Key Vault
This guide covers the creation and configuration of Azure Key Vault for use with Raikoo. Key Vault provides secure storage for secrets, API keys, and other sensitive configuration values.
By default, Raikoo uses an internal key vault to securely store your organization's secrets. You can optionally configure your own Azure Key Vault for enhanced control and compliance.
To use a custom Key Vault with Raikoo, you'll need to create both an App Registration (which provides the identity Raikoo uses to authenticate) and a Key Vault (which stores your secrets).
Configuring Key Vault in Raikoo
Organization administrators can configure their key vault settings directly in Raikoo:
- Navigate to Organization Settings
- Select the Key Vault tab
- Choose your provider:
    - Internal: Use Raikoo's built-in secure storage (default)
    - Azure Key Vault: Use your own Azure Key Vault
Azure Key Vault Configuration
When selecting Azure Key Vault, you'll need to provide:
- Vault URI: Your Key Vault's URL (e.g., https://your-vault-name.vault.azure.net)
- Tenant ID: Your Microsoft Entra ID (Azure AD) tenant identifier
- Client ID: The Application (client) ID from your App Registration
- Client Secret: The secret value from your App Registration
!!! note "Security"
    For security, client secrets are never displayed or pre-filled after saving. You'll need to enter the client secret again if you need to update the configuration.
Automatic Secret Migration
When you change your key vault configuration, Raikoo automatically migrates your existing data to the new vault:
- Organization Secrets: All secrets stored for your organization
- OAuth Tokens: Authentication tokens for external integrations
- AI Provider API Keys: API keys for configured AI providers
- Storage Account Configuration: If you have a custom storage account configured
The migration process:
- Copies all secrets to the new vault
- Verifies the migration was successful
- Removes secrets from the old vault
If any secrets fail to migrate, the operation is rolled back and your original configuration remains unchanged.
Required Azure Permissions
The App Registration used to access Azure Key Vault needs these four secret permissions, and nothing more:
- secrets/get
- secrets/set
- secrets/delete
- secrets/list
With the vault access policy permission model used in the setup below, grant them through an access policy on the vault. If your vault uses the Azure RBAC permission model instead, the built-in Key Vault Secrets Officer role includes all four (together with broader secret-management rights such as purge).
See the sections below for detailed Azure setup instructions.
Create and Configure Application Registration
- Navigate to Microsoft Entra ID in the Azure Portal
- Go to App registrations → New registration
- Configure the following:
    - Name: Choose a descriptive name (e.g., "Raikoo Key Vault Access")
    - Account Type: Accounts in this organizational directory only (My org only)
- Click Register
Create and Configure Key Vault
From the Azure Portal's Create a resource view, click Create under Key Vault.
Fill out the form as follows:
Basics
- Subscription: Choose subscription
- Resource group: Choose resource group
- Key Vault Name: Choose key vault name
- Region: Choose a region close to where Raikoo runs (e.g. East US)
- Pricing Tier: Standard
- Days to retain deleted vaults: 90 (soft-delete retention; a deleted secret or vault stays recoverable for this long)
- Purge Protection: Disable (with purge protection off, a soft-deleted vault or secret can still be purged permanently before the retention period ends; once purge protection is enabled it cannot be turned off again)
Access Configuration
- Permission Model: Vault access policy
- Resource access:
    - Azure Virtual Machines for deployment: True
    - Azure Resource Manager for template deployment: False
    - Azure Disk Encryption for volume encryption: True
The three resource access toggles only let Azure platform services read secrets from the vault; they have no effect on Raikoo's access, which is granted by the access policy created below.
Networking
- Public Access: Allow all networks (Raikoo reaches the vault over the public internet, so restrict this only if you can allowlist Raikoo's outbound addresses under Firewalls and virtual networks; every request still requires a valid token for your App Registration)
Configure Key Vault
Access Policies -> Create
Permissions
- Secret permissions: Under Secret Management Operations select Get, List, Set and Delete (the four permissions Raikoo requires); leave Purge under Privileged Secret Operations unchecked
Principal
Select the App Registration you created above.
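The same setup as an Azure CLI script, added here as an example (it is not part of Raikoo's tooling). It creates the single-tenant app registration and its service principal, a standard-tier vault using the vault access policy model with 90-day retention and purge protection left off, and an access policy limited to the four secret permissions from Required Azure Permissions. The names raikoo-secrets-kv, raikoo-rg, eastus and "Raikoo Key Vault Access" are placeholder assumptions, the portal's resource access toggles are omitted because Raikoo does not use them, and nothing is created unless the script is run with --apply against a logged-in az session.

```shell
#!/bin/sh
# Provision the Azure objects the portal walkthrough above creates:
# app registration + service principal, Key Vault (access-policy model,
# 90-day soft-delete retention, no purge protection), and an access policy
# granting only get/list/set/delete on secrets. Example code, not Raikoo's.
set -eu

APP_NAME="Raikoo Key Vault Access"                 # assumed display name
VAULT_NAME="${VAULT_NAME:-raikoo-secrets-kv}"      # assumed placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-raikoo-rg}"      # assumed placeholder
LOCATION="${LOCATION:-eastus}"                     # assumed placeholder

# The minimum listed under "Required Azure Permissions"; deliberately
# excludes recover, backup, restore and purge.
required_secret_permissions() {
    echo "get list set delete"
}

# Key Vault names: 3-24 characters, start with a letter, end with a letter
# or digit, only letters/digits/hyphens, no consecutive hyphens.
# Returns 0 when the portal would accept the name.
validate_vault_name() {
    name="$1"
    [ "${#name}" -ge 3 ] && [ "${#name}" -le 24 ] || return 1
    printf '%s' "$name" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9]$' || return 1
    case "$name" in *--*) return 1 ;; esac
    return 0
}

# The Vault URI the Raikoo Key Vault tab asks for is derived from the name.
vault_uri_for() {
    echo "https://$1.vault.azure.net/"
}

provision() {
    validate_vault_name "$VAULT_NAME" || { echo "invalid vault name: $VAULT_NAME" >&2; return 1; }

    # 1. App registration restricted to this tenant ("My org only"), plus
    #    the service principal that the access policy will be bound to.
    app_id=$(az ad app create --display-name "$APP_NAME" \
        --sign-in-audience AzureADMyOrg --query appId -o tsv)
    sp_object_id=$(az ad sp create --id "$app_id" --query id -o tsv)

    # 2. The vault. --enable-rbac-authorization false selects the
    #    "Vault access policy" permission model used in this guide.
    az keyvault create --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
        --location "$LOCATION" --sku standard --retention-days 90 \
        --enable-rbac-authorization false --output none

    # 3. Access policy scoped to the service principal, secrets only.
    #    The unquoted expansion is intentional: az wants separate words.
    az keyvault set-policy --name "$VAULT_NAME" --object-id "$sp_object_id" \
        --secret-permissions $(required_secret_permissions) --output none

    # 4. The four values to paste into Raikoo. The client secret is shown
    #    once and cannot be retrieved again; a reset replaces any existing
    #    secret on the app, which is what we want for a fresh registration.
    echo "Vault URI:     $(az keyvault show --name "$VAULT_NAME" --query properties.vaultUri -o tsv)"
    echo "Tenant ID:     $(az account show --query tenantId -o tsv)"
    echo "Client ID:     $app_id"
    echo "Client Secret: $(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)"
}

# Only touch the subscription when explicitly asked, so the helpers above
# can be sourced or checked without creating anything.
if [ "${1:-}" = "--apply" ]; then
    provision
fi
```

The client secret is printed to the terminal once; paste it into Raikoo and into a password manager straight away, and record the one-year expiry so it can be rotated before Raikoo loses access.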
Obtaining Key Vault Configuration for Raikoo
To set up a custom Azure Key Vault configuration in Raikoo, you'll need to obtain the following values:
Vault URI
- Navigate to your Key Vault in the Azure Portal
- Go to Overview
- Copy the Vault URI (e.g., https://your-keyvault-name.vault.azure.net/)
Tenant ID
- Navigate to Microsoft Entra ID (formerly Azure Active Directory) in the Azure Portal
- Go to Overview
- Copy the Tenant ID from the Basic Information section
Client ID and Client Secret
These values come from the App Registration you created earlier:
- Navigate to Microsoft Entra ID in the Azure Portal
- Go to App registrations and select your application
- Copy the Application (client) ID from the Overview page — this is your Client ID
- Go to Certificates & secrets → Client secrets → New client secret
- Add a description and select an expiration period (Raikoo's access stops when the secret expires, so note the date and rotate the secret, first in Azure and then in Raikoo's Key Vault settings, before then)
- Click Add and immediately copy the Value — this is your Client Secret (it will only be shown once)
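Before pasting the four values into Raikoo, it is worth confirming that they actually work and that the access policy grants what Required Azure Permissions lists. The following script is an added example (not Raikoo's code) that requests a token for the App Registration with the client-credentials grant and then exercises exactly secrets/list, secrets/set, secrets/get and secrets/delete against the vault through the Key Vault REST API, using a throw-away canary secret. It takes TENANT_ID, CLIENT_ID, CLIENT_SECRET and VAULT_URI from the environment (these variable names are the script's own) so the client secret never appears on a command line or in shell history, and only talks to Azure when run with --run.

```shell
#!/bin/sh
# Pre-flight check for the Raikoo Key Vault tab values. Example code, not
# part of Raikoo; needs only curl and sed.
#   TENANT_ID=... CLIENT_ID=... CLIENT_SECRET=... VAULT_URI=... sh preflight.sh --run
set -eu

# Accept the URI with or without a trailing slash; reject anything that is
# not an https Key Vault endpoint before any secret is sent to it.
normalize_vault_uri() {
    uri="${1%/}/"
    case "$uri" in
        https://*.vault.azure.net/) echo "$uri" ;;
        *) echo "vault URI must look like https://<name>.vault.azure.net/" >&2; return 1 ;;
    esac
}

# Extract a top-level string field from a flat JSON object; enough for the
# token response and a secret bundle without a JSON library.
json_string_field() {
    printf '%s' "$2" | sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# One authenticated Key Vault REST call. Sets STATUS (HTTP code) and
# RESPONSE (body) as globals, which a $(...) subshell could not do.
kv_request() {
    method="$1"; path="$2"; body="${3:-}"
    tmp=$(mktemp)
    STATUS=$(curl -sS -o "$tmp" -w '%{http_code}' -X "$method" \
        -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
        ${body:+--data "$body"} "${VAULT_URI}${path}?api-version=7.4")
    RESPONSE=$(cat "$tmp"); rm -f "$tmp"
}

# A 403 here means the access policy does not grant that operation; the
# vault's error body says which one.
expect_status() {
    if [ "$STATUS" != "$2" ]; then
        echo "secrets/$1: HTTP $STATUS: $RESPONSE" >&2
        return 1
    fi
    echo "secrets/$1: OK"
}

preflight() {
    : "${TENANT_ID:?}" "${CLIENT_ID:?}" "${CLIENT_SECRET:?}"
    VAULT_URI=$(normalize_vault_uri "${VAULT_URI:?}")

    # Client-credentials grant for the App Registration, scoped to Key Vault.
    token_json=$(curl -sS -X POST \
        "https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token" \
        --data-urlencode "client_id=$CLIENT_ID" \
        --data-urlencode "client_secret=$CLIENT_SECRET" \
        --data-urlencode "scope=https://vault.azure.net/.default" \
        --data-urlencode "grant_type=client_credentials")
    TOKEN=$(json_string_field access_token "$token_json")
    [ -n "$TOKEN" ] || { echo "token request failed: $token_json" >&2; return 1; }

    # Exercise each required permission once, in the order Raikoo's
    # migration uses them: list, set, get (value must round-trip), delete.
    canary="raikoo-preflight-$$"
    kv_request GET "secrets";                                 expect_status list 200
    kv_request PUT "secrets/$canary" '{"value":"preflight"}'; expect_status set 200
    kv_request GET "secrets/$canary";                         expect_status get 200
    [ "$(json_string_field value "$RESPONSE")" = "preflight" ] ||
        { echo "secrets/get returned a different value" >&2; return 1; }
    # Soft-delete keeps the canary recoverable for the retention period.
    kv_request DELETE "secrets/$canary";                      expect_status delete 200
    echo "App Registration $CLIENT_ID can get/list/set/delete secrets in $VAULT_URI"
}

if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

If the token request fails, the tenant ID, client ID or client secret is wrong (or the secret has expired); if the token succeeds but one of the four calls returns 403, the access policy is missing that permission or is bound to the wrong principal.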
Import Data From Source Key Vault
If you already keep secrets in another Key Vault, the following script copies the current version of every enabled secret into the vault you just created and reads each one back to confirm it arrived intact. It needs a logged-in az session with get and list on the source vault and set and get on the target.
```bash
#!/bin/bash
set -euo pipefail
SOURCE_VAULT="source-keyvault-name"
TARGET_VAULT="target-keyvault-name"
# Clone Secrets (latest version and value only; content type and tags are not copied)
az keyvault secret list --vault-name "$SOURCE_VAULT" --query "[].name" -o tsv | while read -r secret; do
    value=$(az keyvault secret show --vault-name "$SOURCE_VAULT" --name "$secret" --query "value" -o tsv)
    az keyvault secret set --vault-name "$TARGET_VAULT" --name "$secret" --value "$value" --output none
    # Verify the copy by reading it back from the target vault
    copied=$(az keyvault secret show --vault-name "$TARGET_VAULT" --name "$secret" --query "value" -o tsv)
    [ "$copied" = "$value" ] || { echo "Verification failed for secret '$secret'" >&2; exit 1; }
    echo "Copied $secret"
done
```