
Azure Key Vault

docs/documentation/platform/pki/certificate-syncs/azure-key-vault.mdx


## Prerequisites

- Create an Azure Key Vault Connection.
- Ensure your network security policies allow inbound requests from Infisical to this certificate sync provider, if network restrictions apply.

<Note>
  The Azure Key Vault Certificate Sync requires the following certificate permissions on the user / service principal that Infisical uses to sync certificates to Azure Key Vault: `certificates/list`, `certificates/get`, `certificates/import`, `certificates/delete`.

  Any role that grants these permissions will work, such as the built-in Key Vault Certificates Officer role.
</Note>

<Note>
  Certificates synced to Azure Key Vault are stored as certificate objects, preserving both the certificate and its private key.
</Note>

<Tabs>
<Tab title="Infisical UI">
    1. Navigate to **Project** > **Integrations** > **Certificate Syncs** and press **Add Sync**.
    ![Certificate Syncs Tab](/images/platform/pki/certificate-syncs/general/create-certificate-sync.png)
    2. Select the **Azure Key Vault** option.
    ![Select Key Vault](/images/platform/pki/certificate-syncs/azure-key-vault/select-akv-option.png)

    3. Configure the **Destination** to where certificates should be deployed, then click **Next**.
    ![Configure Destination](/images/platform/pki/certificate-syncs/azure-key-vault/akv-destination.png)

        - **Azure Connection**: The Azure Connection to authenticate with.
        - **Vault Base URL**: The URL of your Azure Key Vault.

    4. Configure the **Sync Options** to specify how certificates should be synced, then click **Next**.
    ![Configure Options](/images/platform/pki/certificate-syncs/azure-key-vault/akv-options.png)

        - **Enable Removal of Expired/Revoked Certificates**: If enabled, Infisical will remove certificates from the destination if they are no longer active in Infisical.
        - **Enable Versioning on Renewal**: If enabled, Infisical will sync renewed certificates to the destination under a new version of the original synced certificate instead of creating a new certificate.
        - **Include Root CA**: If enabled, the Root CA certificate will be included in the certificate chain when syncing to Azure Key Vault. If disabled, only intermediate certificates will be included.
        - **Certificate Name Schema** (Optional): Customize how certificate names are generated in Azure Key Vault. Use `{{certificateId}}` as a placeholder for the certificate ID. If not specified, defaults to `Infisical-{{certificateId}}`.
        - **Auto-Sync Enabled**: If enabled, certificates will automatically be synced when changes occur. Disable to enforce manual syncing only.

    <Tip>
        **Azure Key Vault Soft Delete**: When certificates are removed from Azure Key Vault, they are placed in a soft-deleted state rather than being permanently deleted. This means:
        - Subsequent syncs will not re-add these soft-deleted certificates automatically.
        - To resync removed certificates, you must first either **purge** them from Azure Key Vault or **recover** them through the Azure portal/CLI.
    </Tip>

    5. Configure the **Details** of your Azure Key Vault Certificate Sync, then click **Next**.
    ![Configure Details](/images/platform/pki/certificate-syncs/azure-key-vault/akv-details.png)

        - **Name**: The name of your sync. Must be slug-friendly.
        - **Description**: An optional description for your sync.

    6. Select which certificates should be synced to Azure Key Vault.
    ![Select Certificates](/images/platform/pki/certificate-syncs/azure-key-vault/akv-certificates.png)

    7. Review your Azure Key Vault Certificate Sync configuration, then click **Create Sync**.
    ![Confirm Configuration](/images/platform/pki/certificate-syncs/azure-key-vault/akv-review.png)

    8. If auto-sync is enabled, your Azure Key Vault Certificate Sync will begin syncing your certificates to the destination vault.
    ![Sync Certificates](/images/platform/pki/certificate-syncs/azure-key-vault/akv-synced.png)
</Tab>
<Tab title="API">
    To create an **Azure Key Vault Certificate Sync**, make an API request to the [Create Azure Key Vault Certificate Sync](/api-reference/endpoints/pki/syncs/azure-key-vault/create) API endpoint.

    ### Sample request

    <Note>
      You can optionally specify `certificateIds` during sync creation to immediately add certificates to the sync.
      If not provided, you can add certificates later using the certificate management endpoints.
    </Note>

    ```bash Request
    curl --request POST \
    --url https://app.infisical.com/api/v1/cert-manager/syncs/azure-key-vault \
    --header 'Authorization: Bearer <access-token>' \
    --header 'Content-Type: application/json' \
    --data '{
        "name": "my-key-vault-cert-sync",
        "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "description": "an example certificate sync",
        "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "destination": "azure-key-vault",
        "isAutoSyncEnabled": true,
        "certificateIds": [
            "550e8400-e29b-41d4-a716-446655440000",
            "660f1234-e29b-41d4-a716-446655440001"
        ],
        "syncOptions": {
            "canRemoveCertificates": true,
            "enableVersioningOnRenewal": true,
            "includeRootCa": false,
            "certificateNameSchema": "myapp-{{certificateId}}"
        },
        "destinationConfig": {
            "vaultBaseUrl": "https://my-key-vault.vault.azure.net"
        }
    }'
    ```

    ### Sample response

    ```json Response
    {
        "pkiSync": {
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "name": "my-key-vault-cert-sync",
            "description": "an example certificate sync",
            "destination": "azure-key-vault",
            "isAutoSyncEnabled": true,
            "destinationConfig": {
                "vaultBaseUrl": "https://my-key-vault.vault.azure.net"
            },
            "syncOptions": {
                "canRemoveCertificates": true,
                "enableVersioningOnRenewal": true,
                "includeRootCa": false,
                "certificateNameSchema": "myapp-{{certificateId}}"
            },
            "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "createdAt": "2023-01-01T00:00:00.000Z",
            "updatedAt": "2023-01-01T00:00:00.000Z"
        }
    }
    ```
</Tab>
</Tabs>
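As an added example (not Infisical's own code), the helper below builds the request body shown in the API tab and pre-checks the two settings that otherwise fail only once the sync runs: it expands the `{{certificateId}}` placeholder in the certificate name schema (falling back to the documented default) and validates the resulting name against Azure Key Vault's object-name rule, and it checks the vault base URL shape. The naming rule (1-127 letters, digits or hyphens) and the public-cloud `vault.azure.net` suffix are assumptions, not stated on this page.

```python
import re
import uuid

DEFAULT_NAME_SCHEMA = "Infisical-{{certificateId}}"   # documented default
PLACEHOLDER = "{{certificateId}}"
# Assumed Azure Key Vault naming rule (not stated on this page): object names
# are 1-127 characters of letters, digits and hyphens. Public cloud suffix assumed.
AKV_NAME_RE = re.compile(r"^[0-9A-Za-z-]{1,127}$")
VAULT_URL_RE = re.compile(r"^https://[a-z0-9-]+\.vault\.azure\.net/?$")


def render_certificate_name(schema, certificate_id):
    """Expand {{certificateId}} and verify the result is a valid AKV object name."""
    schema = schema or DEFAULT_NAME_SCHEMA
    if PLACEHOLDER not in schema:
        raise ValueError("schema must contain the {{certificateId}} placeholder")
    name = schema.replace(PLACEHOLDER, certificate_id)
    if not AKV_NAME_RE.match(name):
        raise ValueError(f"{name!r} is not a valid Azure Key Vault object name")
    return name


def build_create_sync_payload(name, project_id, connection_id, vault_base_url,
                              certificate_ids=(), description="", can_remove=False,
                              versioning_on_renewal=True, include_root_ca=False,
                              name_schema=None, auto_sync=True):
    """Body for POST /api/v1/cert-manager/syncs/azure-key-vault, using the field
    names of the sample request above; rejects inputs that would fail at sync time."""
    if not VAULT_URL_RE.match(vault_base_url):
        raise ValueError("vaultBaseUrl must look like https://<vault>.vault.azure.net")
    for cid in certificate_ids:
        uuid.UUID(cid)                               # certificate IDs are UUIDs
        render_certificate_name(name_schema, cid)    # surface a bad schema early
    return {
        "name": name,
        "projectId": project_id,
        "description": description,
        "connectionId": connection_id,
        "destination": "azure-key-vault",
        "isAutoSyncEnabled": auto_sync,
        "certificateIds": list(certificate_ids),
        "syncOptions": {
            "canRemoveCertificates": can_remove,
            "enableVersioningOnRenewal": versioning_on_renewal,
            "includeRootCa": include_root_ca,
            "certificateNameSchema": name_schema or DEFAULT_NAME_SCHEMA,
        },
        "destinationConfig": {"vaultBaseUrl": vault_base_url.rstrip("/")},
    }
```

Send the returned dict as the JSON body of the curl request above; a schema containing characters such as `_` is rejected here instead of producing a failed sync.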

## Certificate Management

The Azure Key Vault Certificate Sync provides:

- **Automatic Deployment**: Deploy certificates issued in Infisical to Azure Key Vault.
- **Certificate Updates**: Update certificates in Azure Key Vault when renewals occur.
- **Expiration Handling**: Remove expired or revoked certificates from Azure Key Vault when the removal option is enabled.
- **Format Preservation**: Maintain certificate format and metadata during sync operations.

<Note>
  Azure Key Vault Certificate Syncs support both automatic and manual synchronization modes. When auto-sync is enabled, certificates are deployed automatically as they are issued or renewed.
</Note>

## Manual Certificate Sync

You can manually trigger certificate synchronization to Azure Key Vault using the sync certificates functionality. This is useful for:

- Initial setup when you have existing certificates to deploy
- One-time syncs of specific certificates
- Testing certificate sync configurations
- Forcing a sync after making changes

To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Infisical UI.

## FAQ

<Accordion title="Can I import certificates from Azure Key Vault back into Infisical?">
  No. Importing certificates from Azure Key Vault back into Infisical is not supported, because private keys cannot be extracted from Azure Key Vault.
</Accordion>