Ensure key vault secrets have content_type set

Error: Key vault secrets do not have content_type set

Bridgecrew Policy ID: BC_AZR_GENERAL_42
Checkov Check ID: CKV_AZURE_114
Severity: LOW

Key vault secrets do not have content_type set


Azure Key Vault is a service for Secrets management to securely store and control access to tokens, passwords, certificates, API keys, and other secrets.
A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets.

Fix - Buildtime


  • Resource: azurerm_key_vault
  • Argument: content_type - (Optional) Specifies the content type for the Key Vault Secret.
resource "azurerm_key_vault" "example" {
  name                       = "examplekeyvault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 7
  + content_type = "text/plain"