault
HCP Vault Secrets allows users to automatically synchronize application secrets to Azure Key Vault. This guide walks you through the configuration process.
Prerequisites:
- Existing Azure tenant, subscription, and Key Vault instance
- Ability to create app registrations and add role assignments
- An HCP Vault Secrets application and secret(s)
Create app registration and client secret
The HCP Vault Secrets integration with Azure requires an app registration in Azure EntraID and an existing Azure Key Vault instance.
Refer to the EntraID documentation for more information.
Navigate to the Register an application page in the Azure Portal.
Provide a Name and select the Supported account types for the application.
Click Register.
Navigate to the EntraID overview page and click App registrations.
Click the app you previously created.
Make note of the Application (client) ID and Directory (tenant) ID. You will need these to configure the HCP Vault Secrets integration.
Click Certificates & secrets.
Click New client secret.
Enter a description and select the desired expiration period.
Click Add.
Make note of the client secret Value. You will need this to configure the HCP Vault Secrets integration.
Navigate to the desired Key Vault.
Click Access policies and click Create.
Under Secret permissions select Set, Delete, and Recover.
Under Privileged Secret Operations select Purge.
Click Next.
Search for and select the EntraID app previously created.
Click Next.
Click Next again, then click Create.
Note
In addition to access policies, Azure Key Vault also supports permissions using roles. If you prefer using roles, click Access control (IAM) and add an assignment with the Key Vault Administrator job function role.
Return to the key vault overview page and make note of the Vault URI. You will need this to configure the HCP Vault Secrets integration.
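The Azure-side steps above (app registration, client secret, access policy or role assignment, and collecting the Vault URI, tenant ID and client ID) as an Azure CLI script. This is an added example, not HashiCorp's or Microsoft's code. It assumes the `az` CLI is installed and signed in to the subscription that holds the Key Vault; `KEY_VAULT_NAME` and `APP_DISPLAY_NAME` are placeholders you replace, and the script only runs its steps when `RUN_AZURE_SETUP=1` is set.

```shell
#!/usr/bin/env sh
# Added example: the portal steps from this page as Azure CLI calls.
# Assumes `az` is installed and logged in; names below are placeholders.
set -eu

KEY_VAULT_NAME="${KEY_VAULT_NAME:-my-hcp-sync-kv}"              # placeholder
APP_DISPLAY_NAME="${APP_DISPLAY_NAME:-hcp-vault-secrets-sync}"  # placeholder

# Step 1: app registration plus its service principal.
# Prints the Application (client) ID that the integration form asks for.
create_app_registration() {
  app_id="$(az ad app create --display-name "$1" --query appId -o tsv)"
  # The service principal is what the access policy / role assignment binds to.
  az ad sp create --id "$app_id" >/dev/null
  printf '%s\n' "$app_id"
}

# Step 2: a client secret with a bounded lifetime (one year here).
# Azure shows the value exactly once; capture it for the HCP integration form.
create_client_secret() {
  az ad app credential reset --id "$1" --append --years 1 --query password -o tsv
}

# Step 3a: access policy with exactly the permissions the page lists:
# Set, Delete, Recover (Secret permissions) and Purge (Privileged Secret
# Operations). Nothing else (no get/list) is granted to the principal.
grant_keyvault_policy() {
  az keyvault set-policy --name "$2" --spn "$1" \
    --secret-permissions set delete recover purge >/dev/null
}

# Step 3b: the RBAC alternative from the Note, binding the Key Vault
# Administrator role the page names, scoped to this one vault only.
grant_keyvault_role() {
  scope="$(az keyvault show --name "$2" --query id -o tsv)"
  az role assignment create --assignee "$1" \
    --role "Key Vault Administrator" --scope "$scope" >/dev/null
}

# Step 4: the remaining values the HCP Vault Secrets form asks for.
get_vault_uri() {
  az keyvault show --name "$1" --query properties.vaultUri -o tsv
}

get_tenant_id() {
  az account show --query tenantId -o tsv
}

main() {
  client_id="$(create_app_registration "$APP_DISPLAY_NAME")"
  client_secret="$(create_client_secret "$client_id")"
  grant_keyvault_policy "$client_id" "$KEY_VAULT_NAME"
  # The four form fields, printed once. The secret is sensitive: paste it
  # into the HCP integration form and do not leave it in shell history or logs.
  printf 'Key Vault URI: %s\n' "$(get_vault_uri "$KEY_VAULT_NAME")"
  printf 'Tenant ID:     %s\n' "$(get_tenant_id)"
  printf 'Client ID:     %s\n' "$client_id"
  printf 'Client Secret: %s\n' "$client_secret"
}

if [ "${RUN_AZURE_SETUP:-0}" = "1" ]; then
  main
fi
```

The access-policy route grants only the four secret permissions the page lists, which is the narrower of the two options; Key Vault Administrator also covers keys and certificates in the vault, so prefer `grant_keyvault_policy` unless your vault is RBAC-only. Run with `RUN_AZURE_SETUP=1 KEY_VAULT_NAME=<your vault> sh setup.sh`.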
Configure Azure Key Vault integration
Navigate to the HCP Vault Secrets app you would like to integrate with your Azure Key Vault.
Select Integrations from the sidebar and click Azure Key Vault.
If this is your first time configuring an Azure integration, you will be presented with the following fields:
Name: The unique identifier and display name for this integration. This value cannot be changed.
Key Vault URI: A URI of an existing Azure Key Vault instance where you want secrets to be synced.
Tenant ID: The Directory (tenant) ID of the Azure tenant where the target Azure Key Vault is deployed.
Client ID: Azure app registration's unique Application (client) ID.
Client Secret: The secret created for the app registration in Azure EntraID.
Note
If you are not familiar with how to register an app in Microsoft Azure, refer to the instructions at the bottom of this page.
Populate all fields and click Save and sync secrets.
The synchronization of existing app secrets into your Azure Key Vault will begin. All future modifications to the app's secrets, such as adding, updating, or deleting a secret, are automatically replicated to the target Azure Key Vault instance.