Tutorial: Manage MySQL credentials in Azure Key Vault

You can store the MySQL connection string in Azure Key Vault to ensure that sensitive information is securely managed and accessed only by authorized users or applications. Additionally, any changes to the connection string can be easily updated in the Key Vault without modifying the application code.


  • You need an Azure subscription. If you don't already have a subscription, create a free account before you begin.
  • All access to secrets takes place through Azure Key Vault. For this quickstart, create a key vault using Azure portal, Azure CLI, or Azure PowerShell. Make sure you have the necessary permissions to manage and access the Key Vault.
  • Install .NET or Java or PHP or Python based on the framework you are using for your application.

Add a secret to Key Vault

To add a secret to the vault, follow the steps:

  1. Navigate to your new key vault in the Azure portal
  2. On the Key Vault settings pages, select Secrets.
  3. Select on Generate/Import.
  4. On the Create a secret page, provide the following information:
    • Upload options: Manual.
    • Name: Type a name for the secret. The secret name must be unique within a Key Vault. The name must be a 1-127 character string, starting with a letter and containing only 0-9, a-z, A-Z, and -. For more information on naming, see Key Vault objects, identifiers, and versioning
    • Value: Type a value for the secret. Key Vault APIs accept and return secret values as strings.
    • Leave the other values to their defaults. Select Create.

Once that you receive the message that the secret has been successfully created, you may select on it on the list.

For more information, see About Azure Key Vault secrets

Configure access policies

In the Key Vault settings, configure the appropriate access policies to grant access to the users or applications that need to retrieve the MySQL connection string from the Key Vault. Ensure that the necessary permissions are granted for "Get" operations on secrets.

  1. In the Azure portal, navigate to the Key Vault resource.
  2. Select Access policies, then select Create.
  3. Select the permissions you want under Key permissions, Secret permissions, and Certificate permissions.
  4. Under the Principal selection pane, enter the name of the user, app or service principal in the search field and select the appropriate result. If you're using a managed identity for the app, search for and select the name of the app itself.
  5. Review the access policy changes and select Create to save the access policy.
  6. Back on the Access policies page, verify that your access policy is listed.

Retrieve the MySQL connection string

In your application or script, use the Azure Key Vault SDK or client libraries to authenticate and retrieve the MySQL connection string from the Key Vault. You need to provide the appropriate authentication credentials and access permissions to access the Key Vault. Once you have retrieved the MySQL connection string from Azure Key Vault, you can use it in your application to establish a connection to the MySQL database. Pass the retrieved connection string as a parameter to your database connection code.

Code samples to retrieve connection string

Here are few code samples to retrieve the connection string from the key vault secret.

In this code, we are using Azure SDK for .NET. We define the URI of our Key Vault and the name of the secret (connection string) we want to retrieve. We then create a new DefaultAzureCredential object, which represents the authentication information for our application to access the Key Vault.

using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

namespace KeyVaultDemo
    class Program
        static async Task Main(string[] args)
            var kvUri = "https://my-key-vault.vault.azure.net/";
            var secretName = "my-db-conn-string";
            var credential = new DefaultAzureCredential();
            var client = new SecretClient(new Uri(kvUri), credential);

            var secret = await client.GetSecretAsync(secretName);
            var connString = secret.Value;

            Console.WriteLine($"Connection string retrieved: {connString}");

Next steps

Azure Key Vault client libraries