# Azure Key Vault

Connect Azure Key Vault to Paradime so you can reference secrets by vault URI in your environment variables and connection profiles — without ever storing plaintext credentials in Paradime.

### Prerequisites

* An Azure subscription with at least one Key Vault.
* An Azure AD app registration (service principal) with a client secret.
* The service principal must have the **Key Vault Secrets User** role (or equivalent `Get` secret permission) on the vault(s) you want to reference.

### Step 1 — Create a service principal

1. In the **Azure Portal**, go to **Azure Active Directory > App registrations** and create a new registration.
2. Under **Certificates & secrets**, create a new **Client secret** and copy the value.
3. Note the **Application (client) ID** and **Directory (tenant) ID** from the app registration overview.

### Step 2 — Grant vault access

1. Open your **Key Vault** in the Azure Portal.
2. **Create a Key Vault**, call it `paradime`, add resource group `paradime-kv-resource`, and choose the appropriate region.
3. Under **Access configuration**, choose **Vault Access Policy**, then choose **Create**.
4. Select **Get** for both Key Management Operations and Secret Management Operations.
5. Select the service principal from Step 1.
6. Click **Review + Create**.
7. Go to **Access control (IAM)** and add a role assignment.
8. Assign the **Key Vault Secrets User** role to the service principal created in Step 1.

{% hint style="info" %}
If your vault uses **Access policies** instead of Azure RBAC, add a policy granting the service principal `Get` permission on **Secrets**.
{% endhint %}

### Step 3 — Connect in Paradime

1. Navigate to **Settings > Integrations**.
2. Find **Azure Key Vault** under the **Secret Managers** category and click **Connect**.
3. Fill in the required fields:

| Field                              | Description                                                                                                                         |
| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| **Tenant ID**                      | Your Azure AD directory (tenant) ID.                                                                                                |
| **Client ID**                      | The app registration's application (client) ID.                                                                                     |
| **Client Secret**                  | The client secret value created in Step 1.                                                                                          |
| **Default Vault URL** *(optional)* | A default vault URL (e.g. `https://my-vault.vault.azure.net/`). If set, you can omit the vault hostname from short-form references. |

4. Click **Test connection** to verify the credentials.

### Step 4 — Reference secrets

Once connected, use Azure Key Vault URIs anywhere Paradime accepts environment variable values or connection profile fields.

#### Reference format

```
https://<vault-name>.vault.azure.net/secrets/<secret-name>
```

To pin a specific version:

```
https://<vault-name>.vault.azure.net/secrets/<secret-name>/<version-id>
```

#### Extracting a JSON key

If your secret value is a JSON object, append `#key_name` to extract a specific field:

```
https://my-vault.vault.azure.net/secrets/prod-db-creds#password
```

#### Example — Bolt environment variable

| Variable      | Value                                                       |
| ------------- | ----------------------------------------------------------- |
| `DB_PASSWORD` | `https://my-vault.vault.azure.net/secrets/prod-db-password` |

Paradime resolves the URI to the live secret value at schedule run time. The plaintext value is never stored in Paradime.
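
The reference formats above can be checked before they are saved. The following is an added example, not Paradime's resolver and not code from this documentation: it parses a full-form reference, rejects look-alike hosts, and applies the `#key_name` selector without echoing the secret in errors. The names `parse_ref` and `select_value`, the public-cloud host suffix, the name and version character rules, and the handling of non-string JSON fields are assumptions.

```python
import json
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Assumptions (not from the page): public-cloud suffix only, Azure's naming
# limits for vaults and secrets, version IDs as 32 lowercase hex characters.
VAULT_SUFFIX = ".vault.azure.net"
VAULT_NAME = re.compile(r"[a-z](?:[a-z0-9]|-(?!-)){1,22}[a-z0-9]")
SECRET_NAME = re.compile(r"[A-Za-z0-9-]{1,127}")
VERSION_ID = re.compile(r"[0-9a-f]{32}")
SecretRef = namedtuple("SecretRef", "vault name version json_key")


def parse_ref(uri: str) -> SecretRef:
    """Parse a full-form reference; raise ValueError on anything unexpected."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    # netloc != host means userinfo or a port was placed in the authority.
    if parts.scheme != "https" or parts.netloc.lower() != host or parts.query:
        raise ValueError("expected a plain https:// vault URI")
    # Suffix match on the parsed host rejects my-vault.vault.azure.net.example.
    vault = host[: -len(VAULT_SUFFIX)] if host.endswith(VAULT_SUFFIX) else ""
    if not VAULT_NAME.fullmatch(vault):
        raise ValueError("host is not <vault-name>.vault.azure.net")
    segs = parts.path.split("/")[1:]
    if len(segs) not in (2, 3) or segs[0] != "secrets":
        raise ValueError("path must be /secrets/<secret-name>[/<version-id>]")
    if not SECRET_NAME.fullmatch(segs[1]) or not all(map(VERSION_ID.fullmatch, segs[2:])):
        raise ValueError("invalid secret name or version id")
    version = segs[2] if len(segs) == 3 else None
    return SecretRef(vault, segs[1], version, parts.fragment or None)


def select_value(ref: SecretRef, secret_value: str) -> str:
    """Apply the #key_name selector; error messages never contain the secret."""
    if ref.json_key is None:
        return secret_value
    try:
        obj = json.loads(secret_value)
    except json.JSONDecodeError:
        # "from None" drops the chained exception, which carries the raw value.
        raise ValueError("secret is not JSON but the reference has #key") from None
    if not isinstance(obj, dict) or ref.json_key not in obj:
        raise ValueError(f"JSON key {ref.json_key!r} not found in secret")
    value = obj[ref.json_key]
    # Assumption: non-string fields are returned as their JSON text.
    return value if isinstance(value, str) else json.dumps(value)
```
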

### Disconnecting

To remove the Azure Key Vault integration:

1. Navigate to **Settings > Integrations**.
2. Click **Disconnect** on the Azure Key Vault card.

{% hint style="warning" %}
Any environment variables or profile fields that reference Azure Key Vault URIs will fail to resolve after disconnecting. Update them to use literal values before disconnecting.
{% endhint %}


