Azure Key Vault
Detailed information on the Azure Key Vault cryptography component
Component format
A Dapr crypto.yaml component file has the following structure:
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: azurekeyvault
spec:
type: crypto.azure.keyvault
metadata:
- name: vaultName
value: mykeyvault
# See authentication section below for all options
- name: azureTenantId
value: ${{AzureKeyVaultTenantId}}
- name: azureClientId
value: ${{AzureKeyVaultServicePrincipalClientId}}
- name: azureClientSecret
value: ${{AzureKeyVaultServicePrincipalClientSecret}}
Warning
The above example uses secrets as plain strings. It is recommended to use a secret store for the secrets, as described here.Authenticating with Microsoft Entra ID
The Azure Key Vault cryptography component supports authentication with Microsoft Entra ID only. Before you enable this component:
- Read the Authenticating to Azure document.
- Create an Microsoft Entra ID application (also called a Service Principal).
- Alternatively, create a managed identity for your application platform.
Spec metadata fields
| Field | Required | Details | Example |
|---|---|---|---|
vaultName |
Y | Azure Key Vault name | "mykeyvault" |
| Auth metadata | Y | See Authenticating to Azure for more information |
Related links
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
Last modified September 2, 2025: Add kapa.ai script (#4853) (d248b76)