Set up Azure Key Vault for workspace-level secrets management

WARNING

Switching to workspace-specific secrets management causes external secrets references scoped to the project level to stop working.

Prerequisites

To complete the steps in this guide, you must have the following:

• In Workato:

  • An account with the Data Monitoring/Advanced Security & Compliance capability. For more information, contact your Workato Customer Success Manager.

• In Microsoft Azure:

  • An existing key vault (opens new window).
  • A registered application with an appropriate role policy assigned:
    • For key vaults using role-based access control (RBAC) (opens new window), the registered app must have the Key Vault Secrets User role.
    • For key vaults using access policies (opens new window), the registered app must have the Get secret permission.

REGISTERING AN APPLICATION

To learn how to register an application, see Registering an application with Microsoft Entra ID.

Select the scope for secrets management

1

Sign in to Workato.

2

Go to Workspace admin > Settings > External secrets manager.

3

Select the Set up secrets for the entire workspace option from the Scope drop-down menu.

Set up secrets for the entire workspace

Select the secrets manager

1

In the Which secrets manager do you want to use? field, select Azure Key Vault.

Secrets management interface of a workspace

2

Click Set up connection.

3

In the Connect to Azure Key Vault modal, select + Create a new connection.

Create a new Azure Key Vault connection

Connect to Azure Key Vault

Configure Azure Key Vault connection

1

• Connection name
• Name your Azure Key Vault connection.

2

• Vault URL
• Provide the URL of your key vault. Obtain this value by navigating to Azure portal > Key vaults (opens new window). Select the desired key vault and copy the Vault URI shown in the Overview. In our example, we connect to the vault URL https://example.vault.azure.net/.

3

• Tenant ID
• Provide the ID of the tenant where your key vault and app registration are located. Azure refers to this as the Directory (tenant) ID. Obtain this value by navigating to Azure portal > App registrations (opens new window). Select your registered application and copy the Directory (tenant) ID shown in the Overview.

4

• Client ID
• Provide your client ID, which Azure refers to as the Application (client) ID. Obtain this value by navigating to Azure portal > App registrations (opens new window). Select your registered application and copy the Application (client) ID shown in the Overview.

5

• Client Secret
• Provide your client secret, which Azure refers to as the secret Value. Azure only displays this value when the secret is generated. If you need to generate a new secret, see Registering an application with Microsoft Entra ID, Step 2.

6

Click Connect. Workato displays the name of the Azure Key Vault connection:

Connection successful

7

Click Save.

8

If you switch secrets management scopes, Workato notifies you that existing external secret references scoped to the project level will no longer function.

To proceed with switching from project-level to workspace-level secrets management, select the checkbox to acknowledge the impact and click Use workspace-level secrets.

Use workspace-level secrets

FURTHER READING

• Using Azure Key Vault secrets to authenticate to connections