
# Azure Key Vault

export const s_runner = "Streaming runner";

export const m_runner = "Maia runner";

export const maia = "Maia";

[Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts) manages keys, secrets, and certificates in the Azure portal. Several functions in {maia} require access to these resources.

***

## Creating secrets in Azure Key Vault

1. Log in to your [Azure portal](https://portal.azure.com) account.
2. Browse to the **Key Vaults** service.
3. Click **Create** to open the **Create a key vault** page at the **Basics** tab.
4. Complete the following fields:
   * **Resource Group:** Select an existing resource group. We recommend you choose the same resource group that your {m_runner} will be launched in. To create a new resource group, read [Create resource groups](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal).
   * **Key vault name:** Give your new key vault a name.
   * **Region:** Select an Azure region.
   * **Pricing tier:** Select **Standard** or **Premium** pricing.
5. Click the **Access Policy** tab and review your permission model. **Vault Access Policy** is the default selection. If you want to select the **Azure role-based access control** instead, refer to [Assign an access policy](#assign-an-access-policy).
6. Click **Review + create**, and then click **Create**.
7. After a brief period, your key vault will be created. Under **Next steps**, click **Go to resource**.
8. The **Overview** tab will be displayed. Make a note of your **Vault URI**. You may need to use the Vault URI within {maia}—when you create a {m_runner}, for example.

To create and store a secret:

1. Click **Secrets** in the sidebar, then click **Generate/Import** at the top.

2. Enter the following secret details.

   * **Upload options:** Select **Manual**.
   * **Name:** Enter `agent-rsa`.
   * **Secret value:** Enter your secret key. See the note below on multi-line secrets.

   <Note>
     - Azure Key Vault strips newlines from secrets being added via the graphical user interface (GUI), which will prevent your multi-line secrets from working. Read [Store a multi-line secret in Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/secrets/multiline-secrets) to work around this issue.
     - The following CLI command will maintain newlines:

       ```
       az keyvault secret set --vault-name <vault-name> --name <secret-name> --file <key-file-name>
       ```
   </Note>

3. Leave the other fields blank, and click **Create**.
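The CLI route from the note above, as an added example that is not part of the Maia documentation: it uploads the key file with `az keyvault secret set --file` and then reads the secret back to confirm the newline count survived, which is the failure the portal GUI introduces. The vault name, secret name and key file path are supplied by the caller; the sample key file is a constructed placeholder, not a real key.

```bash
#!/usr/bin/env bash
# Added example (not from the Maia docs): store a multi-line key file in Key Vault
# via the CLI, which keeps newlines, and verify the round trip line count.
set -euo pipefail

# Key Vault secret names must be 1-127 characters of letters, digits and hyphens.
valid_secret_name() {
  local name="$1"
  [ "${#name}" -ge 1 ] && [ "${#name}" -le 127 ] || return 1
  case "$name" in *[!0-9A-Za-z-]*) return 1 ;; esac
}

# Count lines, including a final line that lacks a trailing newline.
line_count() { grep -c '' "$1"; }

# True when the file spans several lines, i.e. the portal GUI would flatten it.
is_multiline() { [ "$(line_count "$1")" -gt 1 ]; }

# Store the file as a secret, then confirm the stored value has the same line count.
upload_and_verify() {
  local vault="$1" name="$2" file="$3" fetched
  valid_secret_name "$name" || { echo "bad secret name: $name" >&2; return 1; }
  is_multiline "$file" || echo "note: $file is single-line; --file is still safe" >&2
  az keyvault secret set --vault-name "$vault" --name "$name" --file "$file" --output none
  fetched="$(mktemp)"
  # tsv output writes the raw string value, embedded newlines included.
  az keyvault secret show --vault-name "$vault" --name "$name" --query value -o tsv > "$fetched"
  if [ "$(line_count "$file")" -eq "$(line_count "$fetched")" ]; then
    echo "ok: $name stored with $(line_count "$file") lines"; rm -f "$fetched"
  else
    echo "MISMATCH: newlines were lost for $name" >&2; rm -f "$fetched"; return 1
  fi
}

# Constructed placeholder key file (not a real key) for local checks.
make_sample_key() {
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-LINE-1' \
    'PLACEHOLDER-LINE-2' '-----END PRIVATE KEY-----' > "$1"
}

# Usage: ./upload_secret.sh <vault-name> <secret-name> <key-file-name>
if [ "$#" -eq 3 ]; then upload_and_verify "$1" "$2" "$3"; fi
```

A line-count mismatch means the stored value was flattened and the secret will not work as a multi-line key.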

***

## Assign an access policy

Configure your access policy by selecting one of the following permission models:

* **Vault Access Policy**: The default permission model that determines whether a security principal, such as a user, application, or user group, can perform different operations on keys, secrets, and certificates.
* **Azure role-based access control**: An authorization system that provides fine-grained access management of Azure resources to grant access at a specific scope level by assigning appropriate Azure roles.

Follow these steps to set the permission model:

1. Click the **Access policy** tab in the **Create a key vault** process.

2. Choose your permission model.

3. Select your **Resource access**.

4. If you choose the default **Vault access policy**, continue to the next step. If you choose **Azure role-based access control**, continue to step 10.

5. Under the **Access policies** heading, click **Create**.

6. Use the **Configure from a template** drop-down to select an existing template.

7. Add the following **Secret permissions**:

   * Get
   * List

   <Note>
     - These permissions must be set for a secret, not a key or certificate.
     - In some scenarios, you may need additional secret permissions. See [Additional configuration for CDC pipelines](#additional-configuration-for-cdc-pipelines), below.
   </Note>

8. Click the **Principal** tab, and select your chosen principal. Only one principal can be assigned per access policy.

9. Click the **Application (optional)** tab and select an application. For more information, read [Managed identities](/docs/guides/azure-managed-identity).

10. Click **Review + Create**, then click **Create**.

***

## Access control IAM

Use the following steps to assign roles and grant access to your Azure Key Vault resource.

1. Access your existing Key Vault resource in your Microsoft [Azure portal](https://portal.azure.com) account.
2. Click on the intended key vault.
3. Click **Access control (IAM)** in the sidebar.
4. Click **Add** from the top menu, then click **Add role assignment**.
5. Select the **Reader** permissions.
6. Click **Next**.
7. In the **Members** tab, select the members you want to assign access to, add an optional description, and add your [application](/docs/guides/azure-managed-identity).
8. Click **Next**, then click **Review + assign**.

***

## Additional configuration for CDC pipelines

Some additional configuration is required to allow a [CDC pipeline](https://docs.matillion.com/data-productivity-cloud/cdc/docs/32111) to be created from a {m_runner} deployed on Azure. In this scenario, complete the following steps.

Add your Azure user to the access policy for the chosen key vault:

1. In the [Azure portal](https://portal.azure.com), find the key vault created from the {s_runner} deployment.
2. In the left navigation menu, click **Access Policies**.
3. Click **+Create**.
4. Under **Secret Permissions**, select the following permissions:
   * Get
   * List
   * Set
   * Delete
5. Click **Next**.
6. Under **Principal**, search for your Azure username and select it.
7. Click **Next**, then click **Next** again.
8. Click **Create**.

Add a new secret in the key vault for the source database password:

1. In the [Azure portal](https://portal.azure.com), find the key vault created from the {s_runner} deployment.
2. In the left navigation menu, click **Objects** → **Secrets**.
3. Click **+Generate/Import**.
4. Enter the following details:
   * **Name:** The name that {maia} will use to refer to the secret.
   * **Secret Value:** The password to be used when connecting to the CDC source.
5. Click **Create**.

Add a new secret to the key vault for the storage account access key:

1. In the [Azure portal](https://portal.azure.com), navigate to the storage account created from the {s_runner} deployment.
2. In the left navigation menu, click **Security + networking**, then click **Access keys**.
3. Click the **Show** button next to the key value for **Key1** or **Key2**.
4. Click the **Copy** button to copy the key that is now shown.
5. In the [Azure portal](https://portal.azure.com), find the key vault created from the {s_runner} deployment.
6. In the left navigation menu, click **Objects**, then click **Secrets**.
7. Click **+Generate/Import**.
8. Enter the following details:
   * **Name:** The name that {maia} will use to refer to the secret.
   * **Secret Value:** The storage account access key copied in step 4.
9. Click **Create**.
