Feature description
Native support for SRE Agent to read secrets and certificates from Key Vaults with the firewall enabled (public network access restricted to selected networks, or private endpoint only).
Currently listed under Known limitations — and notably, it's the only row in that table without a documented control plane alternative.
Use case
Firewall-enabled Key Vault is a baseline security control in most enterprise Azure environments — it's commonly required by internal security policy and compliance frameworks. Without data plane access, SRE Agent can neither read secrets (for instance a Key Vault secret used for GitHub authentication) nor help investigate a meaningful class of incidents.
Examples of such investigations:
- Expired or soon-to-expire certificates
- Rotated or revoked secrets causing downstream auth failures
- Key Vault access policy / RBAC misconfigurations
- Apps failing to start due to missing or unreadable secrets
These are exactly the kinds of incidents where SRE Agent would add the most value, but today the agent is blind to them when the standard enterprise hardening is applied.
Current workaround
None that scales (other than making the Key Vault publicly accessible).
Proposed approach
A few directions, in rough order of preference:
- Native private endpoint support for Key Vault data plane from the agent's managed infrastructure.
- Expanded control plane fallback — even without data plane access, exposing more via ARM (e.g. certificate expiry, secret metadata, recent access policy changes via Activity Logs) would close a large part of the gap and would make the "—" in the limitations table go away.
Even a rough roadmap signal on which of these is in scope would help us plan around the limitation.