Azure Key Vault Credential Provider Secret Path Expressions

Use the path expressions listed in this topic to use the Azure Key Vault credential providers in your source authentication configurations.

The Azure Key Vault Credential Provider can provide any field supported by Azure Key Vault , such as username and password secrets.

Generic Path Syntax

For Secrets: secrets://{credential-provider-source-name}/{secret-identifier}/{secret-key}

For Keys: secrets://{credential-provider-source-name}/{key-identifier}/{secret-key}

For Certificates: secrets://{credential-provider-source-name}/{certificate-identifier}/{secret-key}

The following is an explanation of the attributes of this URL:

  • credential-provider-source-name – The name of the credential provider source configured in ISC.

  • secret-identifier – The unique identifier of the secret created in Azure Key Vault.

  • key- identifier – The Unique identifier of the key created in Azure Key Vault.

  • certificate-identifier – The Unique identifier of the certificate created in Azure Key Vault.

  • secret-key – The name of the specific attribute whose value needs to be obtained from JSON response.

Important
The secret-identifier, key-identifier, and certificate-identifier include a version ID. To always fetch the latest value of the secret, key, or certificate, omit the version ID from the identifiers.

Note
The Unique Identifier of secrets, keys and certificates can be obtained by navigating to Key vaults > KeyVaultName > Objects > Secrets/Keys/Certificates > SecretName > LatestVersion

Note
The reference examples provided on this page are for Secrets; similarly, follow the same approach for Keys and Certificates.

Before Encoding

  • Using Secret ARN:

secrets://azure-key-vault/https://jubileecpkeyvault.vault.azure.net/keys/HarshalFirstKey/value

Note

It is recommended to omit the version ID from secret, key, or certificate identifiers to always fetch the latest value.

Example: The secret identifier below includes a version ID:

https://jubileecpkeyvault.vault.azure.net/secrets/HarshalFirstKey/e5a9dd5cc1284a4caa5bef8cd733feab

The recommended approach is to omit the version ID from the identifier, ensuring that the latest value is always retrieved:

https://jubileecpkeyvault.vault.azure.net/secrets/HarshalFirstKey

Important
The URL path should always start with the prefix, secrets://. Each attribute in the URL path must be URL-encoded. Each URL attribute in the path is case-sensitive.

After Encoding

After you encode the URL path, it should appear as follows:

  • Using Secret ARN:

secrets://azure-key-vault/https%3A%2F%2Fjubileecpkeyvault.vault.azure.net%2Fkeys%2FHarshalFirstKey/value

The following is an explanation of the attributes of this URL:

  • Azure-key-vault – Configured Credential Provider on ISC.

  • https%3A%2F%2Fjubileecpkeyvault.vault.azure.net%2Fkeys%2FHarshalFirstKey – Secret Identifier of the secret.

  • value – The name of the secret which needs to be fetched from the JSON response.

Tip
Use urlencoder.org to encode your URL attributes.

If any secret paths have a prefix or a suffix, you must append a query parameter to the secret path as follows:

  • To add a prefix – ?prefix=<prefix>

    For example, if the secret value returned after evaluation is LocalAdmin, but the complete value required by the secret field is DomainOne\LocalAdmin then the secret path expression will be as follows to add the required prefix:

    secrets://azure-key-vault/https%3A%2F%2Fjubileecpkeyvault.vault.azure.net%2Fkeys%2FHarshalFirstKey/value?prefix=DomainOne%5C

  • To add a suffix – ?suffix=<suffix>

    For example, if the secret value returned after evaluation is localadministrator, but the complete value required by the secret field is localadminstrator@sp.com then the secret path expression will be as follows to add the required suffix:

    secrets://azure-key-vault/https%3A%2F%2Fjubileecpkeyvault.vault.azure.net%2Fkeys%2FHarshalFirstKey/value?suffix=%40sp.com

  • To add a prefix and suffix – ?prefix=<prefix>&suffix=<suffix>

    For example, if the secret value returned after evaluation is LocalAdmin, but the complete value required by the secret field is DomainOne\LocalAdmin@sp.com then the secret path expression will be as follows to add the required prefix and suffix:

    secrets://azure-key-vault/https%3A%2F%2Fjubileecpkeyvault.vault.azure.net%2Fkeys%2FHarshalFirstKey/value?prefix=DomainOne%5C&suffix=%40sp.com

Important
All input parameters must be encoded.

Standard format for credential path

secrets://{credentialpprovider-source}/{secretidentifier}/{secretKey}?prefix=someValue&suffix=someValue2

Important
Prefix and Suffix are optional.