Learn how to configure a Azure Key Vault Connection for Infisical.
Infisical supports three methods for connecting to Azure Key Vault: OAuth, Client Secret, and Certificate (SPN with certificate).
Self-Hosted Instance
Using the Azure Key Vault connection on a self-hosted instance of Infisical requires configuring an application in Azure
and registering your instance with it.Prerequisites:
Set up Azure and have an existing Key Vault instance.
1
Create an application in Azure
Navigate to Azure Active Directory > App registrations to create a new application.
Azure Active Directory is now Microsoft Entra ID.
Create the application. As part of the form, set the Redirect URI to https://your-domain.com/organization/app-connections/azure/oauth/callback.
The domain you defined in the Redirect URI should be equivalent to the SITE_URL configured in your Infisical instance.
2
Assign API permissions to the application
For the Azure Connection to work with Key Vault, you need to assign multiple permissions to the application.
Set the API permissions of the Azure application to include user.impersonation for the Key Vault API.
3
Add your application credentials to Infisical
Obtain the Application (Client) ID in Overview and generate a Client Secret in Certificate & secrets for your Azure application.Back in your Infisical instance, add two new environment variables for the credentials of your Azure application.
INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_ID: The Application (Client) ID of your Azure application.
INF_APP_CONNECTION_AZURE_KEY_VAULT_CLIENT_SECRET: The Client Secret of your Azure application.
Once added, restart your Infisical instance and use the Azure Key Vault connection.
Client Secret Authentication
To use client secret authentication, ensure your Azure Service Principal has the required permissions and is connected to the Azure Key Vault instances you want to use.Prerequisites:
Set up Azure and have an existing Key Vault instance.
The service principal must be connected to your target Azure Key Vault instance(s)
1
Assign API permissions to the service principal
Configure the required API permissions for your App Registration to interact with Azure Key Vault:
Set the API permissions of your Azure service principal to include user_impersonation for the Key Vault API.
Certificate Authentication
To use certificate authentication, ensure your Azure Service Principal has access to the Azure Key Vault instances you want to use. You’ll need a certificate uploaded to the App Registration and the matching private key kept locally.Prerequisites:
Set up Azure and have an existing Key Vault instance.
The service principal must be granted access to your target Azure Key Vault instance(s) via Access Policies or RBAC (e.g. the Key Vault Secrets Officer role).
A certificate (PEM) uploaded to your App Registration and the matching PEM private key.
1
Upload your certificate to your Azure App Registration
In the Azure Portal, navigate to your App Registration and open the Certificates & secrets section. Choose the Certificates tab and press the Upload certificate button. Select and upload your public certificate (PEM/CER/CRT).You will need both the certificate body and the matching private key (in PEM format) to configure the connection in Infisical.
Navigate to the Integrations tab in the desired project, then select App Connections.
2
Add Connection
Select the Azure Connection option from the connection options modal.
3
Create Connection
OAuth
Client Secret
Certificate
1
Authorize Connection
You can optionally authenticate against a specific tenant by providing the Azure Tenant or Directory ID.Now select the OAuth method and click Connect to Azure.
2
Grant Access
You will then be redirected to Azure to grant Infisical access to your Azure account. Once granted,
you will redirect you back to Infisical’s App Connections page.
1
Create Connection
Fill in the Tenant ID, Client ID, Client Secret fields with the Directory (Tenant) ID, Application (Client) ID, Client Secret you obtained in the previous step.
You can optionally enable Automatic Credential Rotation for this connection. See the Automatic Credential Rotation section below for details.
1
Create Connection
Select the Certificate method and fill in the following fields:
Tenant ID — the Directory (Tenant) ID of your Azure App Registration.
Client ID — the Application (Client) ID of your Azure App Registration.
Certificate — the PEM-encoded public certificate that was uploaded to the App Registration.
Private Key — the PEM-encoded private key matching the certificate above.
The private key is never transmitted to Azure; it is only used locally by Infisical to sign the client assertion used to authenticate with Azure.
Automatic Credential Rotation is not available for the Certificate authentication method.
4
Connection Created
Your Azure Key Vault Connection is now available for use.
When using the Client Secret authentication method, Infisical can automatically rotate the Client Secret of your Azure application on a recurring schedule. When enabled, Infisical will immediately generate a new Client Secret on connection creation and revoke the original one, ensuring that no external party retains access using the credentials you provided.
Automatic Credential Rotation is only available for the Client Secret authentication method.
1
Locate the Key ID of your Client Secret
Before enabling rotation, you’ll need the Key ID of the Client Secret you are using to authenticate. Navigate to your App Registration in the Azure Portal, then go to Certificates & secrets. Copy the Secret ID (Key ID) of the secret you are providing to Infisical.
2
Enable Automatic Credential Rotation
When creating or editing your connection, toggle on the Automatic Credential Rotation switch.
3
Provide the Client Secret Key ID
Enter the Key ID you copied in the previous step into the Client Secret Key ID field. Infisical uses this to revoke your original secret after generating a new one.
4
Configure the Rotation Schedule
Set the Rotation Interval (in days) to define how often the credential should be rotated, and set Rotate At to the local time of day at which the rotation should occur.
Rotation Interval – How many days between each rotation.
Rotate At – The local time of day at which the rotation will be triggered.