This collection demonstrates how to configure and use Azure Key Vault as a secret provider in Bruno, allowing you to securely inject secrets (API keys, credentials, etc.) into your requests without hardcoding them.
Note: Azure Key Vault integration requires Bruno Ultimate License .
- Bruno installed (Golden Edition required)
- An active Azure subscription with a Key Vault created
- A Service Principal (App Registration) with the following Key Vault permissions:
Microsoft.KeyVault/vaults/secrets/read— to read secret valuesMicrosoft.KeyVault/vaults/secrets/readMetadata/action— to list available secrets
- Your Tenant ID, Client ID, and Client Secret (for Account auth)
or Azure CLI installed and logged in (for CLI auth — see CLI Authentication)
Open Bruno and navigate to Preferences from the top-left menu.
-
Go to the Secrets Manager tab in the left sidebar.
-
Click + Add Secret Provider.
-
In the Edit Provider dialog, fill in the following fields:
Field Value Name Any label (e.g. Azure)Secret Manager Azure Key VaultTenant ID Your Azure Tenant ID Client ID Your App Registration Client ID Client Secret Your App Registration Client Secret 
Click Test Provider at the bottom-left of the dialog to verify connectivity. A success message confirms the provider is connected.
Click Save to store the secret provider configuration.
-
Open your collection (e.g. Azure-Vault).
-
Navigate to the Secrets tab.
-
Click the provider dropdown and select Azure Key Vault.
Add a secret row with:
-
Name — a local alias used to reference the secret (e.g.
usebruno) -
Vault Name — the name of your Azure Key Vault (e.g.
sandbox-ci-vault)
Click Save.
Click Fetch Secrets. In the confirmation dialog, choose your authentication method:
-
Account tab — select your configured provider (e.g.
Azure) and click Fetch -
CLI tab — use your active Azure CLI session (see CLI Authentication below)
Once fetched successfully, the Secrets column will display the available keys from your vault (e.g. test, testAzure).
Reference a secret in any request field (headers, body, auth, query params) using the pattern:
{{$secrets.<secret-name>.<key-name>}}
Bruno provides autocomplete as you type {{$secrets.usebruno. — available keys from the vault are suggested inline.
Example — using the test key from the usebruno secret in a request body:
{
"title": "{{$secrets.usebruno.test}}",
"msg": "The API client developers love most"
}The resolved response contains the actual secret value fetched from Azure Key Vault ("title": "secret"):
You can also access secrets programmatically in Pre-request or Post-request scripts:
const secretValue = bru.getSecretVar('<secret-name>.<key-name>');
console.log(secretValue);
// Example: inject an API key into a request header
const apiKey = bru.getSecretVar('usebruno.test');
req.setHeader('Authorization', 'Bearer ' + apiKey);Azure CLI authentication lets you authenticate with Azure Key Vault using your existing az login session — no need to store Tenant ID, Client ID, or Client Secret in Bruno.
-
Install Azure CLI and log in:
az login
-
Follow the browser-based authentication flow.
- Click Fetch Secrets in the collection's Secrets tab.
- In the dialog, switch to the CLI tab.
- Click Test CLI to verify your active session.
- Click Fetch to retrieve secrets from the vault.
This approach avoids storing credentials locally and is the recommended method in CI/CD or shared environments.
Azure-Vault/
├── README.md # This file
├── opencollection.yml # Bruno collection metadata
├── echo-bru.yml # Sample request using $secrets
├── secrets.json # Secret references (vault names, no values)
├── .env # Local environment overrides (git-ignored)
├── .gitignore
├── environments/
└── assets/
├── 01-add-secret-provider.png
├── 02-select-azure-key-vault.png
├── 03-secret-configured.png
├── 04-fetch-secrets-dialog.png
├── 05-secrets-fetched.png
├── 06-secret-autocomplete.png
└── 07-secret-in-request.png
Note:
secrets.jsonstores only vault names — never actual secret values. Values are fetched at runtime from Azure Key Vault.