Azure Key Vault Secrets

Azure Key Vault stores and manages secrets, such as passwords and database connection strings. TIBCO Flogo® Enterprise retrieves values for Flogo app properties from Azure Key Vault Secrets and overrides them at runtime.

Integrating Azure Key Vault

To integrate the Flogo app with Azure Key Vault, set the following environment variables for your application:

  • FLOGO_APP_PROPS_AZURE_KEYVAULT: Set to true to enable Azure Key Vault integration.

  • FLOGO_AZURE_KEYVAULT_NAME: Specify the name of your Azure Key Vault.

Authentication Methods

Flogo supports the following authentication methods for accessing Azure Key Vault:

  • Service Principal with Secret

  • Managed Identities for Azure Resources

To configure Azure Key Vault credential management, set the following environment variables at runtime based on your authentication method.

For Service Principal with Secret

  Variable                         Description
  FLOGO_APP_PROPS_AZURE_KEYVAULT   Set this to true to integrate the Flogo app with Azure Key Vault.
  FLOGO_AZURE_KEYVAULT_NAME        Specify the Azure Key Vault name.
  AZURE_TENANT_ID                  The Microsoft Entra tenant (directory) ID.
  AZURE_CLIENT_ID                  The client (application) ID of an App Registration in the tenant.
  AZURE_CLIENT_SECRET              The client secret generated for the App Registration.

For Managed Identities for Azure Resources

  Variable                         Description
  FLOGO_APP_PROPS_AZURE_KEYVAULT   Set this to true to integrate the Flogo app with Azure Key Vault.
  FLOGO_AZURE_KEYVAULT_NAME        Specify the Azure Key Vault name.

Note:
  • The Flogo app always fetches the current Azure Key Vault Secret version.

  • The identity used by your application must have at least the Key Vault Secrets User role to retrieve secrets from Azure Key Vault.

  • If Azure Key Vault uses access policies to manage permissions, then the identity used by your application must have at least Get Secret permissions, which are required to retrieve secrets from Azure Key Vault.

Setting Azure Key Vault Secrets

To override the app property values, create a key-value pair for each property in Azure Key Vault Secrets. You can create standalone properties or organize them in a hierarchy.

  • For a standalone property, use the property name as the secret name in Azure Key Vault. Each underscore (_) in the property name is replaced with a hyphen (-).

    For example, if the app property name is Property_1, then the secret is looked up under the name Property-1 in Azure Key Vault.

  • For hierarchical properties, each period (.) and each underscore (_) in the property name is replaced with a hyphen (-).

    For example, if the app property name is Group_1.Group_2.Property_1, then the secret is looked up under the name Group-1-Group-2-Property-1 in Azure Key Vault.

Warning: The secret name in Azure Key Vault must exactly match the property name in the Flogo Application Properties dialog (after replacing underscores and periods with hyphens). If the names do not match, or if the secret is disabled, the Flogo application displays a warning and uses the default property value.
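The name mapping and the default fallback described above, as an added Go example (not Flogo's own code): the in-memory SecretStore is a constructed stand-in for the Azure Key Vault client, and the warning messages are illustrative.

```go
package main

import (
	"fmt"
	"strings"
)

// SecretEntry models one Key Vault secret (constructed); Enabled=false means its current version is disabled.
type SecretEntry struct {
	Value   string
	Enabled bool
}

// SecretStore stands in for the Azure Key Vault client: secret name -> entry.
type SecretStore map[string]SecretEntry

// SecretName maps a Flogo app property name to its Key Vault secret name: every
// underscore and period becomes a hyphen (Group_1.Group_2.Property_1 -> Group-1-Group-2-Property-1).
func SecretName(property string) string {
	return strings.NewReplacer("_", "-", ".", "-").Replace(property)
}

// ResolveProperties overrides each property's default with the vault value when a matching,
// enabled secret exists; otherwise it keeps the default and records a warning.
func ResolveProperties(defaults map[string]string, vault SecretStore) (map[string]string, []string) {
	resolved := make(map[string]string, len(defaults))
	var warnings []string
	for prop, def := range defaults {
		name := SecretName(prop)
		entry, ok := vault[name]
		switch {
		case !ok:
			warnings = append(warnings, fmt.Sprintf("no secret %q for property %q; using default", name, prop))
			resolved[prop] = def
		case !entry.Enabled:
			warnings = append(warnings, fmt.Sprintf("secret %q is disabled; using default for %q", name, prop))
			resolved[prop] = def
		default:
			resolved[prop] = entry.Value
		}
	}
	return resolved, warnings
}

func main() {
	// Constructed sample data: property defaults from the app and a fake vault.
	defaults := map[string]string{"Property_1": "dev-pass", "Group_1.Group_2.Property_1": "jdbc:dev"}
	vault := SecretStore{"Property-1": {Value: "prod-pass", Enabled: true}}
	values, warnings := ResolveProperties(defaults, vault)
	fmt.Println(values, warnings)
}
```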