# Setting up Azure Key Vault for project-level secrets management
WARNING
Switching to project-specific secrets management causes external secrets references scoped to the workspace level to stop working.
# Prerequisites
To complete the steps in this guide, you must have the following:
In Workato:
- An account with the Data Monitoring/Advanced Security & Compliance capability. For more information, contact your Workato Customer Success Manager.
In Microsoft Azure:
- An existing key vault (opens new window).
- A registered application with an appropriate role policy assigned:
- For key vaults using role-based access control (RBAC) (opens new window), the registered app must have the Key Vault Secrets User role.
- For key vaults using access policies (opens new window), the registered app must have the Get secret permission.
REGISTERING AN APPLICATION
To learn how to register an application, see Registering an application with Microsoft Entra ID.
# Step 1: Select the scope for secrets management
Sign in to your Workato account.
Navigate to Settings > Secrets management.
In Scope, select the option Set up secrets management for each project individually.
Set up secrets management for each project individually
If you have previously set up secrets management at the workspace level, Workato notifies you that previously configured external secret references scoped to the workspace level will stop working.
Remember that you must now set up secrets management in each project individually.
Select Save changes.
If you are switching secrets management scopes, Workato asks you to confirm switching from workspace-level secrets management to project-level.
Select Use project-specific secrets.
Use project-specific secrets
# Step 2: Select the project
In Workato, navigate to your projects.
Select the project that you plan to configure with secrets management.
In the project, navigate to Settings > Secrets management.
In the Which secrets manager do you want to use? field, select Azure Key Vault.
Secrets management interface of a project
Select Link your account.
In the Connect to Azure Key Vault modal, select + Create a new connection.
Create a new Azure Key Vault connection
# Step 3: Configure the following fields in Workato
Configure Azure Key Vault connection
- Connection name
- Name your Azure Key Vault connection.
- Vault URL
- Provide the URL of your key vault. Obtain this value by navigating to Azure portal > Key vaults (opens new window). Select the desired key vault and copy the Vault URI shown in the Overview. In our example, we connect to the vault URL
https://example.vault.azure.net/.
- Tenant ID
- Provide the ID of the tenant where your key vault and app registration are located. Azure refers to this as the Directory (tenant) ID. Obtain this value by navigating to Azure portal > App registrations (opens new window). Select your registered application and copy the Directory (tenant) ID shown in the Overview.
- Client ID
- Provide your client ID, which Azure refers to as the Application (client) ID. Obtain this value by navigating to Azure portal > App registrations (opens new window). Select your registered application and copy the Application (client) ID shown in the Overview.
- Client Secret
- Provide your client secret, which Azure refers to as the secret Value. Azure only displays this value when the secret is generated. If you need to generate a new secret, see Registering an application with Microsoft Entra ID, Step 2.
# Step 4: Connect and save changes
Select Connect. Workato displays the message Connected to your Azure Key Vault account!, along with the name of the Azure Key Vault connection:
Connection successful
Select Save changes. Workato displays the message Secrets management settings updated successfully.
FURTHER READING
Last updated: 11/5/2024, 6:04:00 PM