# Azure Key Vault

{% hint style="info" %}
The following documentation is for **Azure Key Vault v1.3.4** *(BDK)*.
{% endhint %}

## Overview

Azure Key Vault securely stores and manages cryptographic keys, secrets, and certificates in the cloud. This integration enables automated secret management, key rotation, and secure credential workflows. Use it to strengthen your security posture and automate the protection of sensitive data in Azure environments.

## Prerequisites

### 1. Required Books

The following Book(s) need to be added to your agent so it can learn and understand the automation procedures defined within them:

* **Azure Key Vault**

#### How to Add the Book(s)

1. Go to **Books** → **All Books**.
2. Search for the name of the book and click on it.
3. Click on <kbd>**Install**</kbd> or <kbd>**Add Connection**</kbd> to add the book to your agent.
4. If adding a connection, you'll be prompted for [**connectivity**](#connectivity) details.

## Connectivity

This section outlines the available methods for connecting to the Book, along with the required configuration details for each.

### Connect using Azure tenant ID, Azure client ID, Azure client secret and Azure subscription ID

Connect to Microsoft Graph API using client credentials.

| Label                 | Description                 | Type        |
| --------------------- | --------------------------- | ----------- |
| Azure tenant ID       | The Azure tenant ID         | `text`      |
| Azure client ID       | The client (application) ID | `text`      |
| Azure client secret   | The client secret           | `sensitive` |
| Azure subscription ID | The Azure subscription ID   | `text`      |

## Procedures

### to get (key vaults)

![FILTER - CAPABLE](https://img.shields.io/static/v1?label=FILTER\&message=CAPABLE\&color=blue)

Get all Key Vaults accessible to the authenticated principal.

**Output Concepts**

| Concept                                    | Description                                                                        | Type                        |
| ------------------------------------------ | ---------------------------------------------------------------------------------- | --------------------------- |
| [`key vaults`](#azure-key-vault-reference) | A list of Azure Key Vault references matching the filter expression (if provided). | `azure key vault reference` |

**Examples**

Get all the key vaults in an Azure subscription

```generic
get some key vaults
```

Get a specific key vault in an Azure subscription

```generic
get a key vault whose name is "bdk-test-keyvault"
```

### to get a (secret) from a key vault

Get a secret from a Key Vault.

**Input Concepts**

| Concept                                   | Description                                            | Type                        | Required | Default Value |
| ----------------------------------------- | ------------------------------------------------------ | --------------------------- | -------- | ------------- |
| [`key vault`](#azure-key-vault-reference) | The Key Vault from which to retrieve the secret.       | `azure key vault reference` | Yes      | (no default)  |
| `secret name`                             | The name of the secret to retrieve from the Key Vault. | `text`                      | Yes      | (no default)  |

**Output Concepts**

| Concept  | Description                  | Type   |
| -------- | ---------------------------- | ------ |
| `secret` | The retrieved secret's value | `text` |

**Examples**

Get a secret from a Key Vault

```generic
get a key vault whose name is "bdk-test-keyvault"
get a secret from the key vault with
    the secret name is "api-key"
```

### to list (secrets) in a key vault

Get all secrets in a Key Vault.

**Input Concepts**

| Concept                                   | Description                               | Type                        | Required | Default Value |
| ----------------------------------------- | ----------------------------------------- | --------------------------- | -------- | ------------- |
| [`key vault`](#azure-key-vault-reference) | The Key Vault from which to list secrets. | `azure key vault reference` | Yes      | (no default)  |

**Output Concepts**

| Concept   | Description            | Type   |
| --------- | ---------------------- | ------ |
| `secrets` | A list of secret names | `text` |

**Examples**

List all secrets in a Key Vault

```generic
get a key vault whose name is "bdk-test-keyvault"
list secrets in the key vault
```

## Concepts

### Azure key vault reference

Represents a reference to an Azure Key Vault.

| Field Name        | Description                                      | Type             |
| ----------------- | ------------------------------------------------ | ---------------- |
| `id`              | The ID of the key vault.                         | `text`           |
| `name`            | The name of the key vault.                       | `text`           |
| `url`             | The URL of the key vault.                        | `text`           |
| `location`        | The Azure region where the key vault is located. | `optional[text]` |
| `resource_group`  | The resource group containing the key vault.     | `optional[text]` |
| `subscription_id` | The subscription ID containing the key vault.    | `optional[text]` |
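
An added example, not part of the Book or its documentation: a consistency check over the fields of an Azure key vault reference before a secret is requested from its `url`. It assumes that `id` holds the vault's Azure Resource Manager resource ID and that the vault lives in the public cloud (`vault.azure.net`); the function name and the sample values are constructed here.

```python
import re
from urllib.parse import urlsplit

# Assumption: `id` is the vault's ARM resource ID (case-insensitive path).
_VAULT_ID = re.compile(
    r"^/subscriptions/(?P<subscription_id>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<name>[a-z][a-z0-9-]{2,23})$",
    re.IGNORECASE,
)

def check_vault_reference(ref, dns_suffix="vault.azure.net"):
    """Return the list of inconsistencies in a key vault reference (empty if none)."""
    m = _VAULT_ID.match(ref.get("id") or "")
    if not m:
        return ["id is not a Key Vault resource ID"]
    problems = []
    # Optional fields, when present, must agree with what `id` encodes.
    for field in ("name", "resource_group", "subscription_id"):
        value = ref.get(field)
        if value is not None and value.lower() != m.group(field).lower():
            problems.append(f"{field} does not match id")
    # The secret request carries a bearer token, so the URL must point at
    # this vault's own endpoint: https, exact host, default port.
    url = urlsplit(ref.get("url") or "")
    try:
        port = url.port
    except ValueError:
        port = -1
    if url.scheme != "https":
        problems.append("url is not https")
    if url.hostname != f"{m.group('name')}.{dns_suffix}".lower() or port not in (None, 443):
        problems.append("url host is not the vault's own endpoint")
    return problems

# Constructed sample reference; the subscription ID and resource group are placeholders.
SAMPLE = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "example-rg/providers/Microsoft.KeyVault/vaults/bdk-test-keyvault",
    "name": "bdk-test-keyvault",
    "url": "https://bdk-test-keyvault.vault.azure.net/",
    "location": None,
    "resource_group": "example-rg",
    "subscription_id": "00000000-0000-0000-0000-000000000000",
}

if __name__ == "__main__":
    print(check_vault_reference(SAMPLE))
```

For a vault in a sovereign cloud, pass that cloud's Key Vault DNS suffix as `dns_suffix`.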
