Azure Key Vault is a cloud service for securely storing and accessing secrets, keys, and certificates. Using Azure Key Vault to store Couchbase credentials (rather than application settings or environment variables) provides encryption at rest, version history, cross-application secret sharing, and optional activation/expiration dates. This post covers two approaches: retrieving Couchbase Server credentials from Azure Key Vault via an Azure Function, and Couchbase Capella’s native Customer-Managed Encryption Keys (CMEK) integration with Azure Key Vault.
Local Configuration Files vs Azure Key Vault
Many applications start by storing credentials in local configuration files such as appsettings.json, local.settings.json, or environment-specific JSON files. That can work for local development, but it is not ideal for production secrets, especially if the file is checked into source control, copied between environments, or deployed with the application.
| Feature | Local Configuration Files | Azure Key Vault |
| Encryption at rest | Plaintext storage | AES-256 encrypted by default |
| Cross-app secret sharing | Per-app only | Shared single vault across multiple apps/services |
| Version history | No | Full version history with activation/expiration dates |
| Role-based access control (RBAC) | App-level only | Granular access policies per secret, per identity |
| Capella CMEK integration | No | Yes, native Azure Key Vault CMEK support |
| Use case | Simple app-specific config | Sensitive credentials, shared secrets, compliance requirements |
Approach 1: Azure Function Retrieving Couchbase Credentials from Key Vault
To demonstrate this approach, we’ll create an Azure Function with a system-assigned managed identity to retrieve Couchbase Server username and password from Azure Key Vault at runtime. The application never stores credentials directly.
Prerequisites
- Azure Key Vault with secrets for Couchbase username and password
- Azure Function App with system-assigned managed identity enabled
- Key Vault access granted to the Function App’s managed identity:
- Azure RBAC: Key Vault Secrets User role
- Vault access policy: Get secret permission
Key Vault Secret References in Azure Functions
Azure Functions support Key Vault references directly in application settings – no custom code required. Set an app setting value to:
@Microsoft.KeyVault(SecretUri=couchbases://cb.<redacted>.cloud.couchbase.com)
The Azure Functions runtime resolves the reference at startup.
Approach 2: Couchbase Capella Native Azure Key Vault CMEK
Couchbase Capella supports Customer-Managed Encryption Keys (CMEK) via Azure Key Vault. This means Capella uses your Azure Key Vault key to encrypt cluster data at rest – giving you control over the encryption key lifecycle, rotation, and revocation.
CMEK Prerequisites
- Azure Key Vault (Standard or Premium tier, including HSM-backed keys)
- RSA encryption key in Azure Key Vault: 2048-bit, 3072-bit, or 4096-bit
- Key Vault in the same Azure region as your Capella cluster
- Couchbase Capella Enterprise plan
CMEK Setup Steps
- In Capella, enable CMEK for Azure on your organization or project via the Management API.
- Retrieve the Capella Azure CMEK application ID (a service principal created by Couchbase in your tenant).
- In Azure, assign the service principal the Key Vault Crypto Service Encryption User role (RBAC) or equivalent access policy.
- Add your Key Identifier URI to Capella and create or apply CMEK to your cluster.
| CMEK Capability | Detail |
| Azure Key Vault tier | Standard and Premium supported (including HSM keys) |
| Key type | RSA symmetric: 2048, 3072, or 4096-bit |
| Key granularity | Couchbase recommends 1 key per cluster; project-level keys available |
| Key rotation | You control rotation schedule (via Management UI) |
| Key revocation | Revoking the key in Azure prevents Capella from accessing cluster data |
| Availability Plan | Enterprise plan required |
Frequently Asked Questions
What is Azure Key Vault?
A cloud service for securely storing and accessing secrets (passwords, API keys), keys (encryption keys), and certificates. It provides AES-256 encryption at rest, role-based access control, version history, and activation/expiration dates for secrets.
Why use Azure Key Vault instead of app settings for Couchbase credentials?
App settings store values as plaintext and are scoped to a single application. Azure Key Vault encrypts secrets at rest, enables sharing across multiple services, provides version history, and supports granular RBAC. Use Key Vault when credentials are sensitive or shared across multiple Azure services.
Does Couchbase Capella support Azure Key Vault?
Yes. Couchbase Capella supports Customer-Managed Encryption Keys (CMEK) via Azure Key Vault natively. Capella uses your Azure Key Vault key to encrypt cluster data at rest, giving you control over key lifecycle and revocation. CMEK requires the Enterprise plan.
What is Couchbase Capella CMEK?
Customer-Managed Encryption Keys (CMEK) allows Capella to use an encryption key from your own Azure Key Vault (or AWS KMS/GCP KMS) instead of Couchbase-managed keys, for data-at-rest encryption. You control key rotation, geographic storage, and can revoke access at any time.
What Azure Key Vault tier does Capella CMEK require?
Capella CMEK supports both Standard and Premium tiers of Azure Key Vault, including Managed HSM keys. The key must be a 2048-bit, 3072-bit, or 4096-bit RSA symmetric key. The Key Vault must be in the same Azure region as your Capella cluster.
Summary and Next Steps
Azure Key Vault provides a significantly more secure and manageable approach to storing Couchbase credentials than app settings or environment variables. For Azure Functions, use Key Vault references directly in app settings — no custom SDK code required. For Couchbase Capella, native CMEK integration with Azure Key Vault gives you full control over your cluster’s data-at-rest encryption key lifecycle, satisfying enterprise compliance requirements for key management sovereignty.
If you have any questions about this blog post, feel free to leave a comment below or find me on X @mgroves.
If you have a specific technical question about Couchbase, please check out the Couchbase Forums.

Leave a comment
You must be logged in to post a comment.