Azure KeyVault Configuration¶
The azkeyvault plugin integrates DRP with Microsoft Azure Key Vault as a secure parameter store.
Parameters that would otherwise hold plaintext credentials can instead reference secrets or
certificates stored in Key Vault using a URI-based lookup scheme.
Installation¶
The plugin requires drp-community-content version 4.8.0 or later.
Authentication Configuration¶
The plugin uses Azure credentials stored in the home directory of the user running the DRP endpoint service. Configure Azure CLI credentials on the DRP host before using this plugin:
For service principal authentication in production, configure the credentials via environment variables or an Azure managed identity available to the DRP process.
Plugin Parameters¶
| Parameter | Description | Default |
|---|---|---|
| azkeyvault/cache-timeout | Seconds to cache secrets in memory to reduce Key Vault API calls | 300 |
Set the cache timeout on the plugin object. Lowering the timeout increases freshness of retrieved secrets at the cost of more Key Vault API requests. For high-throughput environments, keep the default 300-second cache to avoid rate limiting.
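The trade-off described above (fewer Key Vault calls versus staler values after a secret rotation) can be made concrete with a small TTL cache. This is an added example written for this page, not the azkeyvault plugin's own code; the fetch callback stands in for the real Key Vault request, the LookupUri is a constructed sample in the page's format, and the clock is injectable so expiry can be exercised offline.

```python
"""TTL cache for Key Vault lookups (added example, not the azkeyvault plugin's code).

Models the azkeyvault/cache-timeout behaviour: a value fetched from Key Vault is
served from memory for cache_timeout seconds, then refetched. The clock is
injectable so expiry can be exercised without waiting or talking to Azure.
"""
import time
from typing import Callable, Dict, List, Tuple

DEFAULT_CACHE_TIMEOUT = 300  # seconds, the plugin's documented default

# Constructed sample URI in the page's format.
SAMPLE_URI = "azkeyvault://my-key-vault?secret=ipmi-password-json&format=json"


class SecretCache:
    def __init__(self, fetch: Callable[[str], str],
                 cache_timeout: int = DEFAULT_CACHE_TIMEOUT,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch            # performs the real Key Vault request (assumed interface)
        self._timeout = cache_timeout
        self._clock = clock
        self._entries: Dict[str, Tuple[float, str]] = {}
        self.backend_calls = 0         # how many times Key Vault was actually contacted

    def get(self, lookup_uri: str) -> str:
        now = self._clock()
        hit = self._entries.get(lookup_uri)
        if hit is not None:
            expires_at, value = hit
            if now < expires_at:
                return value                  # fresh: no Key Vault round trip
            del self._entries[lookup_uri]     # stale: drop before refetching
        value = self._fetch(lookup_uri)
        self.backend_calls += 1
        self._entries[lookup_uri] = (now + self._timeout, value)
        return value

    def invalidate(self, lookup_uri: str) -> None:
        """Force the next get() to hit Key Vault (e.g. right after a rotation)."""
        self._entries.pop(lookup_uri, None)


class FakeClock:
    """Manually advanced clock so the scenarios below run instantly."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def backend_calls_for(cache_timeout: int, lookup_times: List[float]) -> int:
    """Count Key Vault requests caused by reading SAMPLE_URI at the given times."""
    clock = FakeClock()
    cache = SecretCache(lambda uri: "constructed-secret", cache_timeout, clock)
    for t in lookup_times:
        clock.now = t
        cache.get(SAMPLE_URI)
    return cache.backend_calls


def serves_stale_after_rotation(cache_timeout: int, read_at: float) -> bool:
    """True if a value cached at t=0 is still served unchanged at read_at even
    though the secret in Key Vault was rotated in between."""
    clock = FakeClock()
    vault = {"value": "old-password"}        # stand-in for the Key Vault secret
    cache = SecretCache(lambda uri: vault["value"], cache_timeout, clock)
    cache.get(SAMPLE_URI)                     # populated at t=0
    vault["value"] = "new-password"           # rotation happens after caching
    clock.now = read_at
    return cache.get(SAMPLE_URI) == "old-password"


if __name__ == "__main__":
    print("Key Vault calls with 300 s timeout:", backend_calls_for(300, [0, 10, 299, 300, 600]))
    print("stale value served 120 s after rotation:", serves_stale_after_rotation(300, 120))
```

With the default 300-second timeout, five reads at 0, 10, 299, 300 and 600 seconds cost three Key Vault requests, and a rotated password keeps being served from memory until the entry expires; shortening the timeout (or calling invalidate after a rotation) closes that window at the cost of more API traffic.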
Using Secrets in Parameters¶
Set the decrypt/lookup-uri on a machine parameter to reference an Azure Key Vault secret:
# Store an IPMI password reference (the secret value stays in Azure Key Vault)
drpcli machines set Name:my-server param ipmi/password to \
'{ "LookupUri": "azkeyvault://my-key-vault?secret=ipmi-password-json&format=json" }'
# Retrieve and decrypt the secret
drpcli machines get Name:my-server param ipmi/password --decode
The URI has the form azkeyvault://<vault-hostname>?secret=<name>, with optional format and type query parameters:
- <vault-hostname>: the name of the Azure Key Vault (the hostname prefix before .vault.azure.net).
- secret=<name>: the name of the secret or certificate in Key Vault.
- format=json: parse the returned value as JSON (optional; omit for a plain string).
- type=cert: retrieve a certificate instead of a secret (format is ignored; a string is returned).
All communication uses HTTPS.
Certificate Management¶
To retrieve a certificate from Key Vault instead of a secret, set type=cert in the URI:
drpcli machines set Name:my-server param some/cert to \
'{ "LookupUri": "azkeyvault://my-key-vault?secret=my-cert&type=cert" }'
The certificate is returned as a PEM-encoded string.
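The URI components listed under Using Secrets in Parameters and the type=cert rule above can be checked before a reference is ever stored on a machine, which catches typos and stray query parameters early. The following is an added example for this page, not the plugin's code: it parses the JSON object stored on the parameter, validates the azkeyvault:// URI, and applies the format=json / type=cert rules to a returned value. The vault and object naming rules and the https://<vault>.vault.azure.net/secrets/<name> URL shape are Azure conventions assumed here, not something this page states, and all function names are my own.

```python
"""Parser and validator for azkeyvault:// LookupUri values (added example, not
plugin code). Splits a URI into vault name, object name, type and format,
rejects malformed references before they reach Key Vault, and shows how the
format=json / type=cert rules from the page apply to a returned value.
"""
import json
import re
from dataclasses import dataclass
from typing import Any
from urllib.parse import parse_qs, urlsplit

# Assumed Azure naming rules (not stated on this page): vault names are 3-24
# letters/digits/hyphens starting with a letter, ending with a letter or digit,
# no consecutive hyphens; secret/certificate names are 1-127 letters/digits/hyphens.
_VAULT_NAME = re.compile(r"^(?!.*--)[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")
_OBJECT_NAME = re.compile(r"^[A-Za-z0-9-]{1,127}$")
_ALLOWED_PARAMS = {"secret", "format", "type"}


@dataclass(frozen=True)
class KeyVaultRef:
    vault: str
    name: str
    kind: str          # "secret" or "cert"
    parse_json: bool   # only honoured for secrets; ignored for certificates

    @property
    def request_url(self) -> str:
        # Assumed Key Vault data-plane URL shape; the plugin's own call is not shown on the page.
        path = "certificates" if self.kind == "cert" else "secrets"
        return f"https://{self.vault}.vault.azure.net/{path}/{self.name}"


def parse_lookup_uri(uri: str) -> KeyVaultRef:
    parts = urlsplit(uri)
    if parts.scheme != "azkeyvault":
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if parts.path not in ("", "/") or parts.fragment:
        raise ValueError("unexpected path or fragment in LookupUri")
    if not _VAULT_NAME.match(parts.netloc):
        raise ValueError(f"invalid vault name: {parts.netloc!r}")
    query = parse_qs(parts.query, keep_blank_values=True)
    unknown = set(query) - _ALLOWED_PARAMS
    if unknown:
        raise ValueError(f"unknown query parameter(s): {sorted(unknown)}")
    for key, values in query.items():
        if len(values) != 1:
            raise ValueError(f"parameter {key!r} given more than once")
    name = query.get("secret", [""])[0]
    if not _OBJECT_NAME.match(name):
        raise ValueError(f"invalid or missing secret name: {name!r}")
    kind = query.get("type", ["secret"])[0]
    if kind not in ("secret", "cert"):
        raise ValueError(f"unsupported type: {kind!r}")
    fmt = query.get("format", [""])[0]
    if fmt not in ("", "json"):
        raise ValueError(f"unsupported format: {fmt!r}")
    # format=json is ignored for certificates, as the page states.
    return KeyVaultRef(parts.netloc, name, kind,
                       parse_json=(fmt == "json" and kind == "secret"))


def ref_from_param(param_value: str) -> KeyVaultRef:
    """Parse the JSON object stored on the machine parameter, e.g.
    '{ "LookupUri": "azkeyvault://my-key-vault?secret=my-cert&type=cert" }'."""
    obj = json.loads(param_value)
    if not isinstance(obj, dict) or not isinstance(obj.get("LookupUri"), str):
        raise ValueError("parameter value must be a JSON object with a string LookupUri")
    return parse_lookup_uri(obj["LookupUri"])


def decode_value(ref: KeyVaultRef, raw: str) -> Any:
    """Apply the page's rules: format=json parses secrets; certificates stay strings."""
    return json.loads(raw) if ref.parse_json else raw


def is_valid(uri: str) -> bool:
    """Convenience wrapper for validating a LookupUri without raising."""
    try:
        parse_lookup_uri(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ref = ref_from_param('{ "LookupUri": "azkeyvault://my-key-vault?secret=ipmi-password-json&format=json" }')
    print(ref, ref.request_url)
    # Constructed sample value, standing in for what Key Vault would return.
    print(decode_value(ref, '{"user": "admin", "password": "constructed"}'))
```

Running ref_from_param on the two drpcli examples from this page yields a secret reference with JSON parsing enabled and a certificate reference with it disabled; anything with another scheme, a malformed vault name, a missing secret name or an unrecognised query parameter is rejected before any HTTPS request would be made.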
Template Expansion¶
The URI supports DRP parameter template expansion, enabling machine-specific lookups:
Troubleshooting¶
Enable verbose plugin logging to diagnose connectivity issues:
Reset to the default log level after troubleshooting.