Azure Key Vault

Detailed information on the Azure Key Vault cryptography component

Component format

A Dapr crypto.yaml component file has the following structure:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: crypto.azure.keyvault
  metadata:
  - name: vaultName
    value: mykeyvault
  # See authentication section below for all options
  - name: azureTenantId
    value: ${{AzureKeyVaultTenantId}}
  - name: azureClientId
    value: ${{AzureKeyVaultServicePrincipalClientId}}
  - name: azureClientSecret
    value: ${{AzureKeyVaultServicePrincipalClientSecret}}

Warning

The above example uses secrets as plain strings. It is recommended to use a secret store for the secrets, as described here.

Authenticating with Microsoft Entra ID

The Azure Key Vault cryptography component supports authentication with Microsoft Entra ID only. Before you enable this component:

Read the Authenticating to Azure document.
Create an Microsoft Entra ID application (also called a Service Principal).
Alternatively, create a managed identity for your application platform.

Spec metadata fields

Field	Required	Details	Example
`vaultName`	Y	Azure Key Vault name	`“mykeyvault”`
Auth metadata	Y	See Authenticating to Azure for more information

Azure Key Vault

Azure Key Vault

Component format

Warning

Authenticating with Microsoft Entra ID

Spec metadata fields

Related links