Learn the recommended naming convention for Azure Key Vaults: abbreviation, length limits, allowed characters, global uniqueness constraints, and real-world examples.
Check out our full Azure resource names reference for abbreviations and naming rules for all Azure resource types and regions.
Azure Key Vault is a cloud service for securely storing and accessing secrets, encryption keys, and certificates. It provides centralised secret management with fine-grained access control and full audit logging.
Key Vault is an essential security building block in Azure. Whether you're storing database connection strings, API keys, TLS certificates, or cryptographic keys used for data encryption, Key Vault removes secrets from application code and config files and gives you a single, auditable place to manage them across environments.
The Microsoft Cloud Adoption Framework recommends a consistent naming pattern across all resource types. The standard structure is:
<resource-type>-<workload>-<environment>-<region>-<instance>
The recommended abbreviation for an Azure Key Vault resource type is:
kv
Every Azure resource type has its own naming rules. Getting these rules wrong causes deployment failures, CI/CD pipeline breaks, and Azure Policy violations. The following rules apply to Azure Key Vault names.
The minimum and maximum length of the key vault name.
3 - 24
Key Vault names may only contain alphanumeric characters and hyphens. The name must start with a letter and end with a letter or digit.
a-z, A-Z, 0-9, -
Scope determines where a name must be unique. The scope of a key vault is:
Global
The name must be globally unique across all Azure customers and subscriptions, because key vault names form part of the public DNS endpoint (e.g. mykeyvault.vault.azure.net).
The examples below follow a <resource-type>-<workload>-<environment>-<region>-<instance> pattern, aligned with Microsoft CAF guidance.
kv-api-prod-we-001: Production API secrets vault in West Europe
kv-shared-dev-eus-001: Development shared secrets vault in East US
kv-tls-stg-ne-002: Staging TLS certificate vault in North Europe
kv-disk-prod-wus: Production disk encryption vault in West US
Manually checking this reference before every key vault deployment is error-prone and slow. A better approach is to automate name generation and validation so that compliant names are produced by default and violations are caught before they reach your pipelines.
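A small pre-deployment check for the rules listed above, written as an added example (it is not code from this page or from Clovernance). The function names are hypothetical, and the consecutive-hyphen check is an assumption taken from Microsoft's published naming rules rather than from this page.

```python
import re

# Rules stated on this page: 3-24 characters, alphanumerics and hyphens only,
# starts with a letter, ends with a letter or digit.
MIN_LEN, MAX_LEN = 3, 24
ALLOWED = re.compile(r"[A-Za-z0-9-]+")


def validate_key_vault_name(name):
    """Return a list of rule violations; an empty list means the name passes."""
    problems = []
    if not MIN_LEN <= len(name) <= MAX_LEN:
        problems.append(f"length {len(name)} is outside {MIN_LEN}-{MAX_LEN}")
    if not ALLOWED.fullmatch(name):
        problems.append("contains characters other than a-z, A-Z, 0-9 and '-'")
    if not re.match(r"[A-Za-z]", name):
        problems.append("must start with a letter")
    if not re.search(r"[A-Za-z0-9]\Z", name):
        problems.append("must end with a letter or digit")
    # Not listed on this page: Microsoft's naming rules for Key Vault also
    # disallow consecutive hyphens, so the check is included as an assumption.
    if "--" in name:
        problems.append("contains consecutive hyphens")
    return problems


def build_key_vault_name(workload, environment, region, instance=None):
    """Assemble kv-<workload>-<environment>-<region>[-<instance>] and validate it."""
    parts = ["kv", workload, environment, region]
    if instance is not None:
        parts.append(f"{instance:03d}")  # zero-padded, as in kv-api-prod-we-001
    # The name becomes a DNS label, and DNS is case-insensitive, so normalise
    # to lowercase to avoid names that differ only by case.
    name = "-".join(parts).lower()
    problems = validate_key_vault_name(name)
    if problems:
        raise ValueError(f"{name!r}: " + "; ".join(problems))
    return name


if __name__ == "__main__":
    # Constructed sample inputs; the first two are example names from this page.
    for candidate in ["kv-api-prod-we-001", "kv-disk-prod-wus", "kv_api-prod",
                      "kv-payments-production-westeurope-001", "kv-api-"]:
        print(candidate, "->", validate_key_vault_name(candidate) or "ok")
```

Passing these checks only shows the name is well-formed. Global uniqueness can only be confirmed against Azure at deployment time.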
Clovernance applies all of these rules automatically. Configure your naming convention once, share it across your organization, and generate validated, CAF-compliant names for any resource type in seconds.
Stop cross-referencing naming rules manually. Let Clovernance handle it.