Retrieve Key Vault secrets in Logic App

1. Retrieve Key Vault secrets in Logic App

Welcome back! In the last exercise, we created a Key Vault and stored a secret in it. Now, let’s see how we can access that secret from a Logic App using a simple automated flow. We’re using this Logic App to demonstrate the idea. To fetch the secret, the Logic App first needs permission to access the Key Vault. To do that, we’ll enable something called a System Assigned Managed Identity. We haven’t covered Managed Identities yet but we’ll get to that soon. For now, just understand it allows the Logic App to securely authenticate to Azure services without storing credentials. Let’s head over to the Identity section of the Logic App. We’ll enable System Assigned Identity and grab the Object ID, this is like the app’s identity card. Next, in the Key Vault’s Access Policies, we’ll create a new policy to allow secret access. Under permissions, we’ll grant Get and other secret-related permissions. Then, paste in the Object ID we just copied as the principal. Finish by adding and saving the policy. That’s it for the setup! Now let’s build the Logic App flow. First, we’ll use the trigger When an HTTP request is received. This lets us run the app on demand. Next, insert the action Get Secret from Azure Key Vault. And here’s the cool part the secret we created earlier is already showing up! That’s because we just connected the Logic App’s identity with the Key Vault. Let’s make one quick change. We’ll disable Secure Inputs and Secure Outputs so we can see the secret value during this demo. In real apps, these should stay on for security. Now we’ll save the Logic App, run it, and check the run history. And there it is, the secret value has been fetched successfully from the Key Vault. So that’s how you securely pull secrets from Azure Key Vault into a Logic App using Managed Identity.

2. Let's practice!

Create Your Free Account

or

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.

This exercise is part of the course

Implement Azure Security for Developers

IntermediateSkill Level

5.0+

Start Course for Free

In this chapter, you’ll first get hands-on with Microsoft Entra ID to manage users, groups, and roles in a secure, centralized way. Then, you’ll build a solid foundation in identity management, exploring how authentication, authorization, and service principals work together to control access. Finally, you’ll learn to use Shared Access Signatures to grant limited, time-bound access to storage without exposing sensitive credentials.

Exercise 1: Getting started with Azure security Exercise 2: Microsoft Entra ID overview Exercise 3: Selecting the right security tool Exercise 4: Authentication and authorization in Entra ID Exercise 5: Creating users in Entra ID Exercise 6: Secure access Exercise 7: Authentication vs. authorization Exercise 8: Microsoft identity platform Exercise 9: Application object vs service principal Exercise 10: App-only access scenarios Exercise 11: Shared Access Signatures (SAS)Exercise 12: Choosing the right SAS Exercise 13: Creating a SAS token Exercise 14: Secure vs. insecure SAS practices

In this chapter, you'll build a strong foundation in securing app settings and sensitive data using Azure App Configuration and Key Vault. You’ll explore how to manage configurations, enable feature flags, and safeguard settings using encryption, private endpoints, and managed identities. Moving into Key Vault, you’ll learn how it stores secrets, keys, and certificates, and how to apply authentication and authorization best practices. Finally, you'll examine advanced protections like Soft Delete and Purge Protection to ensure your critical data remains safe and recoverable.

Exercise 1: Azure App configuration Exercise 2: Deploying App Configuration Exercise 3: Storing settings in App Configuration Exercise 4: Classify feature management components Exercise 5: Getting started with Key vault Exercise 6: Classifying keys, secrets, and certificates Exercise 7: Retrieve Key Vault secrets in Logic App

Current Exercise

Exercise 8: Managing secrets in Key Vault Exercise 9: Advanced Key vault settings Exercise 10: Choosing the right authorization model Exercise 11: Soft delete & purge protection

In this part of the course, you’ll begin with Azure Managed Identities, seeing how they let applications access resources securely without managing credentials. You’ll then move into Microsoft Graph, where you’ll explore its unified API and practice queries in Graph Explorer. Finally, you’ll advance to techniques like pagination and batching to handle data more efficiently and build scalable integrations.

Exercise 1: Secure access with managed identities Exercise 2: Managed identities: system vs user assigned Exercise 3: Assigning UAMI for multiple resources Exercise 4: Introduction to Microsoft Graph Exercise 5: Classifying HTTP methods Exercise 6: Exploring data with Graph explorer Exercise 7: Microsoft Graph explorer's quick tour Exercise 8: Advanced usage of Microsoft Graph Exercise 9: Client-side pagination with $top Exercise 10: Match responses to requests