Azure Key Vault
chezmoi includes support for Azure Key Vault secrets.
A default Azure Key Vault name can be set in ~/.config/chezmoi/chezmoi.$FORMAT
with azureKeyVault.defaultVault.
Ensure the Azure CLI is installed and log in. The logged-in user
must have the Key Vault Secrets User RBAC role on the Azure Key Vault
resource.
Alternatively, use alternate authentication options.
~/.config/chezmoi/chezmoi.toml
[azureKeyVault]
defaultVault = "contoso-vault2"
~/.config/chezmoi/chezmoi.yaml
azureKeyVault:
  defaultVault: contoso-vault2
~/.config/chezmoi/chezmoi.json
{
  "azureKeyVault": {
    "defaultVault": "contoso-vault2"
  }
}
A secret value can be retrieved with the azureKeyVault template function.
Retrieve the secret my-secret-name from the default configured vault.
exampleSecret = {{ azureKeyVault "my-secret-name" }}
Retrieve the secret my-secret-name from the vault named contoso-vault2.
exampleSecret = {{ azureKeyVault "my-secret-name" "contoso-vault2" }}
It is also possible to define an alias in the configuration file for an additional vault.
~/.config/chezmoi/chezmoi.toml
[data]
vault42 = "contoso-vault42"
[azureKeyVault]
defaultVault = "contoso-vault2"
~/.config/chezmoi/chezmoi.yaml
data:
  vault42: contoso-vault42
azureKeyVault:
  defaultVault: contoso-vault2
~/.config/chezmoi/chezmoi.json
{
  "data": {
    "vault42": "contoso-vault42"
  },
  "azureKeyVault": {
    "defaultVault": "contoso-vault2"
  }
}
Retrieve the secret my-secret-name from the vault named contoso-vault42
through the alias.
exampleSecret = {{ azureKeyVault "my-secret-name" .vault42 }}
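An added example, not part of chezmoi or its documentation: a Python script that lists which secrets the templates read from which vault, so the Key Vault Secrets User role can be granted only on the vaults actually in use. The function name, the template paths and the api-token secret are assumptions; it reads the JSON form of the configuration and matches only the three call forms shown above.

```python
import json
import re
from collections import defaultdict

# The three call forms shown on this page:
#   azureKeyVault "name" | azureKeyVault "name" "vault" | azureKeyVault "name" .alias
CALL = re.compile(r'azureKeyVault\s+"([^"]+)"(?:\s+(?:"([^"]+)"|\.(\w+)))?')

def vault_inventory(config_json, templates):
    """Return {vault name: sorted secret names} for every azureKeyVault call."""
    config = json.loads(config_json)
    default = config.get("azureKeyVault", {}).get("defaultVault")
    data = config.get("data", {})  # assumption: aliases are top-level data keys
    inventory = defaultdict(set)
    for path, text in templates.items():
        for secret, literal, alias in CALL.findall(text):
            # Explicit vault name wins, then a data alias, then the default vault.
            vault = literal or (data.get(alias) if alias else default)
            if not vault:
                raise ValueError(f"{path}: no vault resolves for secret {secret!r}")
            inventory[vault].add(secret)
    return {vault: sorted(names) for vault, names in inventory.items()}

# Constructed sample input: the JSON configuration from this page, plus two
# template files whose paths and the "api-token" secret name are made up.
SAMPLE_CONFIG = """
{
  "data": {"vault42": "contoso-vault42"},
  "azureKeyVault": {"defaultVault": "contoso-vault2"}
}
"""
SAMPLE_TEMPLATES = {
    "dot_env.tmpl": (
        'exampleSecret = {{ azureKeyVault "my-secret-name" }}\n'
        'apiToken = {{ azureKeyVault "api-token" "contoso-vault2" }}\n'
    ),
    "dot_config/app.conf.tmpl":
        'exampleSecret = {{ azureKeyVault "my-secret-name" .vault42 }}\n',
}

if __name__ == "__main__":
    for vault, names in sorted(vault_inventory(SAMPLE_CONFIG, SAMPLE_TEMPLATES).items()):
        print(f"{vault}: {', '.join(names)}")
```

A call that names an alias missing from the configuration, or that relies on a default vault that is not set, raises ValueError with the template path instead of being skipped.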