
feat(secret-sync): add option to disable certificate import in Azure Key Vault sync#5755

Merged
IgorHorta merged 11 commits into main from
igor/eng-4687-add-option-to-disable-certificate-import-in-akv-secret-sync
Mar 22, 2026

Conversation

@IgorHorta
Contributor

Context

This PR implements a new "Disable Certificate Import" option for Azure Key Vault Secret Sync. When enabled, Infisical will skip importing certificate-backed secrets (those with contentType application/x-pkcs12 or application/x-pem-file) from Azure Key Vault.

Why: Azure Key Vault exposes certificates through the Secrets API, which some users want to filter out to keep their Infisical secrets project focused only on actual secrets rather than certificate objects.

How it works: The filtering happens at the list stage (before fetching individual secret values) using the contentType field returned in the AKV List Secrets API response, avoiding unnecessary API calls.

Related ticket: ENG-4687

Changes

Backend

  • Added contentType?: string field to GetAzureKeyVaultSecret interface to capture certificate type information
  • Created AzureKeyVaultSyncOptionsSchema with disableCertificateImport boolean option
  • Updated base schema builders to accept sync options schemas as parameters
  • Implemented certificate filtering logic in sync functions that respects the new option
  • Added constant documentation for the new option in API docs
  • Updated all three sync operation handlers (create, update, delete) to pass the option to the fetch function

Frontend

  • Updated TAzureKeyVaultSync type to include disableCertificateImport in syncOptions
  • Added disableCertificateImport field to AzureKeyVaultSyncDestinationSchema (optional, defaults to false)
  • Created AzureKeyVaultSyncOptionsFields component with a toggle switch and tooltip
  • Wired the new component into SecretSyncOptionsFields switch statement
  • Fixed Azure Key Vault connection form to make tenantId optional for OAuth method (related fix)

Documentation

  • Updated Azure Key Vault sync configuration guide with description of the new option
  • Updated vault-options.png screenshot to show the new option

Steps to verify the change

  1. Navigate to Organization > App Connections and configure an Azure Key Vault connection
  2. Create a new secret sync with Azure Key Vault as the destination
  3. On the options step, verify the new "Disable Certificate Import" toggle appears
  4. Enable the toggle and create the sync
  5. Verify that certificate objects from Azure Key Vault are not imported into the sync when the option is enabled
  6. Disable the toggle and verify certificates are imported normally

Screenshots

Updated vault-options.png showing the new toggle in the UI configuration screen.

Type

  • Feature
  • Fix
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format
  • Tested locally (pending local testing)
  • Updated docs (Azure Key Vault sync documentation)
  • Updated CLAUDE.md files (not needed for this change)
  • Read the contributing guide

…t sync

Add optional contentType field to GetAzureKeyVaultSecret interface and create
AzureKeyVaultSyncOptionsSchema with disableCertificateImport field. Update the
base schema builders to accept sync options schemas as a parameter, allowing
destination-specific options to be included in create/update sync endpoints.

… Vault sync

Add certificate content type detection to filter out application/x-pkcs12 and
application/x-pem-file secrets when disableCertificateImport option is enabled.
Filtering happens at the list stage before fetching individual secret values,
avoiding unnecessary API calls. Update all three sync operation handlers
(create, update, delete) to pass the option to the fetch function.

Add description for the new AZURE_KEY_VAULT.disableCertificateImport option
in the SecretSyncs constants, making it available for API documentation.

Update TAzureKeyVaultSync type to include disableCertificateImport as an
optional field in syncOptions, matching the backend schema.

Add disableCertificateImport field to AzureKeyVaultSyncDestinationSchema as
an optional boolean that defaults to false.

Create AzureKeyVaultSyncOptionsFields component with a toggle switch for the
disableCertificateImport option, including tooltip documentation. Wire it into
SecretSyncOptionsFields switch statement to render for Azure Key Vault syncs.

Update oauthSchema to make tenantId optional since OAuth flow doesn't require
it for Azure Key Vault connections. Fix submit button disable logic to properly
allow submission for new OAuth connections.

Add documentation for the new Disable Certificate Import option in the
Azure Key Vault sync configuration guide, explaining when and why to enable it.

Update the vault-options.png screenshot to show the new option.

@maidul98
Collaborator

maidul98 commented Mar 19, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine: Open Source Security. Critical 0, High 0, Medium 0, Low 0. Total: 0 issues.


@IgorHorta
Contributor Author

@greptile review this!

@greptile-apps
Contributor

greptile-apps bot commented Mar 19, 2026

Greptile Summary

This PR adds a disableCertificateImport option to the Azure Key Vault Secret Sync that, when enabled, filters out certificate-backed secrets (identified by their contentType) from the AKV list response before fetching individual values. The feature is well-documented, follows existing patterns for sync options (schema, UI toggle, type definitions), and correctly addresses the previous review comment by moving the certificate content-type constant to module scope.

Key changes:

  • Backend: New AzureKeyVaultSyncOptionsSchema with disableCertificateImport boolean, filtering applied at list-stage in $getAzureKeyVaultSecrets, option threaded through all three sync operations.
  • Frontend: New AzureKeyVaultSyncOptionsFields toggle component wired into the sync options form; TAzureKeyVaultSync type extended with the new option.
  • Connection form fix: OAuth tenantId made optional (with fallback to "common") and the submit button is now enabled for OAuth even with a clean form — a reasonable UX fix.
  • Documentation: Updated azure-key-vault.mdx and screenshot to describe the new option.

Two issues worth attention:

  1. When disableCertificateImport=true, certificate secrets are excluded from vaultSecrets, so syncSecrets may attempt to PUT Infisical secrets whose names match AKV certificates. AKV rejects such writes, causing SecretSyncError failures for users who previously imported certificates before enabling the option.
  2. In AzureKeyVaultConnectionForm, the Tenant ID <Controller> uses name="credentials.tenantId" for both methods, but oauthSchema defines tenantId at the top level — meaning the value entered in OAuth mode is silently ignored when constructing the OAuth redirect URL (pre-existing issue surfaced by this PR's change).

Confidence Score: 3/5

  • Mostly safe but has a logic gap in the sync direction that can produce sync failures when the option is toggled on an existing sync with previously imported certificates.
  • The schema, UI, and documentation changes are clean and correct. The primary concern is in syncSecrets: by removing certificates from vaultSecrets, Infisical may attempt to push certificate-named secrets to AKV, which AKV rejects. There is also a pre-existing form path mismatch in the OAuth connection form that is surfaced (though not introduced) by this PR.
  • backend/src/services/secret-sync/azure-key-vault/azure-key-vault-sync-fns.ts (sync direction logic) and frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/AzureKeyVaultConnectionForm.tsx (Controller path mismatch for OAuth tenantId).

Important Files Changed

Filename Overview
backend/src/services/secret-sync/azure-key-vault/azure-key-vault-sync-fns.ts Implements certificate filtering via a new disableCertificateImport param; the filter is applied to vaultSecrets before enabled/disabled splits, but when this option is on, syncSecrets will attempt to push Infisical secrets whose names match AKV certificates back to AKV, causing sync failures since AKV rejects writes to certificate-managed secrets.
backend/src/services/secret-sync/azure-key-vault/azure-key-vault-sync-schemas.ts Adds AzureKeyVaultSyncOptionsSchema with the optional disableCertificateImport boolean and correctly threads it through BaseSecretSyncSchema, GenericCreateSecretSyncFieldsSchema, and GenericUpdateSecretSyncFieldsSchema. Schema changes look correct.
backend/src/services/secret-sync/azure-key-vault/azure-key-vault-sync-types.ts Adds optional contentType?: string to the GetAzureKeyVaultSecret interface to capture the certificate content-type field from the AKV list response. Minimal, correct change.
frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/AzureKeyVaultConnectionForm.tsx Makes OAuth tenantId optional and unblocks the submit button for OAuth even when the form is clean. However, the Tenant ID <Controller> is bound to credentials.tenantId for both methods, while oauthSchema defines tenantId at the top level; the value entered in OAuth mode is silently ignored when building the OAuth redirect URL (pre-existing bug surfaced by this change).
frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/AzureKeyVaultSyncOptionsFields.tsx New component that renders a toggle switch for disableCertificateImport using react-hook-form Controller; follows the same pattern as other sync options fields and looks correct.

Last reviewed commit: "refactor(secret-sync..."
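The following is an added illustration, not code from the Infisical repository or from this PR's diff (which is not shown on this page). It sketches in TypeScript the two pieces discussed above: the list-stage filter from the PR description (drop certificate-backed items by contentType before any per-secret fetch) and the push-side guard that the Greptile review's first point asks for (never PUT an Infisical key whose name collides with a certificate that was filtered out). The item shape, the function names, the option type and the sample list response are all assumptions made for this example.

```typescript
// Added illustration, not code from Infisical or from PR #5755.
// Assumed minimal shape of one AKV "List Secrets" item: `id` is the secret URL,
// `contentType` is the optional media type the PR description refers to.
type AkvSecretItem = {
  id: string;
  contentType?: string;
  attributes?: { enabled?: boolean };
};

// Hypothetical option bag; the PR's real schema is named AzureKeyVaultSyncOptionsSchema.
type AzureKeyVaultSyncOptions = { disableCertificateImport?: boolean };

// The two content types the PR treats as certificate-backed secrets.
const CERTIFICATE_CONTENT_TYPES: ReadonlySet<string> = new Set([
  "application/x-pkcs12",
  "application/x-pem-file",
]);

// "https://<vault>.vault.azure.net/secrets/<name>[/<version>]" -> "<name>".
function secretNameFromId(id: string): string {
  const parts = id.split("/").filter((p) => p.length > 0);
  const idx = parts.indexOf("secrets");
  const name = idx >= 0 ? parts[idx + 1] : parts[parts.length - 1];
  return name ?? "";
}

function isCertificateBacked(item: AkvSecretItem): boolean {
  if (!item.contentType) return false;
  // Compare only the bare media type, case-insensitively, ignoring ";param=..." suffixes.
  const mediaType = (item.contentType.split(";")[0] ?? "").trim().toLowerCase();
  return CERTIFICATE_CONTENT_TYPES.has(mediaType);
}

type ListFilterResult = {
  toFetch: AkvSecretItem[];             // items whose values will still be fetched
  skippedCertificateNames: Set<string>; // certificate-backed names left out
};

// List-stage filter: decided from the list response alone, so no per-secret
// GET is issued for an item that will be dropped anyway.
function filterListResponse(
  items: AkvSecretItem[],
  options: AzureKeyVaultSyncOptions,
): ListFilterResult {
  const toFetch: AkvSecretItem[] = [];
  const skippedCertificateNames = new Set<string>();
  for (const item of items) {
    if (options.disableCertificateImport === true && isCertificateBacked(item)) {
      skippedCertificateNames.add(secretNameFromId(item.id));
      continue;
    }
    toFetch.push(item);
  }
  return { toFetch, skippedCertificateNames };
}

type PushPlan = { put: string[]; skippedCollisions: string[] };

// Push-side guard (hypothetical, the reviewer's suggestion): an Infisical key
// whose name matches a filtered-out certificate is not written back to AKV,
// which would otherwise reject the write and fail the sync.
function planPush(
  infisicalSecrets: Record<string, string>,
  listResult: ListFilterResult,
): PushPlan {
  const put: string[] = [];
  const skippedCollisions: string[] = [];
  for (const key of Object.keys(infisicalSecrets)) {
    if (listResult.skippedCertificateNames.has(key)) skippedCollisions.push(key);
    else put.push(key);
  }
  return { put, skippedCollisions };
}

// Constructed sample list response; not real vault data.
const SAMPLE_LIST_RESPONSE: AkvSecretItem[] = [
  { id: "https://example-kv.vault.azure.net/secrets/DB-PASSWORD", attributes: { enabled: true } },
  { id: "https://example-kv.vault.azure.net/secrets/tls-cert", contentType: "application/x-pkcs12", attributes: { enabled: true } },
  { id: "https://example-kv.vault.azure.net/secrets/ca-bundle", contentType: "Application/X-PEM-File; charset=utf-8", attributes: { enabled: true } },
  { id: "https://example-kv.vault.azure.net/secrets/API-KEY", contentType: "text/plain", attributes: { enabled: false } },
];

// A project that imported "tls-cert" before the option was enabled still holds it;
// with the guard, only the two genuine secrets are pushed.
function demo(): PushPlan {
  const filtered = filterListResponse(SAMPLE_LIST_RESPONSE, { disableCertificateImport: true });
  return planPush({ "DB-PASSWORD": "...", "tls-cert": "<pem>", "NEW-SECRET": "x" }, filtered);
}
```

With the option on, `filterListResponse` keeps DB-PASSWORD and API-KEY and records tls-cert and ca-bundle as skipped; `demo()` then plans to PUT DB-PASSWORD and NEW-SECRET and skips tls-cert. The media-type comparison is case-insensitive and ignores parameters because the page only names the two bare types; whether the merged code normalises contentType the same way is not visible here.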

@IgorHorta IgorHorta marked this pull request as ready for review March 19, 2026 00:38
@IgorHorta IgorHorta requested a review from varonix0 March 19, 2026 19:10
@IgorHorta IgorHorta merged commit 0d47ac4 into main Mar 22, 2026
11 checks passed