Can Keycloak perform environment variable substitution for a client's credentials?

Support,

I have a client credential that I would like to make available to an environment variable
via a secret (ie: Using Azure) for my realm. Can Keycloak perform environment variable (ie: ${M2M_CLIENT_SECRET} substitution at runtime to
get the actual value?

NOTE: I have verified that I can print the value for the environment variable: M2M_CLIENT_SECRET (ie: using printenv) on Linux machine where Keycloak is runnning.

Here is a snippet from my realm settings:

{
“id”: “69f6642d-6370-4c56-925d-ce3e56e415b8”,
“clientId”: “user-client-m2m”,
“name”: “user-client-m2m”,
“description”: “”,
“rootUrl”: “”,
“adminUrl”: “”,
“baseUrl”: “”,
“surrogateAuthRequired”: false,
“enabled”: true,
“alwaysDisplayInConsole”: false,
“clientAuthenticatorType”: “client-secret”,
“secret”: “${M2M_CLIENT_SECRET}”,
“redirectUris”: [
“/*”
],

Please advise.

Thank you in advance.

To answer your question directly: we use env vars in a config file and it works “at start-time” (“${env.KC_DB_URL}” used in cache-ispn-jdbc-ping.xml). I’m pretty sure that importing realm JSON with env vars works too. However, I don’t think that’s what you’re meaning to ask.
Just to state the obvious: Keycloak’s state isn’t held in a JSON object rather in a database. And AFAIK, Keycloak won’t render env vars from database natively (not that it can’t - I’m just pretty sure it doesn’t).
Do you need the secret to be imported once when the client is created? or is that secret rotating and you expect Keycloak to use it from that env var when needed?
Because if it’s the former, it’s a much easier case that can probably be solved with the JSON import process.