CloudRadial AutomationAI runner secrets — the AI-provider configuration and the Microsoft 365 credentials — live in a private Azure Key Vault inside your runner's virtual network. This article is for the technician who needs to add or change one of those secrets directly in Azure. It assumes you have access to the Azure subscription where the runner is deployed.
The runner Key Vault is private by design. If you open its firewall to edit a secret, re-lock it as soon as you are done — see Re-Lock the Vault below.
- Before You Start
- Find Your Runner Key Vault
- Grant Yourself the Key Vault Secrets Officer Role
- Allow Your IP Address Through the Vault Firewall
- Add or Change a Secret
- Apply the Change
- Re-Lock the Vault
- Runner Secret Reference
Before You Start
You need two independent things to edit a secret:
- The Key Vault Secrets Officer role on the vault, which lets you read and write secret values
- A network path to the vault. The vault has no public access, so you must either work from a host on the runner virtual network (or a peered/VPN network) or temporarily allow your own IP address through the vault firewall.
The vault is RBAC-mode and private: public network access is disabled and the default network action is deny. The role alone is not enough — without a network path, the portal and PowerShell still cannot reach the vault. A network path alone is not enough either, because writing a secret value requires the role.
Find Your Runner Key Vault
The vault name is stored on every runner Function App as the RUNNER_KV_NAME app setting, so you do not have to memorize it. From a machine signed in with the Az PowerShell module:
$rg = 'crautomationai-rg'
$app = (Get-AzFunctionApp -ResourceGroupName $rg | Select-Object -First 1).Name
$kv = (Get-AzFunctionAppSetting -ResourceGroupName $rg -Name $app)['RUNNER_KV_NAME']
$kv
The vault name has the form crrun-<stamp>-kv. Use it as the vault name in the steps below.
Grant Yourself the Key Vault Secrets Officer Role
The vault uses Azure RBAC, so access is granted through role assignments rather than access policies. Assign yourself the Key Vault Secrets Officer role at the vault scope. You need Owner or User Access Administrator on the vault (or its resource group) to assign roles.
In the Azure portal, open the vault and go to Access control (IAM) > Add > Add role assignment, choose Key Vault Secrets Officer, and assign it to your account. Or with PowerShell:
$me = (Get-AzADUser -SignedIn).Id
New-AzRoleAssignment -ObjectId $me -RoleDefinitionName 'Key Vault Secrets Officer' `
-Scope (Get-AzKeyVault -VaultName $kv).ResourceId
Key Vault Secrets Officer grants read and write on secret values. The runner Function Apps use the read-only Key Vault Secrets User role through their managed identities — leave that assignment in place.
Allow Your IP Address Through the Vault Firewall
Because the vault has no public access and your workstation is not on the runner virtual network, you cannot reach it to edit secrets until you open a path. The safe approach is to allow only your own public IP through the vault firewall while leaving the default action at Deny, so nothing else is exposed and the private endpoint is untouched. Two ways to do this:
- With the installer (recommended). Re-run the runner installer with -OpenKeyVaultToDeployer (and optionally -DeployerIpAddress <ipv4-or-cidr> to skip auto-detection). It enables public access, keeps the default action at Deny, and allow-lists only your IP. It prints the exact re-lock command when it finishes.
- In the portal. Open the vault, go to Networking > Firewalls and virtual networks, select the option to allow access from specific networks, add your client IP under Firewall, and save. Leave the default action at Deny.
Allow a minute for the firewall change to take effect before you try to read or write a secret.
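The same firewall change done from PowerShell, as an added example; this is not the installer's code and not from the original article. It assumes the Az.Accounts and Az.KeyVault modules are loaded, that $kv holds the vault name found earlier, and that api.ipify.org is an acceptable way to look up your public IPv4. The function names here are made up for the example, and the error-message patterns used to tell a firewall block from a missing role are assumptions about current Key Vault responses, which is why anything unrecognised is rethrown rather than guessed at. It also makes the Before You Start point concrete: the probe reports separately on the network path and on the role.

```powershell
# Added example, not the installer's code. Assumes Az.Accounts and Az.KeyVault are loaded
# and that $kv holds the runner vault name found earlier (crrun-<stamp>-kv).

function Get-MyPublicIPv4 {
    # Assumption: api.ipify.org returns the caller's public IPv4 as plain text.
    (Invoke-RestMethod -Uri 'https://api.ipify.org').Trim()
}

function Open-RunnerVaultToMe {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [string] $IpAddress = (Get-MyPublicIPv4)   # IPv4 or CIDR; auto-detected if omitted
    )
    # Key Vault firewall rules accept public IPv4 addresses or CIDR ranges only.
    if ($IpAddress -notmatch '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$') {
        throw "Not an IPv4 address or CIDR: $IpAddress"
    }
    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Vault '$VaultName' not found in the current subscription" }
    Write-Host "Before: PublicNetworkAccess=$($vault.PublicNetworkAccess) DefaultAction=$($vault.NetworkAcls.DefaultAction)"

    # 1. Public access on, default action kept at Deny: only explicit rules pass.
    Update-AzKeyVault -VaultName $VaultName -PublicNetworkAccess Enabled | Out-Null
    Update-AzKeyVaultNetworkRuleSet -VaultName $VaultName -DefaultAction Deny | Out-Null
    # 2. Allow-list only this address. The private endpoint is not touched by any of this.
    Add-AzKeyVaultNetworkRule -VaultName $VaultName -IpAddressRange $IpAddress

    # 3. Read the vault back and refuse to continue if it is more open than intended.
    $vault = Get-AzKeyVault -VaultName $VaultName
    if ($vault.NetworkAcls.DefaultAction -ne 'Deny') { throw 'Default action is not Deny; fix this before editing secrets' }
    $mine  = $IpAddress.Split('/')[0]
    $extra = @($vault.NetworkAcls.IpAddressRanges) | Where-Object { $_ -notlike "$mine*" }
    if ($extra) { Write-Warning "Other IP rules are also present on the vault: $($extra -join ', ')" }
    Write-Host "After: PublicNetworkAccess=$($vault.PublicNetworkAccess) allow-list=$(@($vault.NetworkAcls.IpAddressRanges) -join ', ')"
    Write-Host "Re-lock later with: Remove-AzKeyVaultNetworkRule -VaultName $VaultName -IpAddressRange $IpAddress; Update-AzKeyVault -VaultName $VaultName -PublicNetworkAccess Disabled"
}

function Test-RunnerVaultAccess {
    # Separates the two independent prerequisites: a network path and the Secrets Officer role.
    # Returns 'ok', 'firewall' or 'norole'. Assumption: the two phrases below are what Key Vault
    # returns for a firewall block and for a missing RBAC permission; anything else is rethrown.
    param([Parameter(Mandatory)] [string] $VaultName, [string] $ProbeSecret = 'ai-provider')
    try {
        $null = Get-AzKeyVaultSecret -VaultName $VaultName -Name $ProbeSecret -ErrorAction Stop
        return 'ok'   # a $null result only means the secret does not exist yet; the vault answered
    } catch {
        $m = $_.Exception.Message
        if ($m -match 'not authorized and caller is not a trusted service') { return 'firewall' }
        if ($m -match 'does not have secrets get permission')               { return 'norole' }
        throw
    }
}

function Wait-RunnerVaultAccess {
    # Firewall changes take up to a minute and role assignments can take longer; poll, do not guess.
    param([Parameter(Mandatory)] [string] $VaultName, [int] $TimeoutSeconds = 180)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $state = Test-RunnerVaultAccess -VaultName $VaultName
        if ($state -eq 'ok') { Write-Host 'Vault reachable and Secrets Officer role effective'; return $true }
        if ($state -eq 'norole') { Write-Warning 'Network path works; Secrets Officer role missing or not yet propagated' }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Still not usable after $TimeoutSeconds s (last state: $state); check the allow-listed IP and the role assignment"
    return $false
}

# Usage, after finding $kv as shown earlier:
# Open-RunnerVaultToMe -VaultName $kv
# Wait-RunnerVaultAccess -VaultName $kv
```

Run Open-RunnerVaultToMe once, then Wait-RunnerVaultAccess; a result of 'firewall' that never clears usually means the IP you allow-listed is not the one the vault sees (a corporate proxy or VPN egress, for instance), and a lingering 'norole' means the role assignment from the previous section has not propagated yet.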
Add or Change a Secret
With the role and a network path in place, add or update the secret using its exact name from the reference below. In the portal, open the vault and go to Objects > Secrets, then use Generate/Import for a new secret, or open an existing secret and create a new version. With PowerShell:
Set-AzKeyVaultSecret -VaultName $kv -Name 'openai-api-key' `
-SecretValue (Read-Host 'New value' -AsSecureString)
Key Vault keeps prior versions, so updating a secret creates a new current version without deleting the old one.
Apply the Change
The runner Function Apps read these secrets as Key Vault references at startup, so a new value is not picked up until they restart. Restart each runner Function App from its Overview > Restart action in the portal, or restart them all with PowerShell:
foreach ($a in Get-AzFunctionApp -ResourceGroupName $rg) {
Restart-AzFunctionApp -ResourceGroupName $rg -Name $a.Name -Force
}
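The secret update and restart from the two sections above, combined into one added example that is not from the original article. It assumes Az.KeyVault and Az.Functions are loaded and that $kv and $rg still hold the vault name and resource group from earlier; the function names are made up for the example, and the list of accepted secret names is taken from the Runner Secret Reference below on the assumption that it is complete. Beyond the page's own two commands it checks the name before writing, confirms that the version just written is the one the vault now serves, and waits for every runner app to report Running after the restart.

```powershell
# Added example, not from the original article. Assumes Az.KeyVault and Az.Functions are loaded,
# $kv is the runner vault name and $rg the runner resource group (crautomationai-rg).

# Names from the Runner Secret Reference. Anything else is rejected so a typo cannot silently
# create a secret the runner never reads. Key Vault names are case-insensitive; the table's
# spelling is used when writing so the vault shows the documented name.
$script:RunnerSecretNames = @(
    'ai-provider', 'openai-api-key', 'openai-model', 'openai-endpoint',
    'M365-ClientID', 'M365-TenantID', 'M365-ClientSecret'
)

function Set-RunnerSecret {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [securestring] $Value,
        [switch] $DisablePrevious   # keep the old version for rollback but stop it being readable
    )
    if ($Name -like 'RUNNER-SECRET-*') { throw "$Name is managed by the platform; do not edit it by hand" }
    $canonical = $script:RunnerSecretNames | Where-Object { $_ -eq $Name }   # -eq is case-insensitive
    if (-not $canonical) { throw "Unknown runner secret '$Name'; use a name from the reference table" }
    if ($canonical -eq 'ai-provider') {
        $plain = [System.Net.NetworkCredential]::new('', $Value).Password
        if ($plain -notin @('foundry', 'openai')) { throw "ai-provider must be 'foundry' or 'openai'" }
    }
    $previous = Get-AzKeyVaultSecret -VaultName $VaultName -Name $canonical   # $null for a new secret
    $new = Set-AzKeyVaultSecret -VaultName $VaultName -Name $canonical -SecretValue $Value
    # Confirm the version just written is what the vault now serves as current.
    $current = Get-AzKeyVaultSecret -VaultName $VaultName -Name $canonical
    if ($current.Version -ne $new.Version) {
        throw "Write succeeded but current version is $($current.Version), expected $($new.Version)"
    }
    if ($DisablePrevious -and $previous) {
        # Prior versions are kept by Key Vault; disabling one stops reads without deleting it.
        Update-AzKeyVaultSecret -VaultName $VaultName -Name $canonical -Version $previous.Version -Enable $false | Out-Null
    }
    [pscustomobject]@{
        Name            = $canonical
        NewVersion      = $new.Version
        PreviousVersion = $previous.Version
        VersionCount    = @(Get-AzKeyVaultSecret -VaultName $VaultName -Name $canonical -IncludeVersions).Count
    }
}

function Restart-RunnerFunctionApps {
    # Key Vault references are read at startup, so every runner app must restart to see the new version.
    param([Parameter(Mandatory)] [string] $ResourceGroupName, [int] $TimeoutSeconds = 180)
    $apps = @(Get-AzFunctionApp -ResourceGroupName $ResourceGroupName)
    if (-not $apps) { throw "No Function Apps found in $ResourceGroupName" }
    foreach ($a in $apps) { Restart-AzFunctionApp -ResourceGroupName $ResourceGroupName -Name $a.Name -Force }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $notRunning = @(Get-AzFunctionApp -ResourceGroupName $ResourceGroupName | Where-Object Status -ne 'Running')
    } while ($notRunning -and (Get-Date) -lt $deadline)
    if ($notRunning) { throw "Apps not Running after restart: $($notRunning.Name -join ', ')" }
    $apps.Name
}

# Usage:
# Set-RunnerSecret -VaultName $kv -Name 'openai-api-key' -Value (Read-Host 'New value' -AsSecureString)
# Restart-RunnerFunctionApps -ResourceGroupName $rg
```

The value is read as a SecureString and never written to the console or history; the only place it is decoded is the ai-provider sanity check. Use -DisablePrevious when the old value is known to be compromised, since an enabled prior version stays readable by anyone holding the Secrets Officer or Secrets User role.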
Re-Lock the Vault
If you opened the firewall, close it as soon as you are done so the vault returns to private-only. Set public network access back to Disabled (in the portal, the vault's Networking page). If you added an IP rule, remove it too: disabling public access makes the rule inert but does not delete it, and there is no reason to leave a standing allow-list on the vault. The private endpoint and the runner Function Apps keep working because they reach the vault over the virtual network, not the public path. If you used the installer to open the firewall, run the re-lock command it printed. Either way, confirm from your workstation that a secret read now fails; that is the proof the vault is private again.
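A re-lock done from PowerShell with a verification pass, as an added example that is not the installer's re-lock command and not from the original article. It assumes Az.Accounts and Az.KeyVault are loaded and that $kv holds the vault name; the function names are made up for the example, and the firewall error phrase used in the verification is an assumption about current Key Vault responses. The last function is optional and goes one step beyond the page: it removes the Secrets Officer assignment you granted yourself, which is the least-privilege end state if the role was only needed for this change.

```powershell
# Added example, not the installer's re-lock command. Assumes Az.Accounts and Az.KeyVault are
# loaded and that $kv holds the runner vault name.

function Lock-RunnerVault {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [string[]] $IpAddress = @()   # the rule(s) you added; omit to remove every IP rule
    )
    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Vault '$VaultName' not found in the current subscription" }
    $rules = @($vault.NetworkAcls.IpAddressRanges)

    # Disabling public access makes IP rules inert but does not delete them; remove them so no
    # standing allow-list is left behind. VNet rules and the private endpoint are left alone.
    $toRemove = if ($IpAddress.Count) {
        $prefixes = $IpAddress | ForEach-Object { $_.Split('/')[0] }
        $rules | Where-Object { $prefixes -contains $_.Split('/')[0] }
    } else { $rules }
    foreach ($r in $toRemove) { Remove-AzKeyVaultNetworkRule -VaultName $VaultName -IpAddressRange $r }

    Update-AzKeyVaultNetworkRuleSet -VaultName $VaultName -DefaultAction Deny | Out-Null
    Update-AzKeyVault -VaultName $VaultName -PublicNetworkAccess Disabled | Out-Null

    # Control-plane check: the vault's own configuration must now say private-only.
    $vault = Get-AzKeyVault -VaultName $VaultName
    $left  = @($vault.NetworkAcls.IpAddressRanges)
    if ($vault.PublicNetworkAccess -ne 'Disabled') { throw 'PublicNetworkAccess is still Enabled' }
    if ($vault.NetworkAcls.DefaultAction -ne 'Deny') { throw 'Default action is not Deny' }
    if ($left) { Write-Warning "IP rules still on the vault (inert while public access is Disabled): $($left -join ', ')" }
    [pscustomobject]@{
        Vault               = $VaultName
        PublicNetworkAccess = $vault.PublicNetworkAccess
        DefaultAction       = $vault.NetworkAcls.DefaultAction
        RemainingIpRules    = $left
    }
}

function Test-RunnerVaultLocked {
    # Data-plane check: from this workstation a secret read must now fail at the firewall.
    # Returns $true only when Key Vault itself reports the caller as blocked.
    param([Parameter(Mandatory)] [string] $VaultName)
    try {
        $null = Get-AzKeyVaultSecret -VaultName $VaultName -Name 'ai-provider' -ErrorAction Stop
        Write-Warning 'Vault still answered from this workstation: are you on the runner VNet, or has the change not applied yet?'
        return $false
    } catch {
        # Assumption: this phrase is what Key Vault returns when the firewall blocks the caller.
        if ($_.Exception.Message -match 'not authorized and caller is not a trusted service') { return $true }
        throw
    }
}

function Remove-MySecretsOfficerRole {
    # Optional: drop the role you assigned yourself earlier if it was only for this change.
    param([Parameter(Mandatory)] [string] $VaultName)
    $me    = (Get-AzADUser -SignedIn).Id
    $scope = (Get-AzKeyVault -VaultName $VaultName).ResourceId
    Remove-AzRoleAssignment -ObjectId $me -RoleDefinitionName 'Key Vault Secrets Officer' -Scope $scope
}

# Usage (203.0.113.10 is a placeholder for the address you allow-listed):
# Lock-RunnerVault -VaultName $kv -IpAddress '203.0.113.10'
# Start-Sleep -Seconds 60; Test-RunnerVaultLocked -VaultName $kv
# Remove-MySecretsOfficerRole -VaultName $kv
```

Get-AzKeyVault keeps working after the lock because it talks to Azure Resource Manager, not to the vault's data plane; only the secret read in Test-RunnerVaultLocked exercises the path you actually closed, so do not skip it.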
Runner Secret Reference
These are the secrets you may need to add or change. Use the names exactly as shown.
| Secret | Purpose |
|---|---|
| ai-provider | The runtime AI-provider switch: foundry (default) or openai |
| openai-api-key | OpenAI API key; used only when ai-provider is openai |
| openai-model | OpenAI model id; used only when ai-provider is openai |
| openai-endpoint | Optional OpenAI base-URL override; leave empty to use the default endpoint |
| M365-ClientID | The Microsoft 365 app registration Application (client) ID |
| M365-TenantID | The Microsoft 365 directory (tenant) ID |
| M365-ClientSecret | The Microsoft 365 app registration client secret |
| RUNNER-SECRET-<stamp> | The runner's check-in secret, set during registration and managed by the platform; do not edit this by hand |
For switching the AI provider, see the article on choosing the runner AI provider. For the Microsoft 365 credentials, see the article on creating a Microsoft 365 app registration.