Couchbase Server

Azure Key Vault for Credentials

5 MIN READ

Azure Key Vault is a cloud service for securely storing and accessing secrets, keys, and certificates. Using Azure Key Vault to store Couchbase credentials (rather than application settings or environment variables) provides encryption at rest, version history, cross-application secret sharing, and optional activation/expiration dates. This post covers two approaches: retrieving Couchbase Server credentials from Azure Key Vault via an Azure Function, and Couchbase Capella’s native Customer-Managed Encryption Keys (CMEK) integration with Azure Key Vault.

Local Configuration Files vs Azure Key Vault

Many applications start by storing credentials in local configuration files such as appsettings.json, local.settings.json, or environment-specific JSON files. That can work for local development, but it is not ideal for production secrets, especially if the file is checked into source control, copied between environments, or deployed with the application.

FeatureLocal Configuration FilesAzure Key Vault
Encryption at restPlaintext storageAES-256 encrypted by default
Cross-app secret sharingPer-app onlyShared single vault across multiple apps/services
Version historyNoFull version history with activation/expiration dates
Role-based access control (RBAC)App-level onlyGranular access policies per secret, per identity
Capella CMEK integrationNoYes, native Azure Key Vault CMEK support
Use caseSimple app-specific configSensitive credentials, shared secrets, compliance requirements

Approach 1: Azure Function Retrieving Couchbase Credentials from Key Vault

To demonstrate this approach, we’ll create an Azure Function with a system-assigned managed identity to retrieve Couchbase Server username and password from Azure Key Vault at runtime. The application never stores credentials directly.

Prerequisites

  • Azure Key Vault with secrets for Couchbase username and password
  • Azure Function App with system-assigned managed identity enabled
  • Key Vault access granted to the Function App’s managed identity:
    • Azure RBAC: Key Vault Secrets User role
    • Vault access policy: Get secret permission

Key Vault Secret References in Azure Functions

Azure Functions support Key Vault references directly in application settings – no custom code required. Set an app setting value to:

@Microsoft.KeyVault(SecretUri=couchbases://cb.<redacted>.cloud.couchbase.com)

The Azure Functions runtime resolves the reference at startup.

Approach 2: Couchbase Capella Native Azure Key Vault CMEK

Couchbase Capella supports Customer-Managed Encryption Keys (CMEK) via Azure Key Vault. This means Capella uses your Azure Key Vault key to encrypt cluster data at rest – giving you control over the encryption key lifecycle, rotation, and revocation.

CMEK Prerequisites

  • Azure Key Vault (Standard or Premium tier, including HSM-backed keys)
  • RSA encryption key in Azure Key Vault: 2048-bit, 3072-bit, or 4096-bit
  • Key Vault in the same Azure region as your Capella cluster
  • Couchbase Capella Enterprise plan

CMEK Setup Steps

  1. In Capella, enable CMEK for Azure on your organization or project via the Management API.
  2. Retrieve the Capella Azure CMEK application ID (a service principal created by Couchbase in your tenant).
  3. In Azure, assign the service principal the Key Vault Crypto Service Encryption User role (RBAC) or equivalent access policy.
  4. Add your Key Identifier URI to Capella and create or apply CMEK to your cluster.
CMEK CapabilityDetail
Azure Key Vault tierStandard and Premium supported (including HSM keys)
Key typeRSA symmetric: 2048, 3072, or 4096-bit
Key granularity Couchbase recommends 1 key per cluster; project-level keys available
Key rotation You control rotation schedule (via Management UI)
Key revocationRevoking the key in Azure prevents Capella from accessing cluster data
Availability PlanEnterprise plan required

Frequently Asked Questions

What is Azure Key Vault?

A cloud service for securely storing and accessing secrets (passwords, API keys), keys (encryption keys), and certificates. It provides AES-256 encryption at rest, role-based access control, version history, and activation/expiration dates for secrets.

Why use Azure Key Vault instead of app settings for Couchbase credentials?

App settings store values as plaintext and are scoped to a single application. Azure Key Vault encrypts secrets at rest, enables sharing across multiple services, provides version history, and supports granular RBAC. Use Key Vault when credentials are sensitive or shared across multiple Azure services.

Does Couchbase Capella support Azure Key Vault?

Yes. Couchbase Capella supports Customer-Managed Encryption Keys (CMEK) via Azure Key Vault natively. Capella uses your Azure Key Vault key to encrypt cluster data at rest, giving you control over key lifecycle and revocation. CMEK requires the Enterprise plan.

What is Couchbase Capella CMEK?

Customer-Managed Encryption Keys (CMEK) allows Capella to use an encryption key from your own Azure Key Vault (or AWS KMS/GCP KMS) instead of Couchbase-managed keys, for data-at-rest encryption. You control key rotation, geographic storage, and can revoke access at any time.

What Azure Key Vault tier does Capella CMEK require?

Capella CMEK supports both Standard and Premium tiers of Azure Key Vault, including Managed HSM keys. The key must be a 2048-bit, 3072-bit, or 4096-bit RSA symmetric key. The Key Vault must be in the same Azure region as your Capella cluster.

Summary and Next Steps

Azure Key Vault provides a significantly more secure and manageable approach to storing Couchbase credentials than app settings or environment variables. For Azure Functions, use Key Vault references directly in app settings — no custom SDK code required. For Couchbase Capella, native CMEK integration with Azure Key Vault gives you full control over your cluster’s data-at-rest encryption key lifecycle, satisfying enterprise compliance requirements for key management sovereignty.

If you have any questions about this blog post, feel free to leave a comment below or find me on X @mgroves.

If you have a specific technical question about Couchbase, please check out the Couchbase Forums.

Share this article

Author

Matthew D. Groves is a guy who loves to code. It doesn’t matter if it’s C#, jQuery, or PHP: he’ll submit pull requests for anything. He has been coding professionally ever since he wrote a QuickBASIC point-of-sale app for his parent’s pizza shop back in the 90s. He currently works as a Senior Product Marketing Manager for Couchbase. His free time is spent with his family, watching the Reds, and getting involved in the developer community. He is the author of AOP in .NET, Pro Microservices in .NET, a Pluralsight author, and a Microsoft MVP.

Leave a comment

Ready to get Started with Couchbase Capella?

Start building

Check out our developer portal to explore NoSQL, browse resources, and get started with tutorials.

Use Capella free

Get hands-on with Couchbase in just a few clicks. Capella DBaaS is the easiest and fastest way to get started.

Get in touch

Want to learn more about Couchbase offerings? Let us help.