
# Use Azure KeyVault as secrets backend

A requirement for running your own Chainloop instance is a secure credentials backend where sensitive information, such as API tokens, can be stored.

If you are running your instance in Azure, you might want to leverage the [Azure KeyVault](https://azure.microsoft.com/en-us/products/key-vault) secret backend for that purpose.
In this guide we'll walk you through the process of a) creating or retrieving credentials and configuring the Key Vault in Azure and b) deploying Chainloop using that new configuration.

## Pre-requisites

To configure your Chainloop instance with Azure KeyVault you'll need the following information from your Azure account:

* Active Directory Tenant ID
* Service Principal ID
* Service Principal Secret
* Vault URI

We'll walk you through how to find this information.

## Register an application to create the service principal

First, you'll need to register an application in your Azure Active Directory tenant. You can do this using the Azure CLI or from the Azure portal.

<img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/guides/deployment/guides/img/azure-1.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=cf4a82f083878341c748ca6367b359a1" alt="" width="894" height="286" data-path="guides/deployment/guides/img/azure-1.png" />

Once done, you should be able to find the Tenant ID and the Service Principal ID in the application overview.

<img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/guides/deployment/guides/img/azure-3.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=d645e8f897bef5766bf783753d904ca3" alt="" width="823" height="374" data-path="guides/deployment/guides/img/azure-3.png" />

Next, let's create a secret for the service principal.

<img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/guides/deployment/guides/img/azure-2.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=b5d9b8ad90e9512f8f7ca9d6eb5bc1c4" alt="" width="768" height="567" data-path="guides/deployment/guides/img/azure-2.png" />

## Create a Vault instance and give permissions

Next, we'll create a Key Vault (or you can use an existing one).

<img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/guides/deployment/guides/img/azure-4.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=4e8fbbaa1fc6634afdc648b6c947c87c" alt="" width="867" height="182" data-path="guides/deployment/guides/img/azure-4.png" />

Take note of the Vault URI.

<img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/guides/deployment/guides/img/azure-7.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=6d533aafe42d4d71b766da78db534477" alt="" width="1031" height="353" data-path="guides/deployment/guides/img/azure-7.png" />

Next, in the Vault IAM section, let's give permissions to the service principal by clicking on Add Role Assignment.

<img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/guides/deployment/guides/img/azure-5.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=2bcb088130e36a3ffe5715dc72da2548" alt="" width="633" height="273" data-path="guides/deployment/guides/img/azure-5.png" />

For the role assignment's role, select "Key Vault Secrets Officer".

<img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/guides/deployment/guides/img/azure-6.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=af5718e18d2c61d20911ffa42343067c" alt="" width="868" height="538" data-path="guides/deployment/guides/img/azure-6.png" />

Then, in the members, search for the application we just registered.

<img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/guides/deployment/guides/img/azure-8.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=24690dd016d61d5771bd2a9813be401d" alt="" width="1263" height="516" data-path="guides/deployment/guides/img/azure-8.png" />

That's all. We now have all the information we need, so let's move on to the deployment.

## Configure Chainloop deployment

As explained in the [deployment guide](../oss), you can configure the credentials backend using the `secretsBackend` section of the `values.yaml` file.

Fill in the information gathered in the previous steps like this:

```yaml
secretsBackend:
  backend: azureKeyVault
  azureKeyVault:
    tenantID: [TENANT_ID] # Active Directory Tenant ID
    clientID: [CLIENT_ID] # Registered application / service principal client ID
    clientSecret: [CLIENT_SECRET] # Service principal client secret
    vaultURI: [VAULT URI] # Azure Key Vault URL
```

Then deploy your Chainloop Control Plane with the updated values for the change to take effect.

Now your Chainloop instance will automatically store any sensitive information in the Azure KeyVault instance you just configured.
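
The portal steps above can also be scripted with the Azure CLI. The following is an added example, not part of the Chainloop documentation; the application, vault and resource group names and the output file name are hypothetical placeholders, and it assumes you are already logged in with `az login`.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the portal steps in this guide.
# APP_NAME, VAULT_NAME, RESOURCE_GROUP and OUT are hypothetical placeholders.
set -e
APP_NAME="${APP_NAME:-chainloop-secrets}"
VAULT_NAME="${VAULT_NAME:-chainloop-kv-example}"
RESOURCE_GROUP="${RESOURCE_GROUP:-chainloop-rg}"
OUT="${OUT:-values-secrets.yaml}"

# Print the secretsBackend block: tenant ID, client ID, client secret, vault URI.
render_values() {
  cat <<EOF
secretsBackend:
  backend: azureKeyVault
  azureKeyVault:
    tenantID: "$1"
    clientID: "$2"
    clientSecret: "$3"
    vaultURI: "$4"
EOF
}

provision() {
  # Register the application, its service principal and a client secret.
  creds=$(az ad sp create-for-rbac --name "$APP_NAME" \
    --query "[appId, password, tenant]" --output tsv)
  set -f; set -- $creds; set +f   # split on whitespace without globbing
  [ $# -eq 3 ] || { echo "unexpected az output" >&2; return 1; }
  client_id=$1 client_secret=$2 tenant_id=$3

  # Reuse the vault if it exists, otherwise create it with RBAC authorization
  # so that IAM role assignments (not access policies) govern access.
  az keyvault show --name "$VAULT_NAME" >/dev/null 2>&1 ||
    az keyvault create --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
      --enable-rbac-authorization true >/dev/null
  vault_id=$(az keyvault show --name "$VAULT_NAME" --query id --output tsv)
  vault_uri=$(az keyvault show --name "$VAULT_NAME" \
    --query properties.vaultUri --output tsv)

  # Grant the role on this vault only, never on the resource group or subscription.
  az role assignment create --assignee "$client_id" \
    --role "Key Vault Secrets Officer" --scope "$vault_id" >/dev/null

  # The file holds the client secret: recreate it owner-only, keep it out of git.
  ( umask 077; rm -f "$OUT"
    render_values "$tenant_id" "$client_id" "$client_secret" "$vault_uri" >"$OUT" )
  echo "wrote $OUT" >&2
}

if [ "${1:-}" = "provision" ]; then provision; fi
```

Run the script with the `provision` argument, then pass the generated file to Helm with `-f` alongside your other values.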
