Securing Secrets with Azure Key Vault and Terraform
Introduction
Azure Key Vault is a cloud service that provides a secure store for secrets, such as keys, passwords, and certificates. By utilizing Azure Key Vault, organizations can manage sensitive information in a centralized and secure manner, ensuring that only authorized applications and users have access to critical data. Infrastructure as Code (IaC), particularly with tools like Terraform, allows for the automated deployment and management of Azure resources, including Key Vault. This approach not only enhances efficiency but also minimizes human error and promotes consistency across environments.
In this tutorial, we will explore how to create and manage an Azure Key Vault using Terraform. We will cover essential aspects such as secrets management, access policies, and Role-Based Access Control (RBAC). By the end of this tutorial, you will have a comprehensive understanding of how to secure your secrets with Azure Key Vault and Terraform. 🚀
Prerequisites
Before you begin, ensure you have the following:
- Terraform CLI: Install Terraform on your local machine or use Azure Cloud Shell.
- Azure Subscription: If you don't have an Azure subscription, create a free account here.
- Azure CLI: Install and configure the Azure CLI to manage Azure resources.
- Service Principal: Create a service principal for Terraform to authenticate with Azure.
Fundamental Concepts
Key Terminology
- Azure Key Vault: A secure storage service for secrets, keys, and certificates.
- Secrets: Sensitive information such as passwords or API keys stored in Key Vault.
- Access Policies: Rules that define who can access the Key Vault and what actions they can perform.
- RBAC (Role-Based Access Control): A method for managing access to Azure resources based on user roles.
Resource Dependencies
When creating a Key Vault, you first need its dependencies: the resource group it lives in and, if you intend to restrict network access, the networking components (e.g., a virtual network or subnet) that are allowed to reach it.
State Management
Terraform maintains a state file that maps your configuration to the actual resources in Azure. This state file is critical for managing updates and ensuring that your infrastructure matches your configuration. Note that the state also records resource attributes, including secret values written with azurerm_key_vault_secret, so the state file must be protected as carefully as the vault itself.
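An added example, not from the tutorial, showing one way to act on that point: keep the state in an Azure Storage backend authenticated with Entra ID (so no storage account key is needed) and pass the secret in as a sensitive variable instead of a literal in source control. The storage account, container and key names are placeholders, the backend block assumes the container already exists, and the secret references the tutorial's azurerm_key_vault.example resource.

```hcl
# Added example (not part of the tutorial). State goes to a remote, access-controlled
# backend because azurerm_key_vault_secret values are written to it in plaintext.
terraform {
  required_version = ">= 1.5.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"   # argument names in this tutorial match the 3.x provider
    }
  }

  backend "azurerm" {
    resource_group_name  = "tfstate-rg"         # placeholder
    storage_account_name = "tfstateexample123"  # placeholder, must be globally unique
    container_name       = "tfstate"            # placeholder, created beforehand
    key                  = "keyvault-tutorial.tfstate"
    use_azuread_auth     = true   # RBAC on the container instead of a storage account key
  }
}

provider "azurerm" {
  features {}
}

# The secret value never appears in the .tf files; supply it via TF_VAR_db_password
# or a tfvars file that is excluded from version control.
variable "db_password" {
  type      = string
  sensitive = true   # redacted from plan output, but still stored in state
}

resource "azurerm_key_vault_secret" "db_password" {
  name         = "db-password"
  value        = var.db_password
  key_vault_id = azurerm_key_vault.example.id   # vault defined later in the tutorial
}
```

Granting the Terraform identity the Storage Blob Data Contributor role on the container is what `use_azuread_auth = true` relies on; the storage account's shared keys can then stay unused.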
Resource Syntax
The primary resource we will use in this tutorial is azurerm_key_vault. Below is the HCL syntax for creating a Key Vault, along with a table of its key arguments.
resource "azurerm_key_vault" "example" {
  name                       = var.key_vault_name
  location                   = var.location
  resource_group_name        = azurerm_resource_group.example.name
  sku_name                   = "standard"
  tenant_id                  = data.azurerm_client_config.example.tenant_id
  soft_delete_retention_days = 7
  enable_purge_protection    = true
}
| Argument | Description |
|---|---|
| name | The name of the Key Vault. Must be globally unique. |
| location | The Azure region where the Key Vault will be created. |
| resource_group_name | The name of the resource group in which to create the vault. |
| sku_name | The SKU of the Key Vault (e.g., standard, premium). |
| tenant_id | The tenant ID of the Azure Active Directory. |
| soft_delete_retention_days | The retention period for soft-deleted vaults. |
| enable_purge_protection | Enables purge protection for the Key Vault. |
Practical Examples
1. Create a Resource Group
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "East US"
}
2. Create the Key Vault
resource "azurerm_key_vault" "example" {
  name                       = "myuniquekeyvault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  sku_name                   = "standard"
  tenant_id                  = data.azurerm_client_config.example.tenant_id
  soft_delete_retention_days = 7
  enable_purge_protection    = true
}
3. Create a Secret
resource "azurerm_key_vault_secret" "example" {
  name         = "mysecret"
  value        = "SuperSecretValue!"
  key_vault_id = azurerm_key_vault.example.id
}
4. Create an Access Policy
resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.example.tenant_id
  object_id    = var.user_object_id

  # Permission names are case-sensitive in the azurerm 3.x provider
  secret_permissions = [
    "Get",
    "List",
    "Set",
    "Delete",
  ]
}
5. Use RBAC for Access Control
Access policies and RBAC are mutually exclusive on a vault: for the role assignment below to grant data-plane access, set enable_rbac_authorization = true on the azurerm_key_vault resource and omit the access policy from step 4.
resource "azurerm_role_assignment" "example" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = var.user_object_id
}
6. Output Key Vault Information
output "key_vault_uri" {
  value = azurerm_key_vault.example.vault_uri
}
7. Clean Up Resources
terraform plan -destroy -out main.destroy.tfplan
terraform apply main.destroy.tfplan
8. Verify the Secret
You can verify the secret using Azure CLI:
az keyvault secret show --name mysecret --vault-name myuniquekeyvault
Real-World Use Cases
1. Application Configuration Management
Securely store application secrets like database connection strings and API keys to ensure that sensitive information is not hard-coded in applications.
2. Certificate Management
Use Azure Key Vault to manage SSL/TLS certificates for web applications, automating the renewal and deployment process.
3. Secure Storage for DevOps Pipelines
Integrate Azure Key Vault with CI/CD pipelines to securely retrieve secrets during deployment, ensuring that sensitive information is kept secure.
Best Practices
- Use RBAC over Access Policies: Prefer Azure RBAC for managing access to Key Vault instead of legacy access policies. This provides a more secure and centralized access management system. ⚠️
- Enable Soft Delete and Purge Protection: Always enable both. Soft delete lets you recover deleted vaults and secrets during the retention period, and purge protection prevents anyone from permanently deleting them before that period ends. 🔧
- Limit Access: Apply the principle of least privilege by granting only the necessary permissions to users and applications.
- Monitor Key Vault Activity: Enable logging and monitoring for Key Vault to track access and changes to secrets, keys, and certificates.
- Use Managed Identities: Implement Azure Managed Identities for applications to eliminate the need for hard-coded credentials.
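An added example, not from the tutorial, that puts these five practices into one configuration: a vault in RBAC mode with soft delete and purge protection, network rules that deny by default, a user-assigned managed identity that can only read secrets, and diagnostic settings that send audit events to Log Analytics. It assumes the tutorial's azurerm_resource_group.example and data.azurerm_client_config.example exist, uses azurerm 3.x argument names to match the rest of the page, and the vault, identity and workspace names and the IP range are placeholders.

```hcl
# Added example (not part of the tutorial). Names and the CIDR are placeholders.
variable "db_connection_string" {
  type      = string
  sensitive = true
}

resource "azurerm_key_vault" "hardened" {
  name                       = "kv-hardened-example"   # placeholder, must be globally unique
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.example.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 90
  enable_purge_protection    = true
  enable_rbac_authorization  = true   # data-plane access via Azure RBAC, not access policies

  network_acls {
    default_action = "Deny"           # deny by default ...
    bypass         = "AzureServices"  # ... but let trusted Azure services through
    ip_rules       = ["203.0.113.0/24"]  # placeholder; must include where Terraform runs from
  }
}

# The identity running Terraform needs a data-plane role before it can write a secret.
resource "azurerm_role_assignment" "deployer_secrets_officer" {
  scope                = azurerm_key_vault.hardened.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.example.object_id
}

# Managed identity for the application: no client secret or certificate to store anywhere.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-app-example"   # placeholder
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Least privilege: the application can read secret values but not create or delete them.
resource "azurerm_role_assignment" "app_secrets_user" {
  scope                = azurerm_key_vault.hardened.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

resource "azurerm_key_vault_secret" "db_connection" {
  name         = "db-connection-string"
  value        = var.db_connection_string
  key_vault_id = azurerm_key_vault.hardened.id

  # Role assignments take time to propagate; make the ordering explicit.
  depends_on = [azurerm_role_assignment.deployer_secrets_officer]
}

# Audit logging: every data-plane call (who read or wrote which secret) lands in Log Analytics.
resource "azurerm_log_analytics_workspace" "audit" {
  name                = "law-keyvault-audit"   # placeholder
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

resource "azurerm_monitor_diagnostic_setting" "kv_audit" {
  name                       = "kv-audit-to-law"
  target_resource_id         = azurerm_key_vault.hardened.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.audit.id

  enabled_log {
    category = "AuditEvent"
  }

  metric {
    category = "AllMetrics"
  }
}
```

With this in place, the application authenticates as the managed identity and never holds a credential, every secret read shows up as an AuditEvent record with the caller's identity and source IP, and a request from outside the allowed ranges is refused before it reaches the RBAC check.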
Common Errors
Error: "Key Vault name is not unique"
- Cause: The specified Key Vault name already exists.
- Solution: Change the Key Vault name to something unique.
Error: "Insufficient permissions to perform the operation"
- Cause: The user or service principal does not have the required permissions.
- Solution: Ensure that the correct RBAC roles are assigned.
Error: "The Key Vault is in a soft-delete state"
- Cause: A vault with the same name was deleted and is still retained in the soft-delete state, so the name cannot be reused until the retention period ends.
- Solution: Restore the Key Vault or permanently delete it if you want to create a new one (permanent deletion is only possible if purge protection was not enabled).
Error: "Invalid Key Vault URI"
- Cause: The Key Vault URI is incorrectly formatted or does not exist.
- Solution: Verify the Key Vault URI in your configuration.
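The first error above is avoidable at plan time. As an added example that is not part of the tutorial, the variable below validates a name prefix against the Key Vault naming rules (3-24 characters, letters, digits and hyphens only, starting with a letter, ending with a letter or digit, no consecutive hyphens) and a random suffix makes the final name globally unique. It assumes the hashicorp/random provider is available; the prefix default is an arbitrary value.

```hcl
# Added example (not part of the tutorial). Requires the hashicorp/random provider.
variable "key_vault_prefix" {
  type    = string
  default = "kv-tutorial"   # placeholder

  validation {
    # 2-17 chars so that "<prefix>-<6-char suffix>" stays within the 24-char limit;
    # must start with a letter, end with a letter or digit, and contain no "--".
    condition = (
      can(regex("^[A-Za-z][A-Za-z0-9-]{0,15}[A-Za-z0-9]$", var.key_vault_prefix))
      && !can(regex("--", var.key_vault_prefix))
    )
    error_message = "key_vault_prefix must be 2-17 characters, start with a letter, end with a letter or digit, use only letters, digits and hyphens, and not contain consecutive hyphens."
  }
}

# Six lowercase letters/digits, so the suffix always ends the name with a letter or digit.
resource "random_string" "kv_suffix" {
  length  = 6
  upper   = false
  special = false
}

locals {
  key_vault_name = "${var.key_vault_prefix}-${random_string.kv_suffix.result}"
}

output "key_vault_name" {
  value = local.key_vault_name
}
```

Pass `local.key_vault_name` as the `name` of the azurerm_key_vault resource; an invalid prefix fails `terraform plan` with the error message above instead of failing halfway through `terraform apply`.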
Related Resources
| Resource Type | Resource Name | Documentation Link |
|---|---|---|
| Terraform | azurerm_key_vault | Terraform Registry |
| Azure | Azure Key Vault Overview | Microsoft Docs |
| Terraform | azurerm_key_vault_secret | Terraform Registry |
| Azure | Azure RBAC for Key Vault | Microsoft Docs |
Complete Infrastructure Script
Here’s a complete Terraform configuration to set up an Azure Key Vault with a secret and RBAC:
provider "azurerm" {
  features {}
}

data "azurerm_client_config" "example" {}

# Object ID of the user or service principal that will manage secrets
variable "user_object_id" {
  type = string
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "East US"
}

resource "azurerm_key_vault" "example" {
  name                       = "myuniquekeyvault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  sku_name                   = "standard"
  tenant_id                  = data.azurerm_client_config.example.tenant_id
  soft_delete_retention_days = 7
  enable_purge_protection    = true
  # Required for the role assignment below to grant data-plane access;
  # without it the vault uses access policies and the role has no effect
  enable_rbac_authorization  = true
}

resource "azurerm_role_assignment" "example" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = var.user_object_id
}

resource "azurerm_key_vault_secret" "example" {
  name         = "mysecret"
  value        = "SuperSecretValue!" # demo value; it is also written to Terraform state in plaintext
  key_vault_id = azurerm_key_vault.example.id

  # If var.user_object_id is the identity running Terraform, it needs the role
  # before the secret can be written
  depends_on = [azurerm_role_assignment.example]
}

output "key_vault_uri" {
  value = azurerm_key_vault.example.vault_uri
}
Conclusion
In this tutorial, we explored how to secure secrets using Azure Key Vault and Terraform. We covered the creation of a Key Vault, the management of secrets, and the implementation of access control using RBAC. By following best practices, you can ensure that your sensitive information remains secure and accessible only to authorized users and applications.
As a next step, consider integrating Azure Key Vault with your applications and CI/CD pipelines to enhance security further. 💡
References
- Terraform Registry - azurerm_key_vault
- Microsoft Azure - Key Vault Overview
- Microsoft Azure - RBAC for Key Vault
This concludes our tutorial on securing secrets with Azure Key Vault and Terraform. Happy coding! 🔑