Azure Key Vault
Resolve environment variables from Azure Key Vault with managed identity support.
Installation
Install the Azure SDK peer dependencies:
```bash
npm install @azure/keyvault-secrets @azure/identity
pnpm add @azure/keyvault-secrets @azure/identity
bun add @azure/keyvault-secrets @azure/identity
yarn add @azure/keyvault-secrets @azure/identity
```
Basic usage
```ts
import { createEnv, requiredString } from "@ayronforge/better-env"
import { fromAzureKeyVault } from "@ayronforge/better-env/azure"
import { Effect } from "effect"

const envEffect = createEnv({
  server: {
    DATABASE_URL: requiredString,
    API_KEY: requiredString,
  },
  resolvers: [
    fromAzureKeyVault({
      secrets: {
        DATABASE_URL: "database-url",
        API_KEY: "api-key",
      },
      vaultUrl: "https://my-vault.vault.azure.net",
    }),
  ],
})

const env = await Effect.runPromise(envEffect)
```
Options
| Name | Type | Default | Description |
|---|---|---|---|
| `secrets` (required) | `Record<string, string>` | — | Map of env var names to Azure Key Vault secret names. |
| `vaultUrl` (required) | `string` | — | Azure Key Vault URL. |
| `credential` | `unknown` | — | Azure credential. Defaults to `DefaultAzureCredential`. |
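A pre-flight check for the `secrets` and `vaultUrl` options above, as an added example (not code from this page or from better-env): `toSecretName` and `checkKeyVaultOptions` are hypothetical helpers, and the allowed host suffix covers only the public Azure cloud by assumption. Key Vault secret names are limited to 1-127 letters, digits and hyphens, so an env var name such as `DATABASE_URL` cannot be used as a secret name unchanged.

```typescript
// Key Vault secret names: 1-127 characters, letters, digits and hyphens only.
const SECRET_NAME_RE = /^[0-9a-zA-Z-]{1,127}$/
// Assumption: public Azure cloud only; add sovereign-cloud suffixes if needed.
const DEFAULT_VAULT_SUFFIXES: string[] = [".vault.azure.net"]

// Hypothetical helper: DATABASE_URL -> database-url (underscores are not allowed).
function toSecretName(envVar: string): string {
  return envVar.toLowerCase().replace(/_/g, "-")
}

// Hypothetical helper: returns a list of problems; an empty list means OK.
function checkKeyVaultOptions(
  options: { secrets: Record<string, string>; vaultUrl: string },
  allowedSuffixes: string[] = DEFAULT_VAULT_SUFFIXES,
): string[] {
  const problems: string[] = []
  let url: URL | undefined
  try {
    url = new URL(options.vaultUrl)
  } catch {
    problems.push(`vaultUrl is not a valid URL: ${options.vaultUrl}`)
  }
  if (url) {
    const host = url.hostname // lower-cased by the URL parser
    if (url.protocol !== "https:") problems.push("vaultUrl must use https")
    if (url.username || url.password) problems.push("vaultUrl must not embed credentials")
    if (url.pathname !== "/" || url.search || url.hash) {
      problems.push("vaultUrl must be the bare vault origin, without path or query")
    }
    // Suffix match on the parsed host rejects look-alikes such as
    // my-vault.vault.azure.net.example.com.
    if (!allowedSuffixes.some((suffix) => host.endsWith(suffix))) {
      problems.push(`vaultUrl host ${host} is not an allowed Key Vault domain`)
    }
  }
  for (const [envVar, secretName] of Object.entries(options.secrets)) {
    if (!SECRET_NAME_RE.test(secretName)) {
      problems.push(`${envVar}: "${secretName}" is not a valid Key Vault secret name`)
    }
  }
  return problems
}

// Constructed sample input, mirroring the options shown on this page.
const sampleOptions = {
  secrets: { DATABASE_URL: toSecretName("DATABASE_URL"), API_KEY: "api-key" },
  vaultUrl: "https://my-vault.vault.azure.net",
}
console.log(checkKeyVaultOptions(sampleOptions)) // prints []
```

Run the check on the options object before handing the same object to `fromAzureKeyVault`, and fail startup if the returned list is not empty.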
Default credentials
By default, the resolver uses DefaultAzureCredential from @azure/identity, which supports:
- Managed identity (Azure VMs, App Service, Functions)
- Azure CLI credentials (local development)
- Environment variables (`AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`)
You can provide a custom credential:
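```ts
import { ClientSecretCredential } from "@azure/identity"
import { fromAzureKeyVault } from "@ayronforge/better-env/azure"

// tenantId, clientId and clientSecret are supplied by your application;
// load them from a secure source rather than hard-coding them.
fromAzureKeyVault({
  secrets: { API_KEY: "api-key" },
  vaultUrl: "https://my-vault.vault.azure.net",
  credential: new ClientSecretCredential(tenantId, clientId, clientSecret),
})
```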