Automation Suite on EKS/AKS installation guide
You can configure Azure Key Vault as a secretstore using either of the following methods:
- Service Principal authentication
- Workload Identity authentication
By default, all sensitive data is defined in input.json. You can separate this data into two parts:
- input.json - contains only configuration data.
- Azure Key Vault - stores credentials securely.
Ensure that all credentials are created as secrets within the Azure Key Vault before configuring the secretstore.
To configure Azure Key Vault as a secretstore using Service Principal authentication, take the following steps:
- For uipathctl to identify that the credentials are stored in the Azure Key Vault, you must add the secretstore section to input.json, as shown in the following example:
    "secret_store": {
      "enabled": true,
      "provider_configs": [
        {
          "type": "azure",
          "credentials_secret_name": "azure-service-principal-secret",
          "refresh_interval": "5m",
          "name": "azure-secret-store",
          "azure_kv": {
            "vault_url": "https://eso-azure-kv.vault.azure.net/",
            "tenant_id": "d8353d2a-b153-4d17-8827-902c51f72357"
          }
        }
      ]
    }
- Create a Kubernetes secret that stores the Azure Service Principal credentials, as shown in the following example:
    apiVersion: v1
    kind: Secret
    metadata:
      name: azure-service-principal-secret
    type: Opaque
    stringData:
      clientId: <client-id>
      clientSecret: <client-secret>
- Deploy the secret in the uipath namespace using the following command:
    kubectl apply -f azure-service-principal-secret -n uipath
- Update the credential values in input.json to reference secrets stored in Azure Key Vault using the following format:
    vault/<vault-name>/<key-stored-in-the-vault>
  Where:
  - vault – static keyword.
  - vault-name – the value of secret_store.provider_configs[i].name (for example, azure-secret-store).
  - key-stored-in-the-vault – the name of the secret as stored in Azure Key Vault.
  For example, credentials defined directly in input.json:
    "admin_username": "admin",
    "admin_password": "password",
  After updating them to reference Azure Key Vault, they should look like this:
    "admin_username": "vault/azure-secret-store/admin-username-1234",
    "admin_password": "vault/azure-secret-store/admin-password-1234",
  [Image: the secrets stored in Azure Key Vault.]
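A pre-flight check for the reference format described in the steps above, as an added example that is not part of the original guide or of uipathctl: it walks an input.json document, flags credential-like fields that still hold plain-text values, and flags vault/ references whose store name matches no secret_store.provider_configs[i].name. The `audit` function, the list of credential key patterns and the sample document are assumptions constructed for this example.

```python
import json
import re

# Key names treated as credentials. This list is an assumption for the example,
# drawn from the fields the sample input.json keeps in the vault.
SENSITIVE = re.compile(r"password|account_key|client_secret|connection_str", re.I)
VAULT_REF = re.compile(r"^vault/([^/]+)/([^/]+)$")


def audit(config):
    """Return (json_path, problem) pairs for credential fields that are not
    usable vault/<vault-name>/<key-stored-in-the-vault> references."""
    providers = config.get("secret_store", {}).get("provider_configs", [])
    stores = {p.get("name") for p in providers}
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str) and node:
            ref = VAULT_REF.match(node)
            if ref and ref.group(1) not in stores:
                findings.append((path, f"unknown secret store '{ref.group(1)}'"))
            elif not ref and SENSITIVE.search(path.rsplit(".", 1)[-1]):
                findings.append((path, "plain-text credential"))

    walk(config, "")
    return findings


# Constructed sample, not a real configuration.
SAMPLE = json.loads("""{
  "admin_username": "vault/azure-secret-store/admin-username-1234",
  "admin_password": "password",
  "fabric": {"redis": {"hostname": "redis-cache.mycompany.com",
    "password": "vault/azure-secret-store/fabric-redis-password-1234"}},
  "orchestrator": {"sql_connection_str": "vault/azure-store/orchestrator-sql-1234"},
  "secret_store": {"enabled": true, "provider_configs": [
    {"type": "azure", "name": "azure-secret-store",
     "credentials_secret_name": "azure-service-principal-secret"}]}
}""")

if __name__ == "__main__":
    for path, problem in audit(SAMPLE):
        print(f"{path}: {problem}")
```

Empty strings are skipped, so blank fields such as the registries passwords in the full sample are not reported.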
The following sample displays an input.json configuration with credentials stored in Azure Key Vault.
{
"admin_password": "vault/azure-secret-store/admin-password-1234",
"admin_username": "vault/azure-secret-store/admin-username-1234",
"apps": {
"enabled": true,
"external_object_storage": {
"account_key": "vault/azure-secret-store/apps-external-object-storage-account-key-1234",
"account_name": "as-storage-account",
"azure_fqdn_suffix": "core.windows.net",
"bucket_name": "uipath-as-platform",
"create_bucket": true,
"enabled": true,
"region": "us-east-1",
"storage_type": "azure",
"use_instance_profile": true
}
},
"exclude_components": [],
"external_object_storage": {
"account_key": "vault/azure-secret-store/external-object-storage-account-key-1234",
"account_name": "as-storage-account",
"azure_fqdn_suffix": "core.windows.net",
"create_bucket": true,
"enabled": true,
"region": "us-east-1",
"storage_type": "azure",
"use_instance_profile": true
},
"fabric": {
"redis": {
"hostname": "redis-cache.mycompany.com",
"password": "vault/azure-secret-store/fabric-redis-password-1234",
"port": 6380,
"tls": true
}
},
"fqdn": "automationsuite.mycompany.com",
"infra": {
"docker_registry": {}
},
"ingress": {
"gateway_selector": {
"istio": "ingressgateway"
},
"service_annotations": {
"service.beta.kubernetes.io/azure-load-balancer-internal": "false",
"service.beta.kubernetes.io/azure-load-balancer-ipv4": "ip-address"
}
},
"install_type": "online",
"integrationservices": {
"enabled": true,
"external_object_storage": {
"bucket_name": "uipath-as-platform"
}
},
"istioMinProtocolVersion": "TLSV1_3",
"kubernetes_distribution": "aks",
"orchestrator": {
"enabled": true,
"external_object_storage": {
"account_key": "vault/azure-secret-store/orchestrator-external-object-storage-account-key-1234",
"account_name": "os-storage-account",
"azure_fqdn_suffix": "core.windows.net",
"bucket_name": "uipath-as-orchestrator",
"create_bucket": true,
"enabled": true,
"region": "us-east-1",
"storage_type": "azure",
"use_instance_profile": true
},
"sql_connection_str": "vault/azure-secret-store/orchestrator-sql-connection-str-1234",
"testautomation": {
"enabled": true
},
"updateserver": {
"enabled": true
}
},
"platform": {
"enabled": true
},
"pod_identity": {
"aks_managed_identity_client_id": "client-id",
"enabled": true
},
"postgresql_connection_string_template_sqlalchemy_pyodbc": "vault/azure-secret-store/postgresql-connection-string-template-sqlalchemy-pyodbc-1234",
"profile": "ha",
"proxy": {
"enabled": true,
"http_proxy": "\u003c\u003chttp://\u003cPROXY-SERVER-IP\u003e\u003e:\u003cPROXY-PORT\u003e",
"https_proxy": "\u003c\u003chttp://\u003cPROXY-SERVER-IP\u003e\u003e:\u003cPROXY-PORT\u003e",
"no_proxy": "paste list from Configuring the cluster section"
},
"registries": {
"docker": {
"password": "",
"pull_secret_name": "registry-credentials",
"url": "registry.uipath.com",
"username": ""
},
"helm": {
"password": "",
"url": "registry.uipath.com",
"username": ""
}
},
"secret_store": {
"enabled": true,
"secret_name": "",
"provider_configs": [
{
"type": "azure",
"credentials_secret_name": "azure-service-principal-secret",
"is_default": true,
"refresh_interval": "5m",
"name": "azure-secret-store",
"azure_kv": {
"vault_url": "https://eso-azure-kv.vault.azure.net/",
"tenant_id": "d8353d2a-b153-4d17-8827-902c51f72357",
"managed_identity_id": null
},
"aws_kv": {
"role_arn": null
},
"hashicorp_kv": {}
}
]
},
"snapshot": {
"aks_infra_resource_group": "MC_ci-asaks4002399_ci-asaks4002399_eastus",
"enabled": true,
"external_object_storage": {
"account_name": "storaccid2547865",
"auth_mode": "ServicePrincipal",
"bucket_name": "uipath-backup",
"client_id": "1fbd7d95-5f8c-4f70-90a6-fdf20310d10e",
"client_secret": "vault/azure-secret-store/snapshot-external-object-storage-client-secret-1234",
"cloud_name": "AzurePublicCloud",
"resource_group": "ci-asaks4002399",
"storage_type": "azure",
"subscription_id": "b65b0225-ce9b-4a79-9dd9-c00071d40d64",
"tenant_id": "d8353d2a-b153-4d17-8827-902c51f72357"
}
},
"sql_connection_string_template": "vault/azure-secret-store/sql-connection-string-template-1234",
"sql_connection_string_template_jdbc": "vault/azure-secret-store/sql-connection-string-template-jdbc-1234",
"sql_connection_string_template_odbc": "vault/azure-secret-store/sql-connection-string-template-odbc-1234",
"sql_connection_string_template_sqlalchemy_pyodbc": "vault/azure-secret-store/sql-connection-string-template-sqlalchemy-pyodbc-1234",
"storage_class": "managed-premium",
"storage_class_single_replica": "azurefile-csi",
"test_manager": {
"enabled": true,
"external_object_storage": {
"bucket_name": "uipath-as-platform"
}
},
"tolerations": []
}
You can configure Azure Key Vault as a secretstore using Workload Identity authentication instead of a Service Principal.
Workload Identity allows Kubernetes pods to access Azure resources without storing credentials in Kubernetes secrets.
Depending on your setup, you can either use the global workload identity that applies to all components or configure a separate workload identity specifically for Azure Key Vault, as follows:
- Use global workload identity
    "pod_identity": {
      "aks_managed_identity_client_id": "managed-identity-id",
      "enabled": true
    },
    "secret_store": {
      "enabled": true,
      "provider_configs": [
        {
          "type": "azure",
          "refresh_interval": "5m",
          "name": "azure-secret-store",
          "azure_kv": {
            "vault_url": "https://eso-azure-kv.vault.azure.net/"
          }
        }
      ]
    }
- Use a separate workload identity for Azure Key Vault
    "secret_store": {
      "enabled": true,
      "provider_configs": [
        {
          "type": "azure",
          "refresh_interval": "5m",
          "name": "azure-secret-store",
          "azure_kv": {
            "vault_url": "https://eso-azure-kv.vault.azure.net/",
            "managed_identity_id": "managed-identity-id"
          }
        }
      ]
    }
Configuring managed identity for External Secrets Operator
To enable the External Secrets Operator to access Azure Key Vault using workload identity, take the following steps:
- Perform the steps described in the Workload identity configuration to provide federated credentials to the required service accounts.
- In addition to step 3 of the Workload Identity configuration, run the following command to create federated credentials for the External Secrets Operator:
    create_federated_credentials "uipath" "external-secrets"
- Assign the required roles to the managed identity so it can access secrets in Azure Key Vault:
    az role assignment create --assignee $userAssignedManagedIdentityObjectId --role "Key Vault Secrets User" --scope "/subscriptions/$($infraJson.subscription_id)/resourceGroups/$(TARGET_RG)/providers/Microsoft.KeyVault/vaults/$VAULT_NAME"
    az role assignment create --assignee $userAssignedManagedIdentityObjectId --role "Key Vault Reader" --scope "/subscriptions/$($infraJson.subscription_id)/resourceGroups/$(TARGET_RG)/providers/Microsoft.KeyVault/vaults/$VAULT_NAME"
When using a private registry, if you do not want to configure the registry credentials in input.json, you can provide them as a Kubernetes secret instead, as shown in the following example:
"registries": {
  "docker": {
    "pull_secret_name": "registry-credentials",
    "url": "sfbrdevhelmweacr.azurecr.io"
  }
}
Create the Kubernetes secret that stores the registry credentials, as shown in the following example:
apiVersion: v1
kind: Secret
metadata:
  name: registry-credentials
type: Opaque
data:
  url: base64Encode(sfbrdevhelmweacr.azurecr.io)
  username: base64Encode(<registry-username>)
  password: base64Encode(<registry-password>)
Deploy the secret in the uipath namespace using the following command:
kubectl apply -f registry-credentials.yaml -n uipath