Azure Kv
Read, write, and delete secrets stored in Azure Key Vault. Supports secret
annotations via swamp vault annotate and swamp vault inspect.
Authentication
Uses DefaultAzureCredential — no credentials in config. Provide
credentials via one of:
- Environment variables:
AZURE_CLIENT_ID,AZURE_TENANT_ID,AZURE_CLIENT_SECRET - Azure CLI:
az login - Managed Identity attached to the VM or container
Usage
swamp vault create @swamp/azure-kv my-azure-kv \
--config '{"vault_url": "https://my-vault.vault.azure.net"}' --json
swamp vault get my-azure-kv my-secret --json
swamp vault put my-azure-kv my-secret "s3cr3t" --json
swamp vault delete my-azure-kv my-secret --json
swamp vault list-keys my-azure-kv --json
swamp vault annotate my-azure-kv my-secret --url https://console.azure.com --note "Production key"
swamp vault inspect my-azure-kv my-secret --jsonSecret Key Format
Secret keys map to Azure Key Vault secret names. Slashes and underscores are
converted to hyphens (Azure only allows alphanumeric characters and hyphens).
Use secret_prefix to namespace secrets when sharing a vault across multiple
swamp instances.
Annotations
Annotations are stored as Azure Key Vault secret tags with a swamp. prefix.
URL, notes, and updatedAt use swamp.url, swamp.notes, swamp.updatedAt.
Labels use swamp.label.<key>. Non-swamp tags are preserved across annotation
operations. Annotation operations use the same secret data-plane permissions
(Get, Set) — no additional Azure RBAC grants are needed.
Azure Key Vault vault provider. Uses DefaultAzureCredential for authentication.
Config Fields
| Field | Type | Description |
|---|---|---|
| vault_url | string | Full URL of the Azure Key Vault e.g. https://my-vault.vault.azure.net |
| secret_prefix? | string | Optional prefix to namespace secrets within the vault e.g. swamp- to scope all reads and writes |
updated labels
Not yet scored.
A score will be generated the next time this extension is published. The owner can also trigger scoring manually.