Azure Key Vault

Azure Key Vault is Microsoft's cloud service for securely storing secrets, keys, and certificates. The EnvManager Azure Key Vault integration allows you to automatically sync your environment variables from EnvManager directly to secrets in your Azure Key Vault.

When you connect Azure Key Vault to EnvManager, each variable is stored as an individual secret in your vault. No more manually creating secrets or copying values between tools.

What You Can Do

With the Azure Key Vault integration, you can:

  • Connect your Azure Key Vault with a secure app registration and client secret
  • Sync variables as secrets — each variable becomes its own secret in Key Vault
  • Use a name prefix to namespace your secrets and avoid conflicts with existing ones
  • Choose which environments to sync — control exactly which EnvManager environments push to Azure
  • Automatic syncing — secrets update in Azure whenever you change variables in EnvManager
  • Manual sync control — trigger syncs on demand when you need them
  • Track sync history — see when secrets were synced and if any errors occurred

Before You Begin

To connect Azure Key Vault, you need:

  • An EnvManager account with a project created
  • An Azure account with an active subscription
  • Admin or Owner role in your EnvManager organization (required to manage integrations)
  • An Azure Key Vault instance
  • An Azure AD App Registration with a client secret
  • The app registration must have the Key Vault Secrets Officer role on the vault

The sections below walk you through creating a Key Vault, setting up an app registration, and assigning the correct permissions.

How to Create a Key Vault

If you already have an Azure Key Vault, you can skip to the next section.

Open the Azure Portal

Go to portal.azure.com and sign in with your Azure account.

In the search bar at the top, type Key vaults and select it from the results.

Create a New Key Vault

Click Create at the top of the Key Vaults page.

Fill In Vault Details

  • Subscription: Select your Azure subscription
  • Resource group: Choose an existing resource group or create a new one
  • Key vault name: Choose a unique name (e.g., envmanager-secrets)
  • Region: Select the region closest to your application

Leave the remaining settings at their defaults and click Review + create, then Create.

Note the Vault URI

Once the vault is created, go to the vault's Overview page. Copy the Vault URI — it looks like https://myvault.vault.azure.net. You'll need this when connecting in EnvManager.

Already have a vault? You can find the Vault URI on the vault's Overview page in the Azure Portal. You can skip this section if your vault is already set up.

How to Create an App Registration

EnvManager connects to Azure using an app registration (service principal), not your personal Azure account. This limits access to only what's needed.

Open Azure Active Directory

In the Azure Portal, search for Azure Active Directory in the top search bar and select it.

In the left menu, click App registrations.

Create a New Registration

Click New registration at the top of the page.

Fill In Registration Details

  • Name: envmanager-sync (or any name you prefer)
  • Supported account types: Select Accounts in this organizational directory only
  • Redirect URI: Leave blank

Click Register.

Note the Tenant ID and Client ID

On the app registration's Overview page, copy two values:

  1. Directory (tenant) ID — your Azure AD tenant identifier
  2. Application (client) ID — the unique ID for this app registration

You'll need both when connecting in EnvManager.

Create a Client Secret

  1. In the left menu, click Certificates & secrets
  2. Click New client secret
  3. Add a description (e.g., EnvManager sync) and choose an expiration period
  4. Click Add

Copy the secret Value immediately — it is only shown once. Copy the Value field, not the "Secret ID".

Security Note: The client secret grants access to your Azure Key Vault. Do not commit it to version control or share it publicly. EnvManager stores the credentials encrypted. Azure client secrets expire based on the expiration period you chose — you'll need to create a new one when it expires.

How to Assign Key Vault Access

The app registration needs permission to read and write secrets in your Key Vault.

Open Your Key Vault

In the Azure Portal, navigate to your Key Vault.

Open Access Control

In the left menu, click Access control (IAM).

Add a Role Assignment

Click Add at the top, then select Add role assignment.

Select the Role

In the Role tab, search for Key Vault Secrets Officer and select it. Click Next.

Assign to the App Registration

  1. In the Members tab, click Select members
  2. Search for the app registration name you created (e.g., envmanager-sync)
  3. Select it and click Select
  4. Click Review + assign, then Review + assign again to confirm

Why Key Vault Secrets Officer? This role allows EnvManager to create, update, and read secrets in the vault. It does not grant access to keys or certificates, keeping permissions scoped to what's needed.

Connecting Your Azure Key Vault

From your EnvManager project, click the Integrations tab in the navigation menu.

Open the Azure Key Vault Connection Modal

Find the Azure Key Vault card and click the Connect button.

Enter Connection Details

Fill in the form:

  1. Connection Name — Give this connection a friendly name (e.g., "Production Azure Vault")
  2. Tenant ID — The Directory (tenant) ID from your app registration
  3. Client ID — The Application (client) ID from your app registration
  4. Client Secret — The secret Value you copied when creating the client secret
  5. Vault URL — The Vault URI from your Key Vault (e.g., https://myvault.vault.azure.net)

Validate Credentials

Click Validate Credentials to test the connection. EnvManager will check that:

  • The tenant ID, client ID, and client secret are valid
  • The app registration has access to the specified Key Vault
  • The vault exists and is reachable

You'll see a success indicator and your vault name confirmed once validation passes.

Complete the Connection

Click Connect to save the connection. Your Azure Key Vault is now linked to this EnvManager organization.

Configuring Your Sync

After connecting Azure Key Vault, you need to configure which environments sync and how secrets are named.

Open Configuration

On the Azure Key Vault integration card, click Configure to open the sync configuration modal.

Enable Environments for Sync

You'll see a list of your EnvManager environments. Toggle on each environment you want to sync to Azure Key Vault.

You can enable all environments or just specific ones — for example, only syncing your Production environment.

Set an Optional Secret Name Prefix

A prefix is added to the beginning of every secret name in Azure. This is useful to:

  • Namespace your secrets (e.g., myapp- so secrets appear as myapp-DATABASE-URL)
  • Avoid naming conflicts with existing secrets in your vault
  • Identify which secrets were created by EnvManager

Leave this field empty if you don't need a prefix.

Configure Sync Options

Choose what and when to sync:

Option                  Description                                            Recommended
Auto-sync               Automatically sync when variables change in EnvManager Enabled for most use cases
Sync secrets            Include secret variables                               Enabled
Sync regular variables  Include non-secret variables                           Enabled

Save Configuration

Review your settings and click Save Configuration. Your sync is now active.

Syncing Variables

Automatic Syncing

If you enabled auto-sync, EnvManager will automatically push variables to Azure Key Vault whenever:

  • You add a new variable (creates a new secret)
  • You edit an existing variable's value (updates the secret with a new version)
  • You delete a variable (the secret remains in Azure — it is not deleted)

Changes typically appear in Azure within seconds.

Manual Syncing

You can trigger a sync manually at any time:

Click Sync Now

On the Azure Key Vault integration card, click the Sync Now button.

Watch the Progress

A progress indicator shows the sync status. The sync will:

  1. Gather variables from enabled EnvManager environments
  2. Create or update each variable as a secret in Azure Key Vault
  3. Report success or errors per environment

Verify in Azure Portal

Open your Key Vault in the Azure Portal and click Secrets in the left menu to confirm secrets appeared correctly.

Manual sync is useful when setting up the integration for the first time or when you want to immediately verify a change reached Azure.

Secret Naming in Azure

Azure Key Vault enforces strict naming rules that differ from other cloud providers. EnvManager automatically converts your variable names to comply:

  • Only letters, numbers, and hyphens (-) are allowed
  • Underscores are NOT allowed — they are automatically converted to hyphens
  • Maximum length is 127 characters

If you set a prefix, it is prepended before this conversion step:

EnvManager Variable   Prefix   Azure Secret Name
DATABASE_URL          (none)   DATABASE-URL
DATABASE_URL          myapp-   myapp-DATABASE-URL
NEXT_PUBLIC_API       prod-    prod-NEXT-PUBLIC-API

Underscore conversion: Because Azure Key Vault does not allow underscores in secret names, all underscores in your variable names are automatically replaced with hyphens. Keep this in mind when referencing secrets in your Azure application code — use hyphens instead of underscores.
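The conversion described above, written out as an added example (not EnvManager's own code): the prefix is prepended first, then underscores become hyphens, and the result is checked against the rules this page lists. How EnvManager itself treats characters other than letters, digits, underscores and hyphens, or names longer than 127 characters, is not stated here; rejecting them with an error is this example's assumption, as is the collision check.

```python
"""Added example: map EnvManager variable names to Azure Key Vault secret names.

Rules taken from this page: only letters, digits and hyphens are allowed,
underscores become hyphens, the limit is 127 characters, and the prefix is
prepended before conversion. Rejecting other characters or over-long names
(instead of silently fixing them) is this example's own choice, not
documented EnvManager behaviour.
"""
import re

MAX_SECRET_NAME_LEN = 127
_ALLOWED_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def to_azure_secret_name(variable_name: str, prefix: str = "") -> str:
    """Return the Key Vault secret name for an EnvManager variable."""
    # Prefix is prepended first, so underscores in the prefix are converted too.
    raw = f"{prefix}{variable_name}"
    converted = raw.replace("_", "-")
    if not _ALLOWED_NAME.match(converted):
        raise ValueError(f"{raw!r} is empty or contains characters Key Vault does not allow")
    if len(converted) > MAX_SECRET_NAME_LEN:
        raise ValueError(f"{converted!r} exceeds {MAX_SECRET_NAME_LEN} characters")
    return converted


def secret_name_map(variable_names, prefix: str = "") -> dict:
    """Map every variable to its secret name and refuse silent collisions.

    Two different variables that convert to the same secret name would
    overwrite each other in the vault, so such a mapping is rejected.
    """
    mapping = {}
    seen = {}
    for name in variable_names:
        secret = to_azure_secret_name(name, prefix)
        if secret in seen and seen[secret] != name:
            raise ValueError(f"{name!r} and {seen[secret]!r} both map to {secret!r}")
        seen[secret] = name
        mapping[name] = secret
    return mapping


if __name__ == "__main__":
    # Constructed sample matching the table on this page.
    for var, pfx in [("DATABASE_URL", ""), ("DATABASE_URL", "myapp-"),
                     ("NEXT_PUBLIC_API", "prod-")]:
        print(f"{var:<18} {pfx or '(none)':<8} {to_azure_secret_name(var, pfx)}")
```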

Secret versions: Every time a variable value changes, Azure Key Vault stores it as a new version of the existing secret. Previous versions are retained by Azure, so you have a full history of value changes.

Managing Your Connection

Updating Configuration

To change which environments sync or update the prefix:

  1. Click Configure on the Azure Key Vault integration card
  2. Make your changes
  3. Click Save Configuration

The new configuration takes effect immediately for the next sync.

Disconnecting Azure Key Vault

To remove the Azure Key Vault integration:

  1. Click the Disconnect button on the integration card
  2. Confirm the disconnection in the dialog that appears

Important: Disconnecting does NOT remove secrets from Azure Key Vault. Your secrets remain in Azure, but future changes in EnvManager won't sync. You can manually delete secrets from the Azure Portal if needed.

Reconnecting

If you disconnect and want to reconnect later:

  • Click Connect again and go through the connection process
  • You can use the same app registration credentials or create a new client secret
  • You'll need to reconfigure your environment toggles and prefix

Tips & Best Practices

Start with Manual Sync

When setting up the integration for the first time:

  1. Configure with auto-sync disabled
  2. Trigger a manual sync to verify secrets appear in Azure Key Vault
  3. Confirm the secret names and values look correct in the Azure Portal
  4. Enable auto-sync once you're confident everything is working

Use a Prefix to Namespace Your Secrets

If your Azure Key Vault is used for multiple applications or already has existing secrets, use a prefix to keep EnvManager-managed secrets clearly identified. For example, myapp-prod- makes it obvious which secrets belong to this application and environment.

Rotate Client Secrets Before They Expire

Unlike GCP service account keys, Azure client secrets have a set expiration date. Set a reminder to create a new client secret before the current one expires:

  1. Create a new client secret in the app registration
  2. Update the connection in EnvManager by disconnecting and reconnecting with the new secret
  3. Delete the old client secret from the app registration

Limit App Registration Permissions

The Key Vault Secrets Officer role is scoped to secrets only. Avoid granting broader roles like Contributor or Owner on the vault — they provide more access than EnvManager needs.

Troubleshooting

"Permission denied" error during validation or sync

Cause: The app registration does not have the Key Vault Secrets Officer role on your vault.

Solution:

  1. Go to your Key Vault in the Azure Portal
  2. Click Access control (IAM) in the left menu
  3. Click Role assignments and search for your app registration
  4. Confirm it has the Key Vault Secrets Officer role
  5. If the role is missing, follow the steps in How to Assign Key Vault Access

"Key Vault not found" error

Cause: The Vault URL is incorrect or the vault has been deleted.

Solution:

  1. Verify the Vault URL format — it should be https://<vault-name>.vault.azure.net
  2. Check that the vault exists in the Azure Portal under Key vaults
  3. Ensure there are no typos in the vault name
  4. Confirm the vault is in the same Azure AD tenant as your app registration

"Invalid credentials" error during validation

Cause: The tenant ID, client ID, or client secret is incorrect or expired.

Solution:

  1. Open your app registration in the Azure Portal and verify the Tenant ID and Client ID match what you entered in EnvManager
  2. If the client secret has expired, create a new one under Certificates & secrets
  3. Make sure you copied the secret Value, not the Secret ID
  4. Re-enter the credentials in EnvManager and try validation again

"Client secret expired" error

Cause: Azure client secrets have a set expiration date, and your secret has expired.

Solution:

  1. Go to your app registration in the Azure Portal
  2. Click Certificates & secrets in the left menu
  3. Create a new client secret and copy the Value
  4. Disconnect the Azure Key Vault integration in EnvManager
  5. Reconnect with the new client secret

Variables not appearing in Azure Key Vault

Cause: The sync may have failed, or the environment is not enabled for sync.

Solution:

  1. Click Configure and verify that the relevant environments are toggled on
  2. Check the sync history for error messages on the integration card
  3. Trigger a manual sync and watch for errors
  4. Confirm the correct vault is connected by checking the Vault URL shown on the integration card

Auto-sync not triggering

Cause: Auto-sync may be disabled in the configuration, or the sync is failing silently.

Solution:

  1. Click Configure and verify Auto-sync is enabled
  2. Check the sync history for recent failed syncs
  3. Try a manual sync to confirm the connection is still working
  4. If the client secret was rotated or expired, reconnect with a valid secret
