# Obtaining key vault access credentials The following describes how to obtain access credentials for Azure Key Vault, AWS Secrets Manager, and HashiCorp Key Vault. It comprises the following: 1. [Secret engine accessibility check](#secret-engine-accessibility-check) 2. [Environment variables](#environment-variables) 3. [Azure Key Vault access credentials](https://docs-launchpad.energyweb.org/energy-solutions/digital-spine-by-energy-web/component-guides/ddhub-client-gateway/deployment-guide/preparing-to-set-up-a-client-gateway/obtaining-key-vault-access-credentials/azure-key-vault-access-credentials) 4. [AWS Secrets Manager access credentials](https://docs-launchpad.energyweb.org/energy-solutions/digital-spine-by-energy-web/component-guides/ddhub-client-gateway/deployment-guide/preparing-to-set-up-a-client-gateway/obtaining-key-vault-access-credentials/aws-secrets-manager-access-credentials) 5. [HashiCorp Key Vault access token](https://docs-launchpad.energyweb.org/energy-solutions/digital-spine-by-energy-web/component-guides/ddhub-client-gateway/deployment-guide/preparing-to-set-up-a-client-gateway/obtaining-key-vault-access-credentials/hashicorp-key-vault-access-token) ## Secret engine accessibility check In most cases, the secret engine will be on a private network. Please ensure that the Client GW can access the secret engine if they are not in the same network. ## Environment Variables Below is the complete list of environment variables to enable secrets engine in DDHub Client GW. Only one of its kind is needed depending on the vault of choice. ### Common Environment Variables

Key	Type	Default	Values	Description	Dependency
SECRETS_ENGINE	String	vault	vault aws azure	Key Vault to be used to store secrets	None
SECRET_PREFIX	String	ddhub/		Prefix to identify DDHub secrets from other secrets	None

Key

Type

Default

Values

Description

Dependency

SECRETS_ENGINE

String

vault

aws

azure

Key Vault to be used to store secrets

None

SECRET_PREFIX

String

ddhub/

Prefix to identify DDHub secrets from other secrets

None

### HashiCorp Environment Variables {% hint style="info" %} If `SECRETS_ENGINE` value above is `vault`, use the following environment variables. {% endhint %}

Key	Type	Description	Dependency
VAULT_ENDPOINT	String	URL of the key vault service	SECRETS_ENGINE = vault
VAULT_TOKEN	String	Auth Token to be able to access endpoints of the key vault service	SECRETS_ENGINE = vault

### Azure Key Vault Environment Variables {% hint style="info" %} If `SECRETS_ENGINE` value above is `azure`, use the following environment variables. {% endhint %}

Key	Type	Description	Dependency
AZURE_VAULT_URL	String	Vault URI for the Azure key vault resource	SECRETS_ENGINE = azure
AZURE_CLIENT_ID	String	Client ID for Azure Service Principal with access to the key vault resource	SECRETS_ENGINE = azure
AZURE_CLIENT_SECRET	String	Client Secret key for Azure Service Principal with access to the key vault resource	SECRETS_ENGINE = azure
AZURE_TENANT_ID	String	Tenant ID for Azure Service Principal	SECRETS_ENGINE = azure

### AWS Key Manager Environment Variables {% hint style="info" %} If `SECRETS_ENGINE` value above is `aws`, use the following environment variables. {% endhint %}

Key	Type	Description	Dependency
AWS_REGION	String	Region for AWS Secrets Manager resource	SECRETS_ENGINE = aws
AWS_ACCESS_KEY_ID	String	Access Key ID of IAM user with access to the secret manager	SECRETS_ENGINE = aws
AWS_SECRET_ACCESS_KEY	String	Secret Access Key of IAM user with access to the secret manager	SECRETS_ENGINE = aws