Azure Key Vault
Connect Azure Key Vault to Paradime so you can reference secrets by vault URI in your environment variables and connection profiles — without ever storing plaintext credentials in Paradime.
Prerequisites
An Azure subscription with at least one Key Vault.
An Azure AD app registration (service principal) with a client secret.
The service principal must have the Key Vault Secrets User role (or equivalent Get secret permission) on the vault(s) you want to reference.
Step 1 — Create a service principal
In the Azure Portal, go to Azure Active Directory > App registrations and create a new registration.
Under Certificates & secrets, create a new Client secret and copy the value.
Note the Application (client) ID and Directory (tenant) ID from the app registration overview.
Step 2 — Grant vault access
Open your Key Vault in the Azure Portal.
Create a Key Vault, call it paradime, add resource group paradime-kv-resource, and choose the appropriate region.
Under Access configuration, choose Vault Access Policy, then choose Create.
Select Get for both Key Management Operations and Secret Management Operations.
Select the Service Principal from Step 1
Click Review + Create
Go to Access control (IAM) and add a role assignment.
Assign the Key Vault Secrets User role to the service principal created in Step 1.
If your vault uses Access policies instead of Azure RBAC, add a policy granting the service principal Get permission on Secrets.
Step 3 — Connect in Paradime
Navigate to Settings > Integrations.
Find Azure Key Vault under the Secret Managers category and click Connect.
Fill in the required fields:
Tenant ID: Your Azure AD directory (tenant) ID.
Client ID: The app registration's application (client) ID.
Client Secret: The client secret value created in Step 1.
Default Vault URL (optional): A default vault URL (e.g. https://my-vault.vault.azure.net/). If set, you can omit the vault hostname from short-form references.
Click Test connection to verify the credentials.
Step 4 — Reference secrets
Once connected, use Azure Key Vault URIs anywhere Paradime accepts environment variable values or connection profile fields.
Reference format
To pin a specific version:
Extracting a JSON key
If your secret value is a JSON object, append #key_name to extract a specific field:
Example — Bolt environment variable
DB_PASSWORD
https://my-vault.vault.azure.net/secrets/prod-db-password
Paradime resolves the URI to the live secret value at schedule run time. The plaintext value is never stored in Paradime.
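A pre-flight check for the full-URI references described in this step, added here as an example and not taken from Paradime's code: it rejects plaintext values and URIs that point outside the vaults you expect, then applies the #key_name extraction to a fetched value. The function names and the allow-list parameter are hypothetical, the /secrets/<name>/<version> layout is the standard Azure secret identifier, and short-form references are not handled.

```python
import json
import re
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Public-cloud vault host, as in the page's example; sovereign clouds use other suffixes.
_HOST = re.compile(r"[a-z][a-z0-9-]{1,22}[a-z0-9]\.vault\.azure\.net")
_NAME = re.compile(r"[0-9A-Za-z-]{1,127}")
_VERSION = re.compile(r"[0-9A-Za-z]{32}")


class SecretRef(NamedTuple):
    vault_url: str
    name: str
    version: Optional[str]   # None means "latest version"
    json_key: Optional[str]  # field to extract when the secret is a JSON object


def parse_secret_ref(value: str, allowed_vaults: frozenset) -> SecretRef:
    """Parse a Key Vault secret URI; raise ValueError if it is not one we trust."""
    parts = urlsplit(value.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not _HOST.fullmatch(host):
        raise ValueError("not an https Key Vault URI (plaintext value?)")
    if parts.username or parts.password or parts.port or parts.query:
        raise ValueError("unexpected userinfo, port or query string")
    if host not in allowed_vaults:  # hypothetical allow-list of vault hostnames
        raise ValueError(f"vault {host!r} is not on the allow-list")
    segs = parts.path.strip("/").split("/")
    if len(segs) not in (2, 3) or segs[0] != "secrets" or not _NAME.fullmatch(segs[1]):
        raise ValueError("path must be /secrets/<name>[/<version>]")
    version = segs[2] if len(segs) == 3 else None
    if version is not None and not _VERSION.fullmatch(version):
        raise ValueError("version must be 32 alphanumeric characters")
    return SecretRef(f"https://{host}/", segs[1], version, parts.fragment or None)


def extract_field(secret_value: str, json_key: Optional[str]) -> str:
    """Apply the #key_name step to an already-fetched secret value."""
    if json_key is None:
        return secret_value
    obj = json.loads(secret_value)
    if not isinstance(obj, dict) or json_key not in obj:
        raise ValueError(f"secret is not a JSON object with key {json_key!r}")
    return str(obj[json_key])
```

Running a check like this over environment variable values before they are saved catches a literal password pasted where a reference was intended.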
Disconnecting
To remove the Azure Key Vault integration:
Navigate to Settings > Integrations.
Click Disconnect on the Azure Key Vault card.
Any environment variables or profile fields that reference Azure Key Vault URIs will fail to resolve after disconnecting. Update them to use literal values before disconnecting.