Hi , I have Azure Key Vault integrated with Orchestrator, and was hoping to link it with Get Credential activity to read the client secret directly from the key vault. However, I am facing some challenges.
The behavior is different between environments:
Dev: Key Vault credential shows Username and Password
Prod: It shows only External Name
Please refer to the attached screenshot.
Since Studio is connected only to Dev, we can reference only the Dev asset, and this difference makes it hard to implement the activity across the environments.
Has anyone encountered a similar situation, and how would you recommend we proceed from here?
This behavior is expected when using Azure Key Vault with UiPath Orchestrator.Studio cannot read secrets at design time; only Orchestrator resolves them at runtime.
The correct approach is to use a Credential asset backed by Azure Key Vault with the same asset name across all environments and retrieve it using Get Credential.Even though Prod shows only the External Name, the credential will be correctly resolved during execution.
This is normal when Key Vault is linked. Prod only shows External Name because the secret stays in Key Vault, while Dev asset was created as a standard credential.
Also, Get Credential can’t read Key Vault directly from Studio it only reads Orchestrator assets.
So just reference the asset using External Name in both environments, and it will work at runtime.
Use the same External Name asset reference in both environments
In your workflow, point Get Credential → Asset Name = the Key Vault linked asset (External Name)
Keep the secret value stored only in Key Vault, and let Orchestrator fetch it at runtime
This way the workflow stays the same for Dev & Prod, and you won’t depend on the Dev credential format from Studio.
Prod uses Azure Key Vault read-only credential store (External Name only, mapping to vault secret name), while Dev uses read-write (shows Username/Password).
Fix: In Prod Orchestrator > Credential Stores, recreate as “Azure Key Vault (read-only)” matching Dev config (Vault URI, Directory ID, Client ID, prefix like /data/vault/<Safe> ). Provision secrets in vault with External Name as secret name (username/password).
Studio references Dev asset by name.. Get Credential resolves vault secrets at runtime in both envs. Test Prod deployment to confirm.
Thanks all for the replies. I’ve tried it with the steps mentioned above, but it didn’t work in Prod. It says it fail to read the external name.
I have also checked the external name is the same as client secret name we configured on Azure, not sure what’s the issue and how to fix it. Anyone has any insights ?
Your Prod environment asset is correctly configured as a “read-only” Key Vault credential store asset. It only shows “External Name” because the actual secret value resides securely in Azure Key Vault and is never exposed in the Orchestrator UI or Studio. The “External Name” is used to map the asset to the corresponding secret name in the Key Vault.
The difference happens because in Dev the Key Vault asset is mapped as a Credential (showing username and password), while in Prod it’s mapped as a Secret (showing only External Name).
To handle this consistently, use the Key Vault activities Get Secret to read the secret directly, or align the asset types across environments. This avoids relying on Get Credential.
