Configure Azure Key Vault as a Property Source

For application properties used by Unmeshed binaries, you can configure values to be read from Azure Key Vault (AKV). This can be used for any application property configured for a self-managed engine or writer deployment.

Any application property value prefixed with [AKV]. is treated as an Azure Key Vault secret reference.

The value after [AKV]. must be the AKV secret name only. Full secret URLs, versioned secret paths, slashes, and unsupported characters are not supported.

AKV secret names must contain only letters, numbers, and hyphens.

When at least one property uses an [AKV]. reference, the application must know which vault to read from.

Configure this Spring property:

For Linux environment variables, use:

The loader builds the vault URL internally:

If no property value starts with [AKV]., Azure Key Vault is not contacted and stablequark.engine.akvName is not required.

Any Spring application property value can be prefixed with [AKV]..

Properties under stablequark.engine.* use environment variables with the STABLEQUARK_ENGINE_ prefix. For camel-case property names, keep the property name together in uppercase.

The service can authenticate through the standard Azure credential chain, including:

• Environment credentials
• Workload identity
• Managed identity
• Azure CLI or developer credentials, where available

For deployed environments, prefer managed identity or workload identity.

If the deployment must select a specific user-assigned managed identity, set:

If applicable to the credential path, set:

Grant the identity used by the engine or writer service permission to read secrets from the vault.

For RBAC-enabled Key Vaults, assign a role such as Key Vault Secrets User. Scope the assignment to the vault, or to a narrower supported scope when appropriate.

This example configures a vault, a test property, and a datasource password backed by AKV.

For local development, DefaultAzureCredential may use available developer credentials such as Azure CLI credentials. For deployed services, use managed identity or workload identity instead.

Add the AKV configuration to the engine and writer pod environment as needed.

AZURE_CLIENT_ID is only needed when the deployment must select a specific user-assigned managed identity or credential path. Omit it when the default managed identity or workload identity selection is correct for the pod.