Key Vault Secrets Management
Azure Key Vault as single source of truth for 40+ secrets with CI sync, managed identity auth, and file-based secret support.
Key Results
Client
Enterprise SaaS Client
Industry
Sustainability & ESG
Location
Europe
Overview
Enterprise platforms juggle dozens of secrets—database credentials, API keys, service account JSON files. Storing them in code or plain App Settings creates security and audit risks. The platform required secrets for Django, PostgreSQL, Azure Storage, OpenAI, Earth Engine, and dozens of third-party services.
We built a Key Vault–first architecture that loads all secrets at startup, syncs from CI pipelines, and handles special cases like Earth Engine’s JSON key file requirement. A single mapping dictionary drives both runtime loading and CI synchronization.
The Challenge
Scattered Storage
Some secrets lived in App Settings, others in environment variables, and developers kept local copies in .env files that could drift out of sync.
Sync Complexity
Adding a new secret meant updating App Settings, Key Vault, and documentation—easy to miss a step and cause runtime failures.
Special Formats
Google Earth Engine requires a JSON key file on disk, not an environment variable. Key Vault stores strings, not files—bridging this gap required creative handling.
Our Solution
Architecture Overview
Key Vault
Single source of truth for all secrets
CI Sync
Pipeline syncs App Settings to Key Vault
Runtime Loader
Managed Identity auth at startup
One Mapping, Two Consumers
A dictionary maps environment variable names to Key Vault secret names. The Django app uses it to load secrets at startup; the CI script uses it to sync App Settings into Key Vault before deployment.
Managed Identity Auth
On Azure, the app uses DefaultAzureCredential with Managed Identity—no credentials stored anywhere. Locally, developers use az login or staging Key Vault access.
File-Based Secrets
For Earth Engine, the JSON key is stored as a secret string. At startup, a helper writes it to a temp file and sets the path in an environment variable—the SDK sees a file, Key Vault stores a string.
Graceful Degradation
Missing optional secrets don’t crash startup—ResourceNotFoundError is caught and logged. Secrets are fetched once per process and cached, avoiding repeated Key Vault calls.
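The loader and CI consumer described above, as an added example rather than the client's own code: one mapping dictionary drives both the Django startup loader (load_secrets) and a CI sync check (missing_in_vault), a required secret fails startup while an optional one is only logged, the Earth Engine key is written to an owner-only temp file with its path exported, and a second call in the same process returns the cache without touching Key Vault. The secret names, environment variable names, EE_KEY_FILE and the vault URL are assumptions; Azure imports are confined to build_azure_fetcher() so everything else runs offline with any fetch callable.

```python
import logging, os, tempfile
# Hypothetical mapping: environment variable name -> Key Vault secret name.
SECRET_MAP: dict[str, str] = {
    "DJANGO_SECRET_KEY": "django-secret-key",
    "OPENAI_API_KEY": "openai-api-key",
    "EE_SERVICE_ACCOUNT_JSON": "earth-engine-service-account",
}
REQUIRED = {"DJANGO_SECRET_KEY"}                           # the rest are optional
FILE_SECRETS = {"EE_SERVICE_ACCOUNT_JSON": "EE_KEY_FILE"}  # SDK wants a file path
_CACHE: dict[str, str] = {}                                # one fetch per process

def build_azure_fetcher(vault_url: str):
    """Real fetcher; Azure imports are lazy so the rest of the module runs offline."""
    from azure.core.exceptions import ResourceNotFoundError
    from azure.identity import DefaultAzureCredential  # Managed Identity on Azure
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    def fetch(name: str):
        try:
            return client.get_secret(name).value
        except ResourceNotFoundError:  # absent secret: let the caller decide
            return None
    return fetch
def _write_key_file(content: str) -> str:  # string secret -> owner-only temp file
    fd, path = tempfile.mkstemp(prefix="kv-", suffix=".json")  # created mode 0600
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path
def load_secrets(fetch, env=None, cache=None) -> dict[str, str]:
    """Runtime consumer: resolve SECRET_MAP once per process, export into env."""
    env = os.environ if env is None else env
    cache = _CACHE if cache is None else cache
    if cache:  # already loaded: no repeated Key Vault calls this process
        return cache
    for env_name, kv_name in SECRET_MAP.items():
        value = fetch(kv_name)
        if value is None:
            if env_name in REQUIRED:
                raise LookupError(f"required secret {kv_name} missing from Key Vault")
            logging.getLogger(__name__).warning("optional secret %s absent", kv_name)
            continue
        cache[env_name] = value
        if env_name in FILE_SECRETS:  # Earth Engine case: the SDK needs a file
            env[FILE_SECRETS[env_name]] = _write_key_file(value)
        else:
            env[env_name] = value
    return cache
def missing_in_vault(fetch, app_settings):  # CI consumer of the same mapping
    return {SECRET_MAP[k]: v for k, v in app_settings.items()
            if k in SECRET_MAP and fetch(SECRET_MAP[k]) is None}
```

In production the Django settings module would call load_secrets(build_azure_fetcher(vault_url)) once; the CI job feeds the App Settings dump to missing_in_vault and creates whatever it reports before deploying.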
Performance Metrics (charts not reproduced: Transaction Throughput, Response Time Distribution)
- 40+ Managed Secrets
- Zero Secrets in Code
- 1 Source of Truth
- 1x Fetch per Process
Technology Stack
Security
- Azure Key Vault
- Managed Identity
- DefaultAzureCredential
Backend
- Django
- Python 3.11
- PostgreSQL
CI/CD
- GitHub Actions
- Azure App Service
- Azure CLI
Outcomes & Impact
Security Impact
- All 40+ secrets managed in Key Vault with full audit trail
- Zero secrets in source code or plain text configuration
- Managed Identity eliminates credential storage entirely
Developer Experience
- New secrets added with one-line changes in two files
- Environment parity across production, staging, and local development
- Earth Engine and other file-based SDKs work seamlessly with Key Vault
Operational Efficiency
- In-memory caching eliminates repeated Key Vault calls during request handling
- Graceful degradation—missing optional secrets don’t crash startup
- CI sync guarantees Key Vault is always in sync before deploy
“The secrets management architecture is exactly what we needed—clean, auditable, and zero overhead for the development team. Adding new integrations is trivial now.”
Platform Lead
Enterprise Client