Integrate Azure Key Vault with Service Connector

Note

When you use Service Connector to connect your Key Vault or manage Key Vault connections, Service Connector uses your token to perform the corresponding operations.

This page shows supported authentication methods and clients, and shows sample code you can use to connect Azure Key Vault to other cloud services using Service Connector. You might still be able to connect to Azure Key Vault in other programming languages without using Service Connector. This page also shows default environment variable names and values (or Spring Boot configuration) you get when you create the service connection.

Supported compute services

Service Connector can be used to connect the following compute services to Azure Key Vault:

• Azure App Service
• Azure Functions
• Azure Container Apps
• Azure Spring Apps

Supported authentication types and client types

The table below shows which combinations of client types and authentication methods are supported for connecting your compute service to Azure Key Vault using Service Connector. A “Yes” indicates that the combination is supported, while a “No” indicates that it is not supported.

Client type	System-assigned managed identity	User-assigned managed identity	Secret / connection string	Service principal
.NET	Yes	Yes	No	Yes
Java	Yes	Yes	No	Yes
Java - Spring Boot	Yes	Yes	No	Yes
Node.js	Yes	Yes	No	Yes
Python	Yes	Yes	No	Yes
None	Yes	Yes	No	Yes

This table indicates that all combinations of client types and authentication methods in the table are supported, except for the Secret / connection string method, which is not supported for any of the client types. All client types can use any of the other authentication methods to connect to Azure Key Vault using Service Connector.

Default environment variable names or application properties and sample code

Use the connection details below to connect compute services to Azure Key Vault. For each example below, replace the placeholder texts <vault-name>, <client-ID>, <client-secret>, and <tenant-id> with your Key Vault name, client-ID, client secret and tenant ID. For more information about naming conventions, check the Service Connector internals article.

System-assigned managed identity

SpringBoot client type

Default environment variable name	Description	Example value
azure.keyvault.uri	Your Key Vault endpoint URL	"https://<vault-name>.vault.azure.net/"
azure.keyvault.scope	Your Azure RBAC scope	https://management.azure.com/.default
spring.cloud.azure.keyvault.secret.credential.managed-identity-enabled	Whether to enable managed identity for Spring Cloud Azure version 4.0 and above	true
spring.cloud.azure.keyvault.secret.endpoint	Your Key Vault endpoint URL for Spring Cloud Azure version 4.0 and above	"https://<vault-name>.vault.azure.net/"

Other client types

Default environment variable name	Description	Example value
AZURE_KEYVAULT_SCOPE	Your Azure RBAC scope	https://management.azure.com/.default
AZURE_KEYVAULT_RESOURCEENDPOINT	Your Key Vault endpoint	https://<vault-name>.vault.azure.net/

Sample code

Refer to the steps and code below to connect to Azure Key Vault using a system-assigned managed identity.

.NET

1. Install dependencies.

   dotnet add package Azure.Identity
   dotnet add package Azure.Security.KeyVault.Secrets
   

2. Authenticate using Azure.Identity and get the Azure Key Vault endpoint from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.

   using Azure.Identity;
   using Azure.Security.KeyVault.Secrets;
   using Azure.Core;
   
   // Uncomment the following lines according to the authentication type.
   // system-assigned managed identity
   // var credential = new DefaultAzureCredential();
   
   // user-assigned managed identity
   // var credential = new DefaultAzureCredential(
   //     new DefaultAzureCredentialOptions
   //     {
   //         ManagedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_CLIENTID");
   //     });
   
   // service principal 
   // var tenantId = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_TENANTID");
   // var clientId = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_CLIENTID");
   // var clientSecret = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_CLIENTSECRET");
   // var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
   
   string endpoint = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_RESOURCEENDPOINT");
   SecretClientOptions options = new SecretClientOptions()
   {
       Retry =
       {
           Delay= TimeSpan.FromSeconds(2),
           MaxDelay = TimeSpan.FromSeconds(16),
           MaxRetries = 5,
           Mode = RetryMode.Exponential
        }
   };
   var client = new SecretClient(new Uri(endpoint), credential, options);
   
   KeyVaultSecret secret = client.GetSecret("<mySecret>");
   

Java

1. Add the following dependencies in your pom.xml file:

   <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-security-keyvault-keys</artifactId>
   </dependency>
   <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-identity</artifactId>
       <version>1.1.5</version>
   </dependency>
   

2. Authenticate using azure-identity and get the Azure Key Vault endpoint from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.

   // Uncomment the following lines according to the authentication type.
   // for system-managed identity
   // DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
   
   // for user-assigned managed identity
   // DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
   //     .managedIdentityClientId(System.getenv("AZURE_KEYVAULT_CLIENTID"))
   //     .build();
   
   // for service principal
   // ClientSecretCredential credential = new ClientSecretCredentialBuilder()
   //   .clientId(System.getenv("AZURE_KEYVAULT_CLIENTID"))
   //   .clientSecret(System.getenv("AZURE_KEYVAULT_CLIENTSECRET"))
   //   .tenantId(System.getenv("AZURE_KEYVAULT_TENANTID"))
   //   .build();
   
   String url = System.getenv("AZURE_KEYVAULT_RESOURCEENDPOINT");
   KeyClient keyClient = new KeyClientBuilder()
       .vaultUrl(url)
       .credential(credential)
       .buildClient();
   

SpringBoot

Refer to Tutorial: Connect Azure Spring Apps to Key Vault using managed identities to set up your Spring application. Two sets of configuration properties are added to Spring Apps by Service Connector, according to Spring Cloud Azure version below 4.0 and above 4.0. For more information, check Migration Guide for 4.0

Python

1. Install dependencies.

   pip install azure-keyvault-keys azure-identity
   

2. Authenticate using azure-identity and get the Azure Key Vault endpoint from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.

   import os
   from azure.identity import ManagedIdentityCredential, ClientSecretCredential
   from azure.keyvault.keys import KeyClient
   
   # Uncomment the following lines according to the authentication type.
   # system-assigned managed identity
   # cred = ManagedIdentityCredential()
   
   # user-assigned managed identity
   # managed_identity_client_id = os.getenv('AZURE_KEYVAULT_CLIENTID')
   # cred = ManagedIdentityCredential(client_id=managed_identity_client_id)
   
   # service principal
   # tenant_id = os.getenv('AZURE_KEYVAULT_TENANTID')
   # client_id = os.getenv('AZURE_KEYVAULT_CLIENTID')
   # client_secret = os.getenv('AZURE_KEYVAULT_CLIENTSECRET')
   # cred = ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret)
   
   VAULT_URL = os.environ["AZURE_KEYVAULT_RESOURCEENDPOINT"]
   client = KeyClient(vault_url=VAULT_URL, credential=cred)
   

NodeJS

1. Install dependencies.

   npm install @azure/identity
   npm install @azure/keyvault-secrets
   

2. Authenticate using @azure/identity and get the Azure Key Vault endpoint from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.

   import { DefaultAzureCredential,ClientSecretCredential } from "@azure/identity";
   const { SecretClient } = require("@azure/keyvault-secrets");
   
   // Uncomment the following lines according to the authentication type.
   // for system-assigned managed identity
   // const credential = new DefaultAzureCredential();
   
   // for user-assigned managed identity
   // const clientId = process.env.AZURE_KEYVAULT_CLIENTID;
   // const credential = new DefaultAzureCredential({
   //     managedIdentityClientId: clientId
   // });
   
   // for service principal
   // const tenantId = process.env.AZURE_KEYVAULT_TENANTID;
   // const clientId = process.env.AZURE_KEYVAULT_CLIENTID;
   // const clientSecret = process.env.AZURE_KEYVAULT_CLIENTSECRET;
   // const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
   
   const url = process.env.AZURE_KEYVAULT_RESOURCEENDPOINT;
   
   const client = new SecretClient(url, credential);
   

Other

For other languages, you can use the connection information that Service Connector sets to the environment variables to connect to Azure Key Vault. For environment variable details, see Integrate Azure Key Vault with Service Connector.

User-assigned managed identity

SpringBoot client type

Default environment variable name	Description	Example value
azure.keyvault.uri	Your Key Vault endpoint URL	"https://<vault-name>.vault.azure.net/"
azure.keyvault.client-id	Your Client ID	<client-ID>
azure.keyvault.scope	Your Azure RBAC scope	https://management.azure.com/.default
spring.cloud.azure.keyvault.secret.credential.managed-identity-enabled	Whether to enable managed identity for Spring Cloud Azure version 4.0 and above	true
spring.cloud.azure.keyvault.secret.endpoint	Your Key Vault endpoint URL for Spring Cloud Azure version 4.0 and above	"https://<vault-name>.vault.azure.net/"
spring.cloud.azure.keyvault.secret.credential.client-id	Your Client ID for Spring Cloud Azure version 4.0 and above	<client-ID>

Other client types

Default environment variable name	Description	Example value
AZURE_KEYVAULT_SCOPE	Your Azure RBAC scope	https://management.azure.com/.default
AZURE_KEYVAULT_RESOURCEENDPOINT	Your Key Vault endpoint	https://<vault-name>.vault.azure.net/
AZURE_KEYVAULT_CLIENTID	Your Client ID	<client-ID>

Sample code

Refer to the steps and code below to connect to Azure Key Vault using a system-assigned managed identity.

.NET

1. Install dependencies.

   dotnet add package Azure.Identity
   dotnet add package Azure.Security.KeyVault.Secrets
   

2. Authenticate using Azure.Identity and get the Azure Key Vault endpoint from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.

   using Azure.Identity;
   using Azure.Security.KeyVault.Secrets;
   using Azure.Core;
   
   // Uncomment the following lines according to the authentication type.
   // system-assigned managed identity
   // var credential = new DefaultAzureCredential();
   
   // user-assigned managed identity
   // var credential = new DefaultAzureCredential(
   //     new DefaultAzureCredentialOptions
   //     {
   //         ManagedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_CLIENTID");
   //     });
   
   // service principal 
   // var tenantId = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_TENANTID");
   // var clientId = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_CLIENTID");
   // var clientSecret = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_CLIENTSECRET");
   // var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
   
   string endpoint = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_RESOURCEENDPOINT");
   SecretClientOptions options = new SecretClientOptions()
   {
       Retry =
       {
           Delay= TimeSpan.FromSeconds(2),
           MaxDelay = TimeSpan.FromSeconds(16),
           MaxRetries = 5,
           Mode = RetryMode.Exponential
        }
   };
   var client = new SecretClient(new Uri(endpoint), credential, options);
   
   KeyVaultSecret secret = client.GetSecret("<mySecret>");
   

Java

1. Add the following dependencies in your pom.xml file:

   <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-security-keyvault-keys</artifactId>
   </dependency>
   <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-identity</artifactId>
       <version>1.1.5</version>
   </dependency>
   

2. Authenticate using azure-identity and get the Azure Key Vault endpoint from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.

   // Uncomment the following lines according to the authentication type.
   // for system-managed identity
   // DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
   
   // for user-assigned managed identity
   // DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
   //     .managedIdentityClientId(System.getenv("AZURE_KEYVAULT_CLIENTID"))
   //     .build();
   
   // for service principal
   // ClientSecretCredential credential = new ClientSecretCredentialBuilder()
   //   .clientId(System.getenv("AZURE_KEYVAULT_CLIENTID"))
   //   .clientSecret(System.getenv("AZURE_KEYVAULT_CLIENTSECRET"))
   //   .tenantId(System.getenv("AZURE_KEYVAULT_TENANTID"))
   //   .build();
   
   String url = System.getenv("AZURE_KEYVAULT_RESOURCEENDPOINT");
   KeyClient keyClient = new KeyClientBuilder()
       .vaultUrl(url)
       .credential(credential)
       .buildClient();
   

SpringBoot

Refer to Tutorial: Connect Azure Spring Apps to Key Vault using managed identities to set up your Spring application. Two sets of configuration properties are added to Spring Apps by Service Connector, according to Spring Cloud Azure version below 4.0 and above 4.0. For more information, check Migration Guide for 4.0

Python

1. Install dependencies.

   pip install azure-keyvault-keys azure-identity
   

2. Authenticate using azure-identity and get the Azure Key Vault endpoint from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.

   import os
   from azure.identity import ManagedIdentityCredential, ClientSecretCredential
   from azure.keyvault.keys import KeyClient
   
   # Uncomment the following lines according to the authentication type.
   # system-assigned managed identity
   # cred = ManagedIdentityCredential()
   
   # user-assigned managed identity
   # managed_identity_client_id = os.getenv('AZURE_KEYVAULT_CLIENTID')
   # cred = ManagedIdentityCredential(client_id=managed_identity_client_id)
   
   # service principal
   # tenant_id = os.getenv('AZURE_KEYVAULT_TENANTID')
   # client_id = os.getenv('AZURE_KEYVAULT_CLIENTID')
   # client_secret = os.getenv('AZURE_KEYVAULT_CLIENTSECRET')
   # cred = ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret)
   
   VAULT_URL = os.environ["AZURE_KEYVAULT_RESOURCEENDPOINT"]
   client = KeyClient(vault_url=VAULT_URL, credential=cred)
   

NodeJS

1. Install dependencies.

   npm install @azure/identity
   npm install @azure/keyvault-secrets
   

2. Authenticate using @azure/identity and get the Azure Key Vault endpoint from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.

   import { DefaultAzureCredential,ClientSecretCredential } from "@azure/identity";
   const { SecretClient } = require("@azure/keyvault-secrets");
   
   // Uncomment the following lines according to the authentication type.
   // for system-assigned managed identity
   // const credential = new DefaultAzureCredential();
   
   // for user-assigned managed identity
   // const clientId = process.env.AZURE_KEYVAULT_CLIENTID;
   // const credential = new DefaultAzureCredential({
   //     managedIdentityClientId: clientId
   // });
   
   // for service principal
   // const tenantId = process.env.AZURE_KEYVAULT_TENANTID;
   // const clientId = process.env.AZURE_KEYVAULT_CLIENTID;
   // const clientSecret = process.env.AZURE_KEYVAULT_CLIENTSECRET;
   // const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
   
   const url = process.env.AZURE_KEYVAULT_RESOURCEENDPOINT;
   
   const client = new SecretClient(url, credential);
   

Other

For other languages, you can use the connection information that Service Connector sets to the environment variables to connect to Azure Key Vault. For environment variable details, see Integrate Azure Key Vault with Service Connector.

Service principal

SpringBoot client type

Default environment variable name	Description	Example value
azure.keyvault.uri	Your Key Vault endpoint URL	"https://<vault-name>.vault.azure.net/"
azure.keyvault.client-id	Your Client ID	<client-ID>
azure.keyvault.client-key	Your Client secret	<client-secret>
azure.keyvault.tenant-id	Your Tenant ID	<tenant-id>
azure.keyvault.scope	Your Azure RBAC scope	https://management.azure.com/.default
spring.cloud.azure.keyvault.secret.endpoint	Your Key Vault endpoint URL for Spring Cloud Azure version 4.0 and above	"https://<vault-name>.vault.azure.net/"
spring.cloud.azure.keyvault.secret.credential.client-id	Your Client ID for Spring Cloud Azure version 4.0 and above	<client-ID>
spring.cloud.azure.keyvault.secret.credential.client-secret	Your Client secret for Spring Cloud Azure version 4.0 and above	<client-secret>
spring.cloud.azure.keyvault.secret.profile.tenant-id	Your Tenant ID for Spring Cloud Azure version 4.0 and above	<tenant-id>

Other client types

Default environment variable name	Description	Example value
AZURE_KEYVAULT_SCOPE	Your Azure RBAC scope	https://management.azure.com/.default
AZURE_KEYVAULT_RESOURCEENDPOINT	Your Key Vault endpoint	https://<vault-name>.vault.azure.net/
AZURE_KEYVAULT_CLIENTID	Your Client ID	<client-ID>
AZURE_KEYVAULT_CLIENTSECRET	Your Client secret	<client-secret>
AZURE_KEYVAULT_TENANTID	Your Tenant ID	<tenant-id>

Sample code

Refer to the steps and code below to connect to Azure Key Vault using a system-assigned managed identity.

.NET

1. Install dependencies.

   dotnet add package Azure.Identity
   dotnet add package Azure.Security.KeyVault.Secrets
   

2. Authenticate using Azure.Identity and get the Azure Key Vault endpoint from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.

   using Azure.Identity;
   using Azure.Security.KeyVault.Secrets;
   using Azure.Core;
   
   // Uncomment the following lines according to the authentication type.
   // system-assigned managed identity
   // var credential = new DefaultAzureCredential();
   
   // user-assigned managed identity
   // var credential = new DefaultAzureCredential(
   //     new DefaultAzureCredentialOptions
   //     {
   //         ManagedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_CLIENTID");
   //     });
   
   // service principal 
   // var tenantId = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_TENANTID");
   // var clientId = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_CLIENTID");
   // var clientSecret = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_CLIENTSECRET");
   // var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
   
   string endpoint = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_RESOURCEENDPOINT");
   SecretClientOptions options = new SecretClientOptions()
   {
       Retry =
       {
           Delay= TimeSpan.FromSeconds(2),
           MaxDelay = TimeSpan.FromSeconds(16),
           MaxRetries = 5,
           Mode = RetryMode.Exponential
        }
   };
   var client = new SecretClient(new Uri(endpoint), credential, options);
   
   KeyVaultSecret secret = client.GetSecret("<mySecret>");
   

Java

1. Add the following dependencies in your pom.xml file:

   <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-security-keyvault-keys</artifactId>
   </dependency>
   <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-identity</artifactId>
       <version>1.1.5</version>
   </dependency>
   

2. Authenticate using azure-identity and get the Azure Key Vault endpoint from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.

   // Uncomment the following lines according to the authentication type.
   // for system-managed identity
   // DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
   
   // for user-assigned managed identity
   // DefaultAzureCredential credential = new DefaultAzureCredentialBuilder()
   //     .managedIdentityClientId(System.getenv("AZURE_KEYVAULT_CLIENTID"))
   //     .build();
   
   // for service principal
   // ClientSecretCredential credential = new ClientSecretCredentialBuilder()
   //   .clientId(System.getenv("AZURE_KEYVAULT_CLIENTID"))
   //   .clientSecret(System.getenv("AZURE_KEYVAULT_CLIENTSECRET"))
   //   .tenantId(System.getenv("AZURE_KEYVAULT_TENANTID"))
   //   .build();
   
   String url = System.getenv("AZURE_KEYVAULT_RESOURCEENDPOINT");
   KeyClient keyClient = new KeyClientBuilder()
       .vaultUrl(url)
       .credential(credential)
       .buildClient();
   

SpringBoot

Refer to Tutorial: Connect Azure Spring Apps to Key Vault using managed identities to set up your Spring application. Two sets of configuration properties are added to Spring Apps by Service Connector, according to Spring Cloud Azure version below 4.0 and above 4.0. For more information, check Migration Guide for 4.0

Python

1. Install dependencies.

   pip install azure-keyvault-keys azure-identity
   

2. Authenticate using azure-identity and get the Azure Key Vault endpoint from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.

   import os
   from azure.identity import ManagedIdentityCredential, ClientSecretCredential
   from azure.keyvault.keys import KeyClient
   
   # Uncomment the following lines according to the authentication type.
   # system-assigned managed identity
   # cred = ManagedIdentityCredential()
   
   # user-assigned managed identity
   # managed_identity_client_id = os.getenv('AZURE_KEYVAULT_CLIENTID')
   # cred = ManagedIdentityCredential(client_id=managed_identity_client_id)
   
   # service principal
   # tenant_id = os.getenv('AZURE_KEYVAULT_TENANTID')
   # client_id = os.getenv('AZURE_KEYVAULT_CLIENTID')
   # client_secret = os.getenv('AZURE_KEYVAULT_CLIENTSECRET')
   # cred = ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret)
   
   VAULT_URL = os.environ["AZURE_KEYVAULT_RESOURCEENDPOINT"]
   client = KeyClient(vault_url=VAULT_URL, credential=cred)
   

NodeJS

1. Install dependencies.

   npm install @azure/identity
   npm install @azure/keyvault-secrets
   

2. Authenticate using @azure/identity and get the Azure Key Vault endpoint from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.

   import { DefaultAzureCredential,ClientSecretCredential } from "@azure/identity";
   const { SecretClient } = require("@azure/keyvault-secrets");
   
   // Uncomment the following lines according to the authentication type.
   // for system-assigned managed identity
   // const credential = new DefaultAzureCredential();
   
   // for user-assigned managed identity
   // const clientId = process.env.AZURE_KEYVAULT_CLIENTID;
   // const credential = new DefaultAzureCredential({
   //     managedIdentityClientId: clientId
   // });
   
   // for service principal
   // const tenantId = process.env.AZURE_KEYVAULT_TENANTID;
   // const clientId = process.env.AZURE_KEYVAULT_CLIENTID;
   // const clientSecret = process.env.AZURE_KEYVAULT_CLIENTSECRET;
   // const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
   
   const url = process.env.AZURE_KEYVAULT_RESOURCEENDPOINT;
   
   const client = new SecretClient(url, credential);
   

Other

For other languages, you can use the connection information that Service Connector sets to the environment variables to connect to Azure Key Vault. For environment variable details, see Integrate Azure Key Vault with Service Connector.

Next steps

Follow the tutorials listed below to learn more about Service Connector.

Learn about Service Connector concepts