Using Azure Key Vault secrets in connections

This guide demonstrates how to use secrets from your Azure Key Vault (opens new window) to configure Workato connections.

Prerequisites

To complete the steps in this guide, you must have the following:

• In Workato:

  • An account with a successful workspace-level or project-level Azure Key Vault connection.
  • A user role with Create and Edit Connections privileges.

• In Microsoft Azure:

  • Permissions allowing you to create Azure Key Vault secrets.

Step 1: Add a secret to Azure Key Vault

1

Sign in to the Azure portal and navigate to Key vaults > {key vault name} > Secrets.

2

Select +Generate/Import.

3

Set Upload options to Manual on the Create a secret page.

Create a secret in Azure Key Vault

4

Enter a name for your secret that will help you remember what application it is for, such as airtable-api.

5

Enter the secret value. This is typically a password, API key, or other sensitive information.

6

Optionally, set the Content type, Activation date, and/or Expiration date.

7

Ensure the Enabled toggle is set to Yes.

8

Select Create.

Step 2: Configure a Workato connection

1

Create a new connection or open the configuration page for an existing connection in your Workato account.

2

Click the corresponding input field for connection parameters referencing an external secret. The Add external secret option appears.

3

Select Add external secret to open the Add external secret popup.

4

Enter the Secret name in the Add external secret popup.

Add external secret

5

Select Done. The secret appears as a masked datapill in the input field on the connection page.

Select the datapill to edit the secret.

6

Click Connect and verify that this connection works.

If you prefer to add the secret with a secret mask, use the following syntax for Workato connection credentials. Replace <secret_name> with the actual name of the secret you plan to use in Azure Key Vault:

{{workato:sm:<secret_name>}}

In the following example, the secret name is airtable-api:

{{workato:sm:airtable-api}}

Paste the entire value into the appropriate field on the connection's configuration page.

Step 3: Complete your connection setup

Click Connect and verify that this connection is working.

Troubleshooting

Error message	How to fix it
The secret was not found in this key vault.	Ensure that your secret exists and you are connected to the right Azure Key Vault instance.
The secret {{secret name}} has been disabled. Please ensure that it is enabled before re-trying.	Ensure that your secret is set to Enabled.
Caller is not authorized to perform action on resource.	Ensure that your Azure Active Directory app has the sufficient role or access policy and that your client secret is still valid.
Public network access to your Azure Key Vault is disabled.	Ensure that public access to your key vault (opens new window) is enabled.
Client address is not authorized and caller is not a trusted service.	Ensure that your network IP address has been added to your key vault's allowlist (opens new window).
Secret is expired.	Create a new secret version with a valid expiration date.
Secret is not activated.	Ensure that your secret's activation date is before the current date.
Failed to fetch secret from your vault.	Ensure that your secret exists in your vault. Ensure that your secret follows the format {{workato:sm:<secret_name>}}. Different secrets managers require different secret formats, so you may encounter this error if your secret is formatted for another secrets manager.