A MuleSoft application demonstrating secure integration with Azure Key Vault using OAuth 2.0 client credentials flow for retrieving secrets.
This project showcases how to securely connect to Azure Key Vault from MuleSoft applications to retrieve secrets and sensitive configuration data. It implements industry best practices for authentication, error handling, and secure credential management.
```
┌─────────────────┐      OAuth 2.0       ┌─────────────────┐
│  MuleSoft App   │ ───────────────────> │    Azure AD     │
│                 │ <─────────────────── │                 │
└─────────────────┘     Access Token     └─────────────────┘
         │
         │ REST API Call
         │ (Bearer Token)
         ▼
┌─────────────────┐
│ Azure Key Vault │
│                 │
└─────────────────┘
```
- Secure Authentication: OAuth 2.0 client credentials flow
- Multiple Operations: List all secrets or retrieve specific secrets
- Environment Configuration: Externalized configuration for different environments
- Error Handling: Comprehensive error handling patterns
- REST API Endpoints: Clean HTTP endpoints for integration
```
azure-keyvault/
├── src/main/
│   ├── mule/
│   │   └── azure-keyvault-example.xml   # Main flow definitions
│   └── resources/
│       ├── config.yaml                  # Configuration properties
│       └── log4j2.xml                   # Logging configuration
├── src/test/
│   ├── munit/                           # MUnit test files
│   └── resources/
├── exchange-docs/                       # API documentation
├── pom.xml                              # Maven configuration
└── mule-artifact.json                   # Mule artifact descriptor
```
- MuleSoft Anypoint Studio 7.x or later
- Mule Runtime 4.9.5+
- Java 17
- Azure subscription with Key Vault access
- Azure AD application registration
```bash
# Create resource group
az group create --name mulesoft-rg --location eastus

# Create Key Vault
# Newer Azure CLI releases create vaults with the RBAC permission model by default.
# The `az keyvault set-policy` step below is only honoured by vaults that use access
# policies, so either keep that model explicitly (as here) or grant a Key Vault role instead.
az keyvault create --name mulesoftkeys --resource-group mulesoft-rg --location eastus \
  --enable-rbac-authorization false

# Add a sample secret
# A literal value on the command line is recorded in shell history; for anything other
# than a throwaway demo value, pass --file instead of --value.
az keyvault secret set --vault-name mulesoftkeys --name ExamplePassword --value "MySecretValue"
```

Register an Azure AD application for the Mule app:

- Go to Azure Portal → Azure Active Directory → App registrations
- Click "New registration"
- Name: `MuleSoft-KeyVault-App`
- Account types: "Accounts in this organizational directory only"
- Register the application
- Note the Application (client) ID and Directory (tenant) ID
- Go to "Certificates & secrets" → Generate new client secret
- Copy the secret value immediately (it won't be shown again)
```bash
# Grant Key Vault access to your application (vaults using access policies)
az keyvault set-policy --name mulesoftkeys \
  --spn <your-client-id> \
  --secret-permissions get list
```

`list` is only needed by the `/KeyVault_getSecrets` endpoint; if you do not expose it, grant `get` alone. For a vault that uses the RBAC permission model, access policies are ignored; assign the built-in Key Vault Secrets User role to the application's service principal at the vault scope instead.

Set these environment variables before running the application:

```bash
export YOURCLIENTSECRET="your-azure-ad-client-secret"
export YOUR_AZURE_SUBSCRIPTION_ID="your-azure-tenant-id"
```

Despite its name, `YOUR_AZURE_SUBSCRIPTION_ID` holds the Directory (tenant) ID noted during app registration, which is substituted into `token_url`; it is not the subscription ID.

| Parameter | Description | Example |
|---|---|---|
| `client_id` | Azure AD Application (client) ID | `0bc6c55f-57e9-4554-8c64-b8f24db92742` |
| `YourClient_Secret` | Reference to client secret | `${YOURCLIENTSECRET}` |
| `token_url` | Azure AD OAuth token endpoint | `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token` |
| `scope` | Key Vault access scope | `https://vault.azure.net/.default` |
GET /KeyVault_getSecrets

Lists all secrets available in the Azure Key Vault. The list call returns secret identifiers and attributes only; values are not included.

Response Example:

```json
{
  "value": [
    {
      "id": "https://mulesoftkeys.vault.azure.net/secrets/ExamplePassword",
      "attributes": {
        "enabled": true,
        "created": 1640995200,
        "updated": 1640995200
      }
    }
  ]
}
```

GET /KeyVault_getSecret

Retrieves the ExamplePassword secret from Azure Key Vault. The response carries the secret value in plaintext, so this endpoint must itself be authenticated and served over TLS before it is reachable by anything other than local tests; the sample listener on localhost is for development only.

Response Example:

```json
{
  "value": "MySecretValue",
  "id": "https://mulesoftkeys.vault.azure.net/secrets/ExamplePassword/version",
  "attributes": {
    "enabled": true,
    "created": 1640995200,
    "updated": 1640995200
  }
}
```
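As an added example (not code from this project, whose flows are Mule XML), the following Python reproduces the two legs shown in the architecture diagram so the exchange can be read and unit-tested offline: the client credentials POST to `token_url` with the `scope` from the configuration table, then the GET against the vault's data plane with the resulting bearer token, returning the same shape as the `/KeyVault_getSecret` response above. The names `get_secret`, `TokenCache`, `safe_error`, the `AZURE_CLIENT_ID` variable and the choice of `api-version=7.4` are this example's own; the Key Vault REST API does require an explicit `api-version` query parameter, which the Mule HTTP request must carry as well. The transport is injectable so the whole flow can be driven against a fake server.

```python
"""Added example: the two-leg Key Vault exchange in plain Python (not the project's Mule flows)."""
import json
import os
import time
import urllib.parse
import urllib.request
from urllib.error import HTTPError

API_VERSION = "7.4"          # Key Vault's data plane rejects requests without an explicit api-version
TOKEN_REFRESH_MARGIN = 300   # seconds before expiry at which a cached token is no longer reused


def build_token_request(tenant_id, client_id, client_secret,
                        scope="https://vault.azure.net/.default"):
    """Leg 1: client credentials grant against the v2.0 token endpoint (token_url in the table).
    The secret goes in the form body, never in the URL, because URLs end up in proxy logs."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}


def build_secret_request(vault_name, secret_name, access_token, version=""):
    """Leg 2: GET /secrets/{name}[/{version}] on the vault, token presented as a Bearer credential."""
    path = "/secrets/" + urllib.parse.quote(secret_name, safe="")
    if version:
        path += "/" + urllib.parse.quote(version, safe="")
    url = f"https://{vault_name}.vault.azure.net{path}?api-version={API_VERSION}"
    return url, {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


class TokenCache:
    """Reuse one access token across calls instead of hitting the token endpoint per request."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry behaviour is testable
        self._token = None
        self._expires_at = 0.0

    def get(self):
        if self._token and self._now() < self._expires_at - TOKEN_REFRESH_MARGIN:
            return self._token
        return None

    def store(self, token_response):
        self._token = token_response["access_token"]
        self._expires_at = self._now() + float(token_response["expires_in"])
        return self._token


def safe_error(status, body):
    """Reduce an upstream failure to what a caller may see: the HTTP status and Key Vault's
    error code. The raw body (which can echo request details) and the token are never returned."""
    code = "unknown"
    try:
        code = json.loads(body).get("error", {}).get("code", code)
    except (ValueError, AttributeError):
        pass
    return {"status": status, "error": code}


def urllib_send(url, headers, body=None):
    """Default transport: returns (status, body bytes); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST" if body else "GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def get_secret(tenant_id, client_id, client_secret, vault_name, secret_name,
               cache, send=urllib_send):
    """Whole flow behind GET /KeyVault_getSecret: cached token -> secret, or a safe error dict."""
    token = cache.get()
    if token is None:
        url, body, headers = build_token_request(tenant_id, client_id, client_secret)
        status, raw = send(url, headers, body)
        if status != 200:
            return safe_error(status, raw)
        token = cache.store(json.loads(raw))
    url, headers = build_secret_request(vault_name, secret_name, token)
    status, raw = send(url, headers)
    if status != 200:
        return safe_error(status, raw)
    payload = json.loads(raw)
    return {"value": payload["value"], "id": payload["id"], "attributes": payload.get("attributes", {})}


if __name__ == "__main__":
    result = get_secret(
        tenant_id=os.environ["YOUR_AZURE_SUBSCRIPTION_ID"],   # the project's name for the tenant ID
        client_id=os.environ["AZURE_CLIENT_ID"],              # assumed name; the project reads client_id from config.yaml
        client_secret=os.environ["YOURCLIENTSECRET"],
        vault_name="mulesoftkeys", secret_name="ExamplePassword", cache=TokenCache())
    # Print everything except the value itself; stdout is routinely captured into logs.
    print(json.dumps({k: ("<redacted>" if k == "value" else v) for k, v in result.items()}))
```

The cache matters in production: without it every request to the Mule endpoint costs a round trip to the token endpoint, and a burst of traffic turns into a burst of credential presentations. `safe_error` is the shape the page's "avoid information leakage" bullet asks for: callers learn that the vault said 403 Forbidden, not what the upstream body contained.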
- Configure Environment Variables:

  ```bash
  export YOURCLIENTSECRET="your-secret-here"
  export YOUR_AZURE_SUBSCRIPTION_ID="your-tenant-id"
  ```

- Run in Anypoint Studio:
  - Import project into Anypoint Studio
  - Right-click project → Run As → Mule Application

- Test the Endpoints:

  ```bash
  # List all secrets
  curl http://localhost:8081/KeyVault_getSecrets

  # Get specific secret
  curl http://localhost:8081/KeyVault_getSecret
  ```
```bash
# Clean and package
mvn clean package

# Run with Maven
mvn mule:run
```

```bash
# Deploy to CloudHub
mvn clean package mule:deploy -Dmule.artifact=target/azure-keyvault-1.0.0-SNAPSHOT-mule-application.jar
```

To deploy to Runtime Fabric:

- Build the application JAR
- Upload to Runtime Fabric
- Configure environment variables in deployment settings
- ✅ Never commit secrets to version control (`config.yaml` references `${YOURCLIENTSECRET}` rather than holding the value)
- ✅ Use environment variables for sensitive data
- ✅ Implement proper error handling to avoid information leakage (return the status and an error code to callers, never the upstream response body or the bearer token)
- ✅ Use HTTPS for all external communications (the token endpoint and `*.vault.azure.net` are TLS-only; the sample's own listener on `localhost:8081` is plain HTTP and must sit behind TLS and authentication before it serves secret values to anything but local tests)
- ✅ Rotate client secrets regularly (a secret that has lapsed is rejected by the token endpoint with a 401 before Key Vault is ever contacted)
- ✅ Monitor access logs for suspicious activity
- ✅ Apply principle of least privilege for Key Vault permissions (`get` alone suffices if the list endpoint is not exposed)
Authentication Failed (401)

- Verify client ID and secret are correct
- Check if client secret has expired (an expired secret fails at the token endpoint, before Key Vault is contacted)
- Check that `scope` is `https://vault.azure.net/.default`; a token issued for another audience is rejected by Key Vault with 401 even though the token request itself succeeded
- Ensure proper Key Vault permissions

Key Vault Access Denied (403)

- Verify the application has `get` and `list` permissions
- Check if Key Vault access policies are configured correctly
- If the vault uses the RBAC permission model, access policies are ignored; assign a Key Vault role (for example Key Vault Secrets User) to the application's service principal at the vault scope instead

Network Connectivity Issues

- Verify firewall rules allow HTTPS traffic to `login.microsoftonline.com` and `<vault>.vault.azure.net`
- Check DNS resolution for Azure endpoints
- If the vault has its own firewall or a private endpoint enabled, confirm the Mule runtime's egress address is allowed

Logging and Monitoring

- Enable logging in `log4j2.xml` for debugging (keep access tokens and secret values out of log statements)
- Use Anypoint Monitoring for production deployments
- Set up alerts for authentication failures
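To tell whether a 401 is the token's fault or the vault's, inspect the token before retrying. The following is an added example, not part of the project: it base64url-decodes the JWT payload (without verifying the signature, so it is for diagnosis only and must never be used to trust a token) and reports why Key Vault would reject it. `check_token_for_keyvault` and `make_unsigned_test_token` are illustrative names; the `aud` value `https://vault.azure.net` is what Key Vault expects for tokens requested with the scope in the configuration table.

```python
"""Added example (not the project's code): offline inspection of an Azure AD access token."""
import base64
import json
import time

# Audience Key Vault expects in the token's "aud" claim (scope https://vault.azure.net/.default)
KEYVAULT_AUDIENCE = "https://vault.azure.net"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check: this is inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_keyvault(token: str, now=None) -> list:
    """List the reasons Key Vault would answer 401 for this token. An empty list means the
    token itself looks usable, so the problem is more likely permissions (403) or network."""
    now = time.time() if now is None else now
    claims = decode_jwt_payload(token)
    findings = []
    aud = claims.get("aud")
    if aud != KEYVAULT_AUDIENCE:
        findings.append(f"aud is {aud!r}, Key Vault requires {KEYVAULT_AUDIENCE!r}: check the scope parameter")
    if float(claims.get("exp", 0)) <= now:
        findings.append("token is expired: request a fresh one before retrying")
    if float(claims.get("nbf", 0)) > now:
        findings.append("token is not yet valid (nbf in the future): check clock skew")
    return findings


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed, unsigned token for offline tests only (alg none, empty signature)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    import sys
    # Usage: pipe the access_token field of a token response in on stdin.
    for line in check_token_for_keyvault(sys.stdin.read().strip()) or ["token looks valid for Key Vault"]:
        print(line)
```

Run it with the token copied out of a failing flow's debug log (and delete that log line afterwards). A wrong `aud` almost always means the `scope` property was set to another resource; an `exp` in the past with a cache in front of the token call means the cache's refresh margin is too small.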
- Follow MuleSoft naming conventions
- Use descriptive names for flows and variables
- Implement comprehensive error handling
- Add meaningful log messages for troubleshooting
- Create MUnit tests for each flow
- Test with valid and invalid credentials
- Verify error handling scenarios
- Test network failure scenarios
- Fork the repository
- Create a feature branch (`git checkout -b feature/new-feature`)
- Follow MuleSoft coding standards
- Add appropriate tests
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
For issues and questions:
- Check the troubleshooting section
- Review Azure Key Vault documentation
- Contact the development team