Skip to main content
AL-Go for GitHub supports Azure KeyVault for centralized secret management, allowing you to store sensitive credentials like authentication contexts and tokens securely in Azure instead of GitHub.

Benefits of Azure KeyVault

Centralized Management

Store all secrets in one secure location accessible across repositories

Enhanced Security

Use Azure’s enterprise-grade security features and HSM support

Audit & Compliance

Track secret access and meet compliance requirements

Prerequisites

Before integrating Azure KeyVault with AL-Go, ensure you have:
  • Completed AL-Go repository setup
  • An Azure KeyVault instance created
  • Azure Active Directory app registration with KeyVault access
  • Appropriate permissions to configure service principals
If you need Hardware Security Module (HSM) support, you must use a Premium SKU KeyVault. See Microsoft’s documentation for more information.

Setup Overview

Integrating Azure KeyVault with AL-Go involves two main steps:
  1. Create Azure service principal - Set up authentication between GitHub and Azure
  2. Configure AL-Go settings - Connect your repository to the KeyVault

Step 1: Create Service Principal

Follow Microsoft’s guide on connecting from GitHub to Azure to create a service principal with KeyVault access.
1

Create App Registration

In Azure Portal, create a new App Registration:
  • Navigate to Azure Active Directory > App registrations
  • Click “New registration”
  • Name your application (use a verified domain, e.g., https://myapp.mydomainname.com)
  • Select appropriate account type
2

Create Client Secret

Generate a client secret for the app registration:
  • Open your app registration
  • Go to “Certificates & secrets”
  • Create a new client secret
  • Copy the secret value (you won’t be able to see it again)
3

Grant KeyVault Access

Assign permissions to access your KeyVault:
  • Open your KeyVault in Azure Portal
  • Go to “Access policies”
  • Add access policy with “Get” and “List” secret permissions
  • Select the service principal you created
  • Save the access policy
4

Create AZURE_CREDENTIALS JSON

Build the authentication JSON with the following structure:
{
  "clientId": "<your-client-id>",
  "clientSecret": "<your-client-secret>",
  "tenantId": "<your-tenant-id>",
  "subscriptionId": "<your-subscription-id>",
  "keyVaultName": "<your-keyvault-name>"
}
Compress this JSON (remove whitespace) before adding it as a secret.

Step 2: Configure GitHub Repository

Once your Azure resources are ready, configure your GitHub repository to use KeyVault.
1

Add AZURE_CREDENTIALS Secret

Add the compressed JSON from Step 1 as a repository secret:
  • Go to your repository Settings > Secrets and variables > Actions
  • Click “New repository secret”
  • Name: AZURE_CREDENTIALS
  • Value: The compressed JSON containing service principal details and KeyVault name
2

Optional: Add KeyVault Name to Settings

Alternatively, you can specify the KeyVault name in .github/AL-Go-Settings.json:
{
  "keyVaultName": "<your-keyvault-name>"
}
If specified in settings, you don’t need to include keyVaultName in the AZURE_CREDENTIALS JSON.

Migrating Secrets to KeyVault

Move your existing GitHub secrets to Azure KeyVault for centralized management.
1

Add Secrets to KeyVault

Transfer your GitHub secrets to Azure KeyVault:
  1. Navigate to your KeyVault in Azure Portal
  2. Go to “Secrets” section
  3. Click “Generate/Import”
  4. Add each secret with the same name used in GitHub
2

Remove GitHub Secrets

After confirming KeyVault access works, remove the secrets from:
  • Repository secrets (Settings > Secrets and variables > Actions)
  • Environment secrets (Settings > Environments > [environment] > Secrets)
Test KeyVault integration before removing GitHub secrets to ensure continuity.

Common Secrets to Store

These are typical secrets to migrate to Azure KeyVault:
authContext
  • Business Central environment authentication
  • Format: Compressed JSON with authentication details
  • Used by: Deployment workflows
[Environment]_AuthContext
  • Environment-specific authentication contexts
  • Format: Compressed JSON
  • Used by: Deploy to specific environments

Verification

Verify that AL-Go can successfully access secrets from Azure KeyVault.
1

Run CI/CD Pipeline

Trigger a CI/CD workflow to test basic KeyVault integration:
  • Push a commit or manually trigger the workflow
  • Monitor the workflow execution for authentication success
  • Verify that builds and tests complete without authentication errors
2

Test Deployment

If you migrated deployment secrets, test environment deployment:
  • Trigger a deployment to a configured environment
  • Verify the workflow retrieves authContext from KeyVault
  • Confirm successful deployment to target environment
3

Test AL-Go Updates

Run “Update AL-Go System Files” to verify ghTokenWorkflow access:
  • Navigate to Actions > Update AL-Go System Files
  • Run the workflow
  • Verify it can access the token from KeyVault
  • Confirm successful completion

Secret Naming Conventions

AL-Go looks for secrets in this order:
  1. Environment secrets (if deploying to a specific GitHub environment)
  2. Repository secrets
  3. Azure KeyVault secrets (if AZURE_CREDENTIALS is configured)
Secret names in KeyVault should match exactly the names AL-Go expects (e.g., authContext, ghTokenWorkflow). Secret names are case-sensitive.

KeyVault Secret Format Examples

authContext Secret

{
  "tenantID": "<your-tenant-id>",
  "clientID": "<your-client-id>",
  "clientSecret": "<your-client-secret>",
  "scopes": "https://api.businesscentral.dynamics.com/.default",
  "authority": "https://login.microsoftonline.com"
}

ghTokenWorkflow Secret

ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Store just the token value as a string, not as JSON.

Advanced Configuration

Multiple KeyVaults

You can use different KeyVaults for different purposes: 
{
  "keyVaultName": "<default-keyvault>",
  "environments": ["Production", "Staging"],
  "DeployToProduction": {
    "keyVaultName": "<production-keyvault>"
  },
  "DeployToStaging": {
    "keyVaultName": "<staging-keyvault>"
  }
}

KeyVault with Firewall

If your KeyVault has network restrictions:
  • Ensure GitHub Actions IP ranges are allowed
  • Or use a self-hosted runner within your network
  • Configure KeyVault firewall to allow your runner’s IP addresses

Managed Identity (Self-Hosted Runners)

For self-hosted runners in Azure, you can use Managed Identity instead of service principal:
1

Enable Managed Identity

Enable system-assigned managed identity on your runner VM in Azure Portal.
2

Grant KeyVault Access

Add the managed identity to your KeyVault access policies with appropriate permissions.
3

Configure AL-Go

Add KeyVault name to settings (AZURE_CREDENTIALS not needed when using Managed Identity):
{
  "keyVaultName": "<your-keyvault-name>",
  "useAzureManagedIdentity": true
}

Troubleshooting

Verify:
  • Service principal credentials are correct in AZURE_CREDENTIALS
  • Service principal has access policy in KeyVault
  • KeyVault name is correct
  • Tenant ID and subscription ID are correct
Check:
  • Secret name exactly matches what AL-Go expects (case-sensitive)
  • Secret exists in the specified KeyVault
  • Access policy grants “Get” permission for secrets
Investigate:
  • KeyVault firewall settings
  • GitHub Actions IP ranges if using firewall restrictions
  • Self-hosted runner network connectivity to Azure
Remember:
  • GitHub secrets take precedence over KeyVault
  • Remove GitHub secrets after confirming KeyVault works
  • Environment secrets override repository secrets

Security Best Practices

1

Use Least Privilege

Grant only necessary permissions:
  • KeyVault: Only “Get” and “List” for secrets
  • Service principal: Only KeyVault access, no broader permissions
2

Rotate Secrets Regularly

Implement secret rotation:
  • Set expiration dates on client secrets
  • Rotate service principal credentials periodically
  • Update KeyVault secrets when rotating credentials
3

Enable Audit Logging

Monitor KeyVault access:
  • Enable Azure Monitor for KeyVault
  • Review access logs regularly
  • Set up alerts for suspicious activity
4

Use Premium SKU for HSM

For sensitive workloads:
  • Use Premium KeyVault with HSM support
  • Store encryption keys in HSM-backed keys
  • Implement key versioning

Next Steps

Enable Telemetry

Monitor KeyVault access and workflow performance

Self-Hosted Runners

Use managed identity with Azure-hosted runners

Build docs developers (and LLMs) love

Get started for freeTalk to us