# Setting up Azure Key Vault for workspace-level secrets management
WARNING
Switching to workspace-specific secrets management causes external secrets references scoped to the project level to stop working.
# Prerequisites
To complete the steps in this guide, you must have the following:
In Workato:
- An account with the Data Monitoring/Advanced Security & Compliance capability. For more information, contact your Workato Customer Success Manager.
In Microsoft Azure:
- An existing key vault (opens new window).
- A registered application with an appropriate role policy assigned:
- For key vaults using role-based access control (RBAC) (opens new window), the registered app must have the Key Vault Secrets User role.
- For key vaults using access policies (opens new window), the registered app must have the Get secret permission.
REGISTERING AN APPLICATION
To learn how to register an application, see Registering an application with Microsoft Entra ID.
# Step 1: Select the scope for secrets management
Sign in to your Workato account.
Navigate to Settings > Secrets management.
In Scope, select the option Set up secrets management for the entire workspace.
Set up secrets management for the entire workspace
# Step 2: Select the secrets manager
Continuing from the previous step, in the field Which secrets manager do you want to use?, select Azure Key Vault.
Secrets management interface of a workspace
Select Link your account.
In the Connect to Azure Key Vault modal, select + Create a new connection.
Create a new Azure Key Vault connection
# Step 3: Configure the following fields in Workato
Configure Azure Key Vault connection
- Connection name
- Name your Azure Key Vault connection.
- Vault URL
- Provide the URL of your key vault. Obtain this value by navigating to Azure portal > Key vaults (opens new window). Select the desired key vault and copy the Vault URI shown in the Overview. In our example, we connect to the vault URL
https://example.vault.azure.net/
.
- Tenant ID
- Provide the ID of the tenant where your key vault and app registration are located. Azure refers to this as the Directory (tenant) ID. Obtain this value by navigating to Azure portal > App registrations (opens new window). Select your registered application and copy the Directory (tenant) ID shown in the Overview.
- Client ID
- Provide your client ID, which Azure refers to as the Application (client) ID. Obtain this value by navigating to Azure portal > App registrations (opens new window). Select your registered application and copy the Application (client) ID shown in the Overview.
- Client Secret
- Provide your client secret, which Azure refers to as the secret Value. Azure only displays this value when the secret is generated. If you need to generate a new secret, see Registering an application with Microsoft Entra ID, Step 2.
# Step 4: Connect and save changes
Select Connect. Workato displays the message Connected to your Azure Key Vault account!, along with the name of the Azure Key Vault connection:
Connection successful
Select Save changes.
If you are switching secrets management scopes, Workato notifies you that previously configured external secret references scoped to the project level will stop working.
To confirm switching from project-level secrets management to workspace-level, select Use workspace-level secrets.
Use workspace-level secrets
Workato displays the message Using Azure Key Vault.
Successfully configured workspace-level Azure Key Vault
FURTHER READING
Last updated: 11/5/2024, 6:04:00 PM