»Azure Key Vault (API)

The Key Management secrets engine supports lifecycle management of keys in named Azure Key Vault instances. This is accomplished by configuring a KMS provider resource with the azurekeyvault provider and other provider-specific parameter values.

The following sections provide API documentation that is specific to Azure Key Vault.

»Create/Update KMS Provider

This endpoint creates or updates a KMS provider. If a KMS provider with the given name does not exist, it will be created. If the KMS provider exists, it will be updated with the given parameter values.



  • name (string: <required>) – Specifies the name of the KMS provider to create or update. This is provided as part of the request URL.

  • provider (string: <required>) – Specifies the name of a KMS provider that's external to Vault. Must be set to azurekeyvault. Cannot be changed after creation.

  • key_collection (string: <required>) – Refers to the name of an existing Azure Key Vault instance. Cannot be changed after creation.

  • credentials (map<string|string>: nil) – The credentials to use for authentication with Azure Key Vault. Supplying values for this parameter is optional, as credentials may also be specified as environment variables. Environment variables will take precedence over credentials provided via this parameter.

    • tenant_id (string: <required>) - The tenant ID for the Azure Active Directory organization. May also be specified by the AZURE_TENANT_ID environment variable.
    • client_id (string: <required or MSI>) - The client ID for credentials to invoke the Azure APIs. May also be specified by the AZURE_CLIENT_ID environment variable.
    • client_secret (string: <required or MSI>) - The client secret for credentials to invoke the Azure APIs. May also be specified by the AZURE_CLIENT_SECRET environment variable.
    • environment (string: "AzurePublicCloud") - The Azure Cloud environment API endpoints to use. May also be specified by the AZURE_ENVIRONMENT environment variable.