
Azure Key Vault

Vegha can resolve secrets directly from Azure Key Vault. Once a provider is configured, reference any Key Vault secret with the secret:// URI scheme and Vegha fetches it at send time.

Add an Azure Key Vault provider in Vegha’s secret-manager settings. You supply the vault to connect to and choose how Vegha authenticates.

Vegha supports two authentication modes for Key Vault:

| Mode | What you provide |
| --- | --- |
| Entra ID service principal | Tenant ID, client ID, client secret |
| Azure CLI / managed identity | Nothing — the ambient Azure credential chain is used |

  • Entra ID service principal — register an app in Entra ID and supply its tenant ID, client ID, and client secret. Use this for explicit, scoped credentials.
  • Azure CLI / managed identity — Vegha uses the ambient Azure credential chain, which picks up an az login session or a managed identity when running on Azure infrastructure. No credentials are entered into Vegha.

The identity Vegha authenticates as needs read access to Key Vault secrets — the Get secret permission (for example, the Key Vault Secrets User role under RBAC, or a corresponding access policy). No write or management permissions are required.

Reference a Key Vault secret with:

secret://<provider>/<secret-name>
  • <provider> is the name you gave the configured Azure Key Vault provider
  • <secret-name> is the name of the secret in the vault

If the secret’s value is structured (for example JSON), append #field to select one field:

secret://<provider>/db-credentials#password

Place the secret:// reference anywhere a variable is allowed — a header, the URL, the body, or an auth field. For example, as a bearer token:

Authorization: Bearer {{secret://azure-prod/api-token}}

At send time Vegha contacts Key Vault, retrieves the value, and uses it for that request only.
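
The reference syntax above, worked through as an added example (not Vegha's own code): it parses `secret://<provider>/<secret-name>#field`, selects a JSON field, and substitutes `{{...}}` placeholders in a request field. The function names, the in-memory `FAKE_VAULT` standing in for Key Vault, and the exact parsing rules are assumptions.

```python
import json
import re
from typing import Callable, NamedTuple, Optional

# Added example, not Vegha's code; the parsing rules here are assumptions.
# Key Vault secret names: 1-127 characters, letters, digits and hyphens only.
SECRET_NAME = re.compile(r"[0-9A-Za-z-]{1,127}")
PLACEHOLDER = re.compile(r"\{\{\s*(secret://[^}\s]+)\s*\}\}")

class SecretRef(NamedTuple):
    provider: str
    name: str
    field: Optional[str]

def parse_ref(ref: str) -> SecretRef:
    """Split secret://<provider>/<secret-name>[#field] into its parts."""
    if not ref.startswith("secret://"):
        raise ValueError("not a secret:// reference")
    path, _, field = ref[len("secret://"):].partition("#")
    provider, sep, name = path.partition("/")
    if not provider or not sep or not SECRET_NAME.fullmatch(name):
        raise ValueError(f"malformed reference: {ref!r}")
    return SecretRef(provider, name, field or None)

def resolve(ref: str, fetch: Callable[[str, str], str]) -> str:
    """Fetch the secret and, if #field is present, select that JSON field."""
    r = parse_ref(ref)
    value = fetch(r.provider, r.name)
    if r.field is None:
        return value
    try:
        doc = json.loads(value)
    except json.JSONDecodeError:  # error text names the secret, never its value
        raise ValueError(f"{r.name} is not structured; #{r.field} cannot apply")
    if not isinstance(doc, dict) or r.field not in doc:
        raise KeyError(f"{r.name} has no field {r.field!r}")
    return str(doc[r.field])

def render(template: str, fetch: Callable[[str, str], str]) -> str:
    """Substitute every {{secret://...}} placeholder in one request field."""
    return PLACEHOLDER.sub(lambda m: resolve(m.group(1), fetch), template)

# Constructed stand-in for Key Vault: (provider, secret name) -> value.
FAKE_VAULT = {
    ("azure-prod", "api-token"): "tok-constructed-123",
    ("azure-prod", "db-credentials"): '{"user": "app", "password": "pw-constructed"}',
}

def fake_fetch(provider: str, name: str) -> str:
    return FAKE_VAULT[(provider, name)]
```

Applying `#field` to an unstructured secret, or using a name Key Vault would not accept, fails before anything is substituted into the request.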