Secret Management
Managing secrets for Salem actions
Salem leverages an Azure Key Vault resource to store and access user-provided secrets. This article describes how to configure the Key Vault resource, add secrets, and reference these secrets in a Salem action definition.
Setting up Key Vault
If you've never added a secret to Salem, you must first ensure your key vault resource is properly configured.
Salem comes preconfigured with a Key Vault resource intended for this purpose. However, you must set up access control to 1) allow Salem resources to read secrets from the Key Vault and 2) enable yourself or those you delegate to add new secrets to the Key Vault.
1) Find your Salem Key Vault in the Azure Portal
The Salem Key Vault can be identified in two ways: 1) the Key Vault resource is located in the same managed resource group as other Salem resources, 2) you can search for the Key Vault by name (every Salem Key Vault's name begins with "salemvault").
2) Assign IAM roles for the Salem Key Vault
You'll need to make two role assignments in the Key Vault: 1) for the SalemAPI managed identity, and 2) for your user or users you delegate who will add or update secrets in the Vault.
SalemAPI Managed Identity (APIappId): Key Vault Secrets User
Your User or Group: Key Vault Secrets Officer

Add or Update Secrets
Use the Azure Portal to navigate to your Salem Key Vault resource to add or update secrets that will be referenced in Salem action definitions. The Secret name is arbitrary, but remember what you name the secret so you can

Reference Secrets in Action Definitions
Salem Action Definitions have a Credentials configuration that references a secret in Key Vault. The secret_name parameter should match the name you gave the secret in Key Vault.
"credentials": {
    "secret_name": "SecretName"
}
OPTIONAL - you can add a "vault_url" parameter with the URL of the Key Vault you want Salem to reference, which can be any Key Vault you want to designate, not just the one created with Salem.
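Because "vault_url" can point an action at any Key Vault, it is worth linting definitions before they are deployed. The following is an added example, not Salem's own code: it checks "secret_name" against Azure Key Vault's naming rule and checks an optional "vault_url" against an allowlist. The function names, the APPROVED set and the sample vault hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Key Vault secret names: 1-127 characters, letters, digits and hyphens only.
SECRET_NAME_RE = re.compile(r"[0-9A-Za-z-]{1,127}")
# Constructed allowlist of vault hosts this deployment may read from.
APPROVED = {"salemvault-demo.vault.azure.net"}

def vault_host(url):
    """Return the host of a plain https URL (no userinfo, default port), else None."""
    try:
        parts = urlsplit(url if isinstance(url, str) else "")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or parts.username or parts.password or port not in (None, 443):
        return None
    return (parts.hostname or "").lower() or None

def check_credentials(definition, approved_hosts=APPROVED):
    """Return a list of problems in the definition's "credentials" block."""
    creds = definition.get("credentials")
    if not isinstance(creds, dict):
        return ["credentials block is missing or not an object"]
    problems = []
    name = creds.get("secret_name")
    if not isinstance(name, str) or not SECRET_NAME_RE.fullmatch(name):
        problems.append("secret_name is not a valid Key Vault secret name")
    if "vault_url" in creds:  # optional override of the default Salem vault
        host = vault_host(creds["vault_url"])
        if host is None:
            problems.append("vault_url is not a plain https URL")
        elif host not in approved_hosts:
            problems.append(f"vault_url host {host} is not an approved vault")
    return problems

# Constructed sample definitions (already parsed); other fields are omitted.
SAMPLES = {
    "default vault": {"credentials": {"secret_name": "SecretName"}},
    "other vault": {"credentials": {"secret_name": "edr-api-key",
                                    "vault_url": "https://othervault.vault.azure.net/"}},
    "value pasted as name": {"credentials": {"secret_name": "p@ss w0rd!"}},
}

def run_samples():
    return {label: check_credentials(d) for label, d in SAMPLES.items()}

if __name__ == "__main__":
    for label, problems in run_samples().items():
        print(label, "->", problems or "ok")
```

A secret value pasted into "secret_name" by mistake usually fails the name rule, so the same check keeps many plaintext secrets out of definition files.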