Create a Key Vault with the Azure RBAC permission model enabled (pass --enable-rbac-authorization true to az keyvault create, or switch an existing vault with az keyvault update --enable-rbac-authorization true or in the portal)
Assign the Key Vault Secrets Officer or Key Vault Crypto Officer built-in role to administrators, and Key Vault Secrets User or Key Vault Crypto User to applications, scoped to the specific vault or to a single secret or key (the scope is the vault's ARM resource ID, optionally followed by /secrets/<name> or /keys/<name>); management-plane roles such as Owner and Contributor grant no data-plane access in RBAC mode, so even a subscription owner needs a Key Vault data-plane role to read a secret
Create secrets with az keyvault secret set or the SDK; applications reference them by vault URI and secret name (https://<vault>.vault.azure.net/secrets/<name>, optionally followed by /<version>) and never hardcode the value
Create keys (RSA or EC) for encryption or signing; the private key material stays inside the vault, so later sign, decrypt and unwrap operations are requested from Key Vault using the key identifier URI returned at creation (https://<vault>.vault.azure.net/keys/<name>/<version>)
Use managed identities for Azure-hosted workloads to authenticate to Key Vault without storing credentials (DefaultAzureCredential in the SDKs picks the identity up automatically); assign the appropriate RBAC role to the managed identity's principal, not to the VM or app resource
Enable soft-delete and purge protection on the vault to protect against accidental or malicious deletion: soft-delete is on by default for new vaults and cannot be turned off, the retention period is configurable from 7 to 90 days (default 90) at creation, and purge protection, once enabled, cannot be disabled; consult current docs before choosing the retention period
Known gotchas
Once RBAC mode is enabled, legacy access policies on the same vault are ignored (they are not deleted, but they no longer grant anything); all data-plane access must be managed through RBAC role assignments
RBAC assignments propagate with a delay, typically a few minutes (the Key Vault documentation says up to about 10); newly assigned roles may not be immediately effective, so automation should retry the first data-plane call rather than assume the assignment is live
Purge protection prevents permanent deletion until the retention period has elapsed, even by vault administrators, and cannot be disabled once enabled; a soft-deleted vault also keeps its name reserved for that period, so a redeploy pipeline must recover the old vault (az keyvault recover) rather than create a new one with the same name; plan key and vault lifecycle carefully before enabling
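The following script is an added example, not code from the original page or from any Azure project: it carries out the steps above with the Azure CLI (RBAC-mode vault with purge protection, vault-scoped Officer roles for the operator, a secret and an RSA key, and a user-assigned managed identity that is granted Key Vault Secrets User on exactly one secret). It also handles the propagation gotcha by retrying the first data-plane write instead of assuming the role is live. It assumes az is installed and logged in; the resource group, location, vault and identity names are placeholders chosen for this example, and the vault name must be changed to something globally unique.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Provision an RBAC-mode Key Vault,
# grant least-privilege roles to an operator and an application identity, and
# store one secret and one key. Assumes the Azure CLI is installed and logged in.
set -eu

RG="${RG:-kv-demo-rg}"              # assumed resource group name
LOCATION="${LOCATION:-eastus}"      # assumed region
VAULT="${VAULT:-kvdemo-example}"    # placeholder; must be globally unique
SECRET_NAME="db-password"           # placeholder secret name
KEY_NAME="app-signing-key"          # placeholder key name
MI_NAME="kv-demo-app-identity"      # placeholder user-assigned managed identity

# Data-plane URI for a secret; applications reference this, never the value.
secret_uri() { printf 'https://%s.vault.azure.net/secrets/%s\n' "$1" "$2"; }

# ARM resource IDs used as RBAC scopes: whole vault, one secret, or one key.
vault_scope()  { printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s\n' "$1" "$2" "$3"; }
secret_scope() { printf '%s/secrets/%s\n' "$(vault_scope "$1" "$2" "$3")" "$4"; }
key_scope()    { printf '%s/keys/%s\n'    "$(vault_scope "$1" "$2" "$3")" "$4"; }

# Role assignments take minutes to propagate; retry the data-plane call instead
# of assuming the role is live.  retry <attempts> <sleep_seconds> <cmd...>
retry() {
  local attempts=$1 delay=$2 n=1
  shift 2
  until "$@"; do
    [ "$n" -ge "$attempts" ] && return 1
    n=$((n + 1))
    sleep "$delay"
  done
}

provision() {
  local sub me mi_principal
  sub=$(az account show --query id -o tsv)
  me=$(az ad signed-in-user show --query id -o tsv)

  az group create -n "$RG" -l "$LOCATION" -o none
  # RBAC permission model from the start. Soft-delete is on by default; purge
  # protection is irreversible once set, so it is an explicit choice here.
  az keyvault create -n "$VAULT" -g "$RG" -l "$LOCATION" \
    --enable-rbac-authorization true --enable-purge-protection true \
    --retention-days 90 -o none

  # Operator: Secrets Officer and Crypto Officer, scoped to this vault only.
  for role in "Key Vault Secrets Officer" "Key Vault Crypto Officer"; do
    az role assignment create --assignee-object-id "$me" \
      --assignee-principal-type User --role "$role" \
      --scope "$(vault_scope "$sub" "$RG" "$VAULT")" -o none
  done

  # First data-plane write is retried until the Officer role has propagated.
  retry 20 30 az keyvault secret set --vault-name "$VAULT" -n "$SECRET_NAME" \
    --value "$(openssl rand -base64 32)" -o none
  az keyvault key create --vault-name "$VAULT" -n "$KEY_NAME" \
    --kty RSA --size 3072 -o none

  # Application identity: read-only on exactly one secret, no key access.
  az identity create -n "$MI_NAME" -g "$RG" -o none
  mi_principal=$(az identity show -n "$MI_NAME" -g "$RG" --query principalId -o tsv)
  az role assignment create --assignee-object-id "$mi_principal" \
    --assignee-principal-type ServicePrincipal --role "Key Vault Secrets User" \
    --scope "$(secret_scope "$sub" "$RG" "$VAULT" "$SECRET_NAME")" -o none

  echo "Reference in app config: $(secret_uri "$VAULT" "$SECRET_NAME")"
}

# Only touch Azure when explicitly asked, so the helpers can be sourced or tested.
if [ "${KV_APPLY:-0}" = "1" ]; then
  provision
fi
```

Run it with KV_APPLY=1 after overriding VAULT (and RG, LOCATION as needed); without KV_APPLY it only defines the helpers. The managed identity gets no key role at all, and the operator roles stop at the vault boundary, which is the least-privilege split the steps above describe.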