# Configuring Microsoft Azure Key Vault For On-Prem Agent

In this guide, we'll show you how to use Microsoft Azure Key Vault with Workato's On-Prem Agent (OPA) to store database credentials.

Note: We're focusing on using secrets to encrypt passwords in this tutorial, but secrets can be used to encrypt any connection value. This includes usernames, database names, and so on.


# Prerequisites

To configure Azure Key Vault to work with OPA, you'll need:


# Step 1: Create The Secret In Azure

3. Open the key vault where you want to create the secret. In this example, the vault is WorkatoSDKeyVault.

4. In the left navigation pane, click Settings > Secrets.

5. On the Secrets page, click + Generate/Import:

The + Generate/Import option in the Azure portal

6. In the Create a secret window that displays, fill in the following:

  • Upload options: Select Manual

  • Name: Enter a name for the secret. For example: sales-db-password

    This name is what you'll reference in the password key of the OPA config file to retrieve the secret's value.

  • Value: Enter the value for the secret. This should be an actual password.

  • Enabled: If it isn't already, set this field to Yes

The window should look similar to the following:

Fully configured Create a secret window in the Azure portal

7. When finished, click Create.


# Step 2: Configure The OPA Config File

In this step, you'll add info about the key vault you created to your OPA configuration file.

1. In your OPA config file, add a secrets section with provider and vault keys:

```yaml
secrets:
  provider: azure
  vault: <VAULT_NAME>
```

2. For provider, enter azure.

3. Next, you'll define the vault. Workato supports the ability to specify multiple vaults in an OPA config file:

  • To define a default vault, enter the name of a vault for vault. If provided, the vault will be used for all secrets defined in the config file.

    In the following example, we've entered the name of the vault from Step 1. In our case, this is WorkatoSDKeyVault:

    ```yaml
    secrets:
      provider: azure
      vault: WorkatoSDKeyVault
    ```

  • To override the default or define a vault at the secret level, use { secret: '<SECRET_NAME>', vault: '<VAULT>'} in the database's connection profile. Refer to the next section for an example.

4. Save the file.


# Step 3: Configure The Database Profile

To wrap things up, you'll specify which secret to use in the database's profile.

1. In the config file, navigate to the database's profile.

2. To use the default vault, use { secret: '<SECRET_NAME>' } in the password key to specify the secret. The <SECRET_NAME> must match the name of the secret you created in Step 1:

```yaml
database:
  sales_database:
    adapter: sqlserver
    host: localhost
    port: 1433
    database: test
    username: sales_user
    # Must match the secret name created in Step 1
    password: { secret: 'sales-db-password' }
```

If using a vault other than the default, use { secret: '<SECRET_NAME>', vault: '<VAULT>' } in the password key to provide an override:

```yaml
database:
  sales_database:
    adapter: sqlserver
    host: localhost
    port: 1433
    database: test
    username: sales_user
    # The vault given here overrides the default vault from the secrets section
    password: { secret: 'sales-db-password', vault: 'other-vault' }
```
3. Save the file.
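A check for the configuration built in Steps 2 and 3, added here as an example and not part of Workato's documentation or the agent itself. It assumes the config file has already been loaded by a YAML parser into a dictionary, resolves which vault each `{ secret: ... }` reference will use, and flags literal passwords, references with no vault, and names outside Azure Key Vault's allowed characters. The function name `audit_opa_secrets` and every sample profile other than `sales_database` are hypothetical.

```python
import re

# Azure Key Vault secret names: 1-127 characters, letters, digits and hyphens only.
SECRET_NAME_RE = re.compile(r"^[0-9A-Za-z-]{1,127}$")


def audit_opa_secrets(config):
    """Resolve every { secret: ... } reference in the database profiles.

    Returns (resolved, findings): resolved holds (profile, key, vault, secret)
    tuples; findings holds problems to fix before the config is used.
    """
    secrets_cfg = config.get("secrets") or {}
    default_vault = secrets_cfg.get("vault")
    resolved, findings = [], []
    if secrets_cfg.get("provider") != "azure":
        findings.append("secrets.provider: expected 'azure'")
    for profile, settings in (config.get("database") or {}).items():
        for key, value in (settings or {}).items():
            if not (isinstance(value, dict) and "secret" in value):
                if key == "password":  # literal credential left in the file
                    findings.append(f"{profile}.password: literal value, not a secret reference")
                continue
            name = str(value["secret"])
            vault = value.get("vault") or default_vault  # secret-level vault wins
            problems = []
            if not SECRET_NAME_RE.match(name):
                problems.append(f"{profile}.{key}: '{name}' is not a valid Key Vault secret name")
            if not vault:
                problems.append(f"{profile}.{key}: no vault on the secret and no default vault")
            if problems:
                findings.extend(problems)
            else:
                resolved.append((profile, key, vault, name))
    return resolved, findings


# Constructed sample: the page's two profiles as parsed YAML, plus two faulty ones.
SAMPLE = {
    "secrets": {"provider": "azure", "vault": "WorkatoSDKeyVault"},
    "database": {
        "sales_database": {"username": "sales_user", "password": {"secret": "sales-db-password"}},
        "other_database": {"password": {"secret": "sales-db-password", "vault": "other-vault"}},
        "legacy_database": {"password": "constructed-literal"},
        "typo_database": {"password": {"secret": "sales_db_password"}},
    },
}

if __name__ == "__main__":
    for line in audit_opa_secrets(SAMPLE)[1]:
        print(line)
```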