USE AZURE KEY VAULT
Prerequisites
- Azure credentials available via DefaultAzureCredential (environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET; or az login; or managed identity)
- An existing Azure Key Vault instance
Pull the Extension
swamp extension pull @swamp/azure-kv
Create the Vault
swamp vault create @swamp/azure-kv my-azure-vault \
--config '{"vault_url": "https://my-vault.vault.azure.net"}'
Store Secrets
swamp vault put my-azure-vault api-key sk-live-abc123
swamp vault put my-azure-vault db-password s3cret-p4ss
Slashes and underscores in secret keys are converted to hyphens because Azure Key
Vault only allows alphanumeric characters and hyphens. Use secret_prefix in
the config to namespace secrets when sharing a vault across multiple swamp
instances.
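A pre-flight check for the key mapping just described, as an added example that is not swamp's own code: swamp keys that differ only in '/', '_' or '-' map to the same Key Vault name, so it helps to find such groups before storing anything. The function names and sample keys are constructed, and the 127-character limit is Azure's documented bound for secret names rather than something this page states.

```shell
#!/bin/sh
# Added example, not swamp's own code. It models the rule stated above:
# '/' and '_' in a secret key become '-' in the Azure Key Vault name.

# Print the Key Vault name a swamp secret key maps to under that rule.
kv_name() {
  printf '%s\n' "$1" | sed 's|[/_]|-|g'
}

# Succeed only if the mapped name is non-empty, at most 127 characters
# (Azure's documented limit, an assumption not stated on this page) and
# made up solely of alphanumerics and hyphens.
kv_name_valid() {
  name=$(kv_name "$1")
  [ -n "$name" ] && [ "${#name}" -le 127 ] || return 1
  case $name in
    *[!A-Za-z0-9-]*) return 1 ;;
  esac
  return 0
}

# Read keys, one per line, on stdin. For every mapped name reached by more
# than one distinct key, print "mapped-name: key key ...". Keys in one group
# would map to the same Azure secret name, so they cannot hold separate values.
kv_collisions() {
  LC_ALL=C sort -u | while IFS= read -r key; do
    printf '%s\t%s\n' "$(kv_name "$key")" "$key"
  done | awk -F '\t' '
    { count[$1]++; keys[$1] = keys[$1] " " $2 }
    END { for (m in count) if (count[m] > 1) print m ":" keys[m] }
  ' | LC_ALL=C sort
}

# Constructed sample keys, not taken from any real vault.
sample_keys() {
  printf '%s\n' 'db/password' 'db_password' 'db-password' \
    'api-key' 'svc/api_key' 'svc_api/key'
}

sample_keys | kv_collisions
```

A key that fails kv_name_valid still contains a character the slash and underscore rule does not cover, such as a dot.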
Annotate Secrets (Optional)
If the provider version supports annotations, attach provenance metadata to stored secrets.
swamp vault annotate my-azure-vault api-key \
--url https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps \
--notes "Service principal client secret" \
--label env=prod --label team=platform
Only the fields you specify are updated. To add a label without changing the URL or notes:
swamp vault annotate my-azure-vault api-key --label rotation=monthly
To remove a label:
swamp vault annotate my-azure-vault api-key --remove-label rotation
To remove all annotations from a secret:
swamp vault annotate my-azure-vault api-key --clear
Inspect Annotations
swamp vault inspect my-azure-vault api-key
INF vault·inspect Annotation for "api-key" in vault "my-azure-vault":
INF vault·inspect url: "https://portal.azure.com/#view/..."
INF vault·inspect notes: "Service principal client secret"
INF vault·inspect label: "env"="prod"
INF vault·inspect label: "team"="platform"
INF vault·inspect updated: "2026-05-23T02:04:58.668Z"
Use --json for structured output.
Reference Secrets in Models
globalArguments:
  api_key: "${{ vault.get('my-azure-vault', 'api-key') }}"
See the Vaults reference for CEL integration, environment variable mounting, and the full CLI command reference.