Azure Key Vault Credential Provider Secret Path Expressions
Use the path expressions listed in this topic to use the Azure Key Vault credential providers in your source authentication configurations.
The Azure Key Vault Credential Provider can provide any field supported by Azure Key Vault, such as username and password secrets.
Generic Path Syntax
For Secrets: secrets://{credential-provider-source-name}/{secret-identifier}/{secret-key}
For Keys: secrets://{credential-provider-source-name}/{key-identifier}/{secret-key}
For Certificates: secrets://{credential-provider-source-name}/{certificate-identifier}/{secret-key}
The following is an explanation of the attributes of this URL:
- credential-provider-source-name – The name of the credential provider source configured in ISC.
- secret-identifier – The unique identifier of the secret created in Azure Key Vault.
- key-identifier – The unique identifier of the key created in Azure Key Vault.
- certificate-identifier – The unique identifier of the certificate created in Azure Key Vault.
- secret-key – The name of the specific attribute whose value needs to be obtained from the JSON response.
Important
The secret-identifier, key-identifier, and certificate-identifier include a version ID. To always fetch the latest value of the secret, key, or certificate, omit the version ID from the identifiers.
Note
The unique identifier of secrets, keys, and certificates can be obtained by navigating to Key vaults > KeyVaultName > Objects > Secrets/Keys/Certificates > SecretName > LatestVersion.

Note
The reference examples provided on this page are for Secrets; similarly, follow the same approach for Keys and Certificates.
Before Encoding
- Using Secret ARN:
  secrets://azure-key-vault/https://jubileecpkeyvault.vault.azure.net/keys/HarshalFirstKey/value
Note
It is recommended to omit the version ID from secret, key, or certificate identifiers to always fetch the latest value.
Example: The secret identifier below includes a version ID:
https://jubileecpkeyvault.vault.azure.net/secrets/HarshalFirstKey/e5a9dd5cc1284a4caa5bef8cd733feab
The recommended approach is to omit the version ID from the identifier, ensuring that the latest value is always retrieved:
https://jubileecpkeyvault.vault.azure.net/secrets/HarshalFirstKey
Important
The URL path should always start with the prefix secrets://. Each attribute in the URL path must be URL-encoded. Each URL attribute in the path is case-sensitive.
After Encoding
After you encode the URL path, it should appear as follows:
- Using Secret ARN:
  secrets://azure-key-vault/https%3A%2F%2Fjubileecpkeyvault.vault.azure.net%2Fkeys%2FHarshalFirstKey/value
The following is an explanation of the attributes of this URL:
- azure-key-vault – Configured Credential Provider on ISC.
- https%3A%2F%2Fjubileecpkeyvault.vault.azure.net%2Fkeys%2FHarshalFirstKey – Secret Identifier of the secret.
- value – The name of the secret which needs to be fetched from the JSON response.
Use urlencoder.org to encode your URL attributes.

If any secret paths have a prefix or a suffix, you must append a query parameter to the secret path as follows:
- To add a prefix – ?prefix=<prefix>
  For example, if the secret value returned after evaluation is LocalAdmin, but the complete value required by the secret field is DomainOne\LocalAdmin, then the secret path expression will be as follows to add the required prefix:
  secrets://azure-key-vault/https%3A%2F%2Fjubileecpkeyvault.vault.azure.net%2Fkeys%2FHarshalFirstKey/value?prefix=DomainOne%5C
- To add a suffix – ?suffix=<suffix>
  For example, if the secret value returned after evaluation is localadministrator, but the complete value required by the secret field is localadministrator@sp.com, then the secret path expression will be as follows to add the required suffix:
  secrets://azure-key-vault/https%3A%2F%2Fjubileecpkeyvault.vault.azure.net%2Fkeys%2FHarshalFirstKey/value?suffix=%40sp.com
- To add a prefix and suffix – ?prefix=<prefix>&suffix=<suffix>
  For example, if the secret value returned after evaluation is LocalAdmin, but the complete value required by the secret field is DomainOne\LocalAdmin@sp.com, then the secret path expression will be as follows to add the required prefix and suffix:
  secrets://azure-key-vault/https%3A%2F%2Fjubileecpkeyvault.vault.azure.net%2Fkeys%2FHarshalFirstKey/value?prefix=DomainOne%5C&suffix=%40sp.com
Important
All input parameters must be encoded.
Standard format for credential path
secrets://{credentialprovider-source}/{secretidentifier}/{secretKey}?prefix=someValue&suffix=someValue2
Important
Prefix and Suffix are optional.
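The encoding rules above can be applied and checked in a script rather than by hand. The following is an added example, not code from the product or its vendor: the function names are hypothetical, and it assumes identifiers of the form https://{vault}/{secrets|keys|certificates}/{name}[/{version}].

```python
from urllib.parse import quote, unquote, urlsplit, parse_qs

SCHEME = "secrets://"
OBJECT_TYPES = {"secrets", "keys", "certificates"}

def enc(value):
    """URL-encode one attribute; '/' and ':' must be escaped too."""
    return quote(value, safe="")

def strip_version(identifier):
    """Drop a trailing version ID so the latest value is always fetched."""
    parts = urlsplit(identifier)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3) or segments[0] not in OBJECT_TYPES:
        raise ValueError(f"unexpected Key Vault identifier: {identifier!r}")
    return f"{parts.scheme}://{parts.netloc}/{segments[0]}/{segments[1]}"

def build_path(source, identifier, secret_key, prefix=None, suffix=None):
    """Build the encoded path expression from unencoded attributes."""
    fields = (source, strip_version(identifier), secret_key)
    path = SCHEME + "/".join(enc(f) for f in fields)
    pairs = (("prefix", prefix), ("suffix", suffix))
    query = [f"{k}={enc(v)}" for k, v in pairs if v]
    return path + ("?" + "&".join(query) if query else "")

def parse_path(expression):
    """Decode an expression into its attributes; reject malformed input."""
    if not expression.startswith(SCHEME):
        raise ValueError("path must start with secrets://")
    body, _, query = expression[len(SCHEME):].partition("?")
    fields = body.split("/")
    if len(fields) != 3:
        # An unencoded identifier contributes extra '/' separators.
        raise ValueError("expected 3 attributes; is the identifier encoded?")
    source, identifier, secret_key = (unquote(f) for f in fields)
    params = {k: v[0] for k, v in parse_qs(query).items()}
    id_segments = [s for s in urlsplit(identifier).path.split("/") if s]
    return {"source": source, "identifier": identifier,
            "secret_key": secret_key, "prefix": params.get("prefix"),
            "suffix": params.get("suffix"),
            "version_pinned": len(id_segments) == 3}

if __name__ == "__main__":
    print(build_path("azure-key-vault",
                     "https://jubileecpkeyvault.vault.azure.net/keys/HarshalFirstKey",
                     "value", prefix="DomainOne\\", suffix="@sp.com"))
```

Running parse_path over existing source configurations flags expressions that were saved unencoded or that still pin a version ID.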