Integrate with Azure Key Vault

HCP Vault Secrets allows users to automatically synchronize application secrets to Azure Key Vault. This guide walks you through the configuration process.

Prerequisites:

Existing Azure tenant, subscription, and Key Vault instance
Ability to create app registrations and add role assignments
An HCP Vault Secrets application and secret(s)

Create app registration and client secret

The HCP Vault Secrets integration with Azure requires an app registration in Azure EntraID and an existing Azure Key Vault instance.

Refer to the EntraID documentation for more information.

Navigate to the Register an application in the Azure Portal.
Provide a Name and select the Supported account types for the application.
Click Register.
Navigate to the EntraID overview page and click App registrations.
Click the app you previously created.
Make note of the Application (client) ID and Directory (tenant) ID. You will need these to configure the HCP Vault Secrets integration.
Click Certificates & secrets.
Click New client secret.
Enter a description and select the desired expriation period.
Click Add.
Make note of the client secret Value. You will need this to configure the HCP Vault Secrets integration.
Navigate to the desired Key Vault.
Click Access policies and click Create.
Under Secret permissions select Set, Delete, and Recover.
Under Privileged Secret Operations select Purge.
Click Next.
Search for and select the EntraID app previously created.
Click Next.
Click Next again, then click Create.
Note
In addition to access policies, Azure Key Vault also supports permission using roles. If you prefer using roles, click Access control (IAM) and add an assignment with the Key Vault Administrator job function role.
Return to the key vault overview page and make note of the Vault URI. You will need this to configure the HCP Vault Secrets integration.

You can use the Terraform Azure provider to provision an app registration and client secret with the required policy.

Follow the Terraform documentation to authenticate the Azure provider.

Create a Terraform configuration to create the Azure EntraID app registration, and client secret.

provider "azuread" {
  # See https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
}
provider "azurerm" {
  # See https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs for options on how to configure this provider.
  features {}
}
variable "key_vault_name" {
  description = "The name of the Key Vault to use."
}
variable "key_vault_location" {
  description = "The Azure region where the Key Vault is hosted."
}
variable "key_vault_resource_group_name" {
  description = "The name of the resource group where the Key Vault instance is part of."
}
data "azurerm_client_config" "current" {}
resource "azuread_application" "hcp_vault_secrets_integration" {
  display_name = "hcp-vault-secrets-sync"
}
resource "azuread_service_principal" "hcp_vault_secrets_integration" {
  client_id = azuread_application.hcp_vault_secrets_integration.client_id
}
resource "azuread_application_password" "hcp_vault_secrets_integration" {
  application_id = azuread_application.hcp_vault_secrets_integration.id
  end_date       = "2099-01-01T01:01:01Z" # Far-future expiration date, follow your organization's recommended policy
}
data "azurerm_resource_group" "hcp_vault_secrets_integration" {
  name     = var.key_vault_resource_group_name
}
data "azurerm_key_vault" "hcp_vault_secrets_integration" {
  name                = var.key_vault_name
  resource_group_name = data.azurerm_resource_group.hcp_vault_secrets_integration.name
}
resource "azurerm_key_vault_access_policy" "hcp_vault_secrets_integration" {
  key_vault_id = data.azurerm_key_vault.hcp_vault_secrets_integration.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azuread_service_principal.hcp_vault_secrets_integration.object_id
  secret_permissions = [
    "Delete",
    "Set",
    "Purge",
  ]
}
output "key_vault_uri" {
  value = data.azurerm_key_vault.hcp_vault_secrets_integration.vault_uri
}
output "tenant_id" {
  value = data.azurerm_client_config.current.tenant_id
}
output "client_id" {
  value = azuread_application.hcp_vault_secrets_integration.client_id
}
output "client_secret" {
  value     = azuread_application_password.hcp_vault_secrets_integration.value
  sensitive = true # use terraform output -json to see the sensitive value if running locally
}

Initialize Terraform.

$ terraform init

...snip...

Terraform has been successfully initialized!

Run terraform apply to generate the client secret.
```
$ terraform apply
```

Copy the credentials from the Terraform output.

Apply complete! Resources: 6 added, 0 changed, 0 destroyed.

 Outputs:

 client_id = "db1f4605-c1af-4661-adfa-9fdc9b11111c"
 client_secret = <sensitive>
 key_vault_uri = "https://hcp-vault-secrets-sync.vault.azure.net/"
 tenant_id = "0f6774c2-86e4-4c9f-82ad-77c1123nh758"

Configure Azure Key Vault integration

Navigate to the HCP Vault Secrets app you would like to integrate with your Azure Key Vault.
Select Integrations from the sidebar and click Azure Key Vault.
If this is your first time configuring an Azure integration, you will be presented with the following fields:
- Name: The unique identifier and display name for this integration. This value cannot be changed.
- Key Vault URI: A URI of an existing Azure Key Vault instance where you want secrets to be synced.
- Tenant ID: The Directory (tenant) ID of the Azure tenant where the target Azure Key Vault is deployed.
- Client ID: Azure app registration's unique Application (client) ID.
- Client Secret: The secret created for the app registration in Azure EntraID.
  Note
  If you are not familiar with how to register an app in Microsoft Azure, refer to the instructions at the bottom of this page.
Populate all fields and click Save and sync secrets.
The synchronization of existing app secrets into your Azure Key Vault will begin. All future modifications to the app's secrets such as adding, updating, or deleting a secret are automatically replicated to the target Azure Key Vault instance.