Storing Secret token information at runtime from ADF to Key Vault dynamically - azure-data-factory

I have a scenario for using Azure Key Vault.
I have stored a refresh token in Key Vault, retrieved the token from Key Vault in ADF using the Web activity, and called the service provider endpoint to generate the access token based on the refresh token.
I want to store the above generated access token from ADF into Key Vault. How can I do that?
I went through many articles but did not find any solution for storing information generated in ADF in Key Vault.
Any help is much appreciated.
Thanks

You can make a REST API call from Azure Data Factory using a Web activity to store a secret in Azure Key Vault.
Here is the link to the REST API reference:
Sets a secret in a specified key vault.
The SET operation adds a secret to the Azure Key Vault. If the named secret already exists, Azure Key Vault creates a new version of that secret. This operation requires the secrets/set permission.
Set Secret - REST API (Azure Key Vault)
Learn more about [Key Vault Set Secret Operations].

Related

Error while setting a new secret in Azure Key Vault using an Azure Data Factory Web activity with the REST API Set Secret

My requirement is that I have to get a set of refresh and access tokens from the Autodesk API and store them in Azure Key Vault [using 3-legged authentication, where I get the refresh and access tokens based on a code]. Since the refresh and access tokens expire in 24 hours, I need to get a set of new tokens every day and store them securely in Azure Key Vault. We are using an Azure Data Factory pipeline for this, as per the requirement.
For the very first time, when the refresh and access tokens are received, we save them to the vault manually; from the next cycle on, we read the previous token from the vault, call the Autodesk API and retrieve new tokens. All of this is done using the ADF Web activity.
Getting the old tokens from Key Vault is working, but setting the new tokens in the vault is failing.
I am using a Web activity in ADF which calls the Azure REST Set Secret API to store the tokens in Key Vault:
https://myvault.vault.azure.net/secrets/mysecretname?api-version=7.3
While executing this pipeline I am getting the following error:
Error details
Error code: 2108
Failure type: User configuration issue
Details: {"error":{"code":"BadParameter","message":"Property has invalid value\r\n"}}
Source: Pipeline pl_renew_refreshtoken_web_to_kv
I am not able to understand what BadParameter and "Property has invalid value" mean; there is not much information in the Azure documentation.
I have also set an access policy for the service principal of the ADF resource.
This issue is resolved.
In the body of the Web activity, I had to give the value as a JSON object like {"value":"secretvalue"}. I was giving it as value=secretvalue, which was causing the issue.

Get Secret from Azure Key Vault using Perl

I have explored all related documentation provided by Microsoft and other related blogs on Azure Key Vault, but have been unable to find how to get a secret from Azure Key Vault using Perl scripting.
Does Microsoft support reading Secret value from Azure Key Vault using Perl?
You can use a REST client such as REST::Client and call the Get Secret endpoint.
For Azure AD authentication you will need to use an OAuth2 library such as Net::OAuth2::AuthorizationServer.
For more information take a look at Authentication in Azure Key Vault.
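The three answers above all come down to the same two REST calls: acquire an Azure AD token, then PUT or GET on https://{vault}.vault.azure.net/secrets/{name}?api-version=... with a bearer header. The following is an added example, not code from any of the answers and not the Perl the last question asked for; it is Python, but the requests it builds are exactly what a Perl REST::Client (or an ADF Web activity, which gets its token from its managed identity instead) would send. It covers the Set Secret call from the first answer, the {"value": ...} body shape from the resolved error above (and reproduces the BadParameter failure when the body is value=secretvalue), and the client-credentials token plus Get Secret call from the Perl answer. The vault name, secret name, tenant and credentials are placeholders, and FakeVault is a constructed stand-in so the code runs offline; it is not the real service and only checks the one thing the thread is about.

```python
"""Azure Key Vault secrets over REST: token request, Set/Get requests and the
error envelope. FakeVault is a constructed offline stand-in, not the real
service; the vault name, secret name and credentials are placeholders."""
import json
import time
from urllib.parse import urlencode

API_VERSION = "7.3"  # the api-version used in the failing request above


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials grant at the Entra ID v2.0 token endpoint (what a Perl
    or Python script does; an ADF Web activity would use MSI auth instead)."""
    return {"method": "POST",
            "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"grant_type": "client_credentials", "client_id": client_id,
                               "client_secret": client_secret,
                               "scope": "https://vault.azure.net/.default"})}


def _vault_request(method, vault_url, path, token, body=None):
    """Bearer token and api-version on every data-plane call. A dict body is
    serialised to JSON; a str body is sent as-is (only to reproduce the bug)."""
    headers = {"Authorization": f"Bearer {token}"}
    if body is not None:
        headers["Content-Type"] = "application/json"
        body = body if isinstance(body, str) else json.dumps(body)
    return {"method": method, "headers": headers, "body": body,
            "url": f"{vault_url.rstrip('/')}/{path}?api-version={API_VERSION}"}


def build_set_secret_request(vault_url, name, value, token, expires_at=None):
    """PUT /secrets/{name}: the body MUST be a JSON object {"value": ...}; the
    exp attribute (Unix time) makes a 24-hour token unusable after it expires."""
    body = {"value": value}
    if expires_at is not None:
        body["attributes"] = {"exp": int(expires_at)}
    return _vault_request("PUT", vault_url, f"secrets/{name}", token, body)


def build_get_secret_request(vault_url, name, token, version=""):
    """GET /secrets/{name}[/{version}]; without a version you get the latest."""
    return _vault_request("GET", vault_url, f"secrets/{name}/{version}".rstrip("/"), token)


def send(request, transport):
    """transport(request) -> (status, body_text); unwraps {"error": {...}}."""
    status, text = transport(request)
    payload = json.loads(text) if text else {}
    if status >= 400:
        err = payload.get("error", {})
        raise RuntimeError(f"{status} {err.get('code')}: {err.get('message', '').strip()}")
    return payload


class FakeVault:
    """Offline stand-in for https://<name>.vault.azure.net that checks only the
    PUT body shape and answers with the exact error text from the question."""
    BAD = (400, '{"error":{"code":"BadParameter","message":"Property has invalid value\\r\\n"}}')

    def __init__(self, vault_url):
        self.vault_url, self.versions, self.n = vault_url.rstrip("/"), {}, 0

    def __call__(self, req):
        name = req["url"].split("?")[0][len(self.vault_url) + 1:].split("/")[1]
        if req["method"] == "GET":
            return 200, json.dumps(self.versions[name][-1])  # latest version
        try:
            body = json.loads(req["body"])
        except ValueError:  # "value=secretvalue" is not JSON at all
            body = None
        if not isinstance(body, dict) or not isinstance(body.get("value"), str):
            return self.BAD
        self.n += 1
        rec = {"value": body["value"], "id": f"{self.vault_url}/secrets/{name}/v{self.n}",
               "attributes": {"enabled": True, **body.get("attributes", {})}}
        self.versions.setdefault(name, []).append(rec)
        return 200, json.dumps(rec)


def rotate_token(transport, vault_url, token, new_access_token, ttl_seconds=24 * 3600):
    """The pipeline step from the question: store the freshly issued token as a
    new secret version with a matching expiry, then read it back."""
    exp = int(time.time()) + ttl_seconds
    stored = send(build_set_secret_request(vault_url, "autodesk-access-token",
                                           new_access_token, token, exp), transport)
    fetched = send(build_get_secret_request(vault_url, "autodesk-access-token", token), transport)
    return stored["id"], fetched["value"], fetched["attributes"]["exp"] == exp


def wrong_body_error(transport, vault_url, token):
    """Reproduces the 2108/BadParameter failure: a form-style body instead of JSON."""
    try:
        send(_vault_request("PUT", vault_url, "secrets/autodesk-access-token", token,
                            "value=secretvalue"), transport)
    except RuntimeError as e:
        return str(e)
    return "no error"
```

Against the real service, replace the FakeVault transport with a function that performs the HTTP call and returns (status, body). Two points the thread only implies: each PUT creates a new version rather than overwriting, so a rotation pipeline leaves a history of old tokens in the vault (purge or disable them if that matters), and setting exp on a 24-hour token means a caller that asks for the secret after expiry is refused by the vault rather than handed a dead token.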

Azure Key Vault set secret PUT API deprecated?

I'm using the set secret PUT API https://myvault.vault.azure.net/secrets/mysecret/ to either create or update an existing secret in my key vault.
The API calls still work for me for now. I'm wondering if there will be future changes to this API, as the documentation for it is no longer available online and there are only mentions of PowerShell commands?
Please check if you are looking for this document, which you can find in the Key Vault blade > Secrets.
Set-secret:
PUT {vaultBaseUrl}/secrets/{secret-name}?api-version=7.2
This operation adds a secret to the Azure Key Vault. If it already exists, Azure Key Vault creates a new version of that secret. Needs secrets/set permission.
Update-secret:
PATCH {vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=7.2
The UPDATE operation changes specified attributes of an existing stored secret. This operation requires the secrets/set permission.

Encryption at Rest, MongoDB, Azure Key vault - unable to connect to your azure vault account

Firstly, I am trying to connect my Azure Key Vault to my Encryption at Rest using your Key Management. I followed the guide in the MongoDB documentation: https://docs.atlas.mongodb.com/security-azure-kms/
[image from the MongoDB Atlas setup]
What I've done so far, which hasn't worked:
I have set up the application and added the client secret; the application has the role "Azure Key Vault Reader" assigned to it through the subscription.
I have set up the Key Vault under the same subscription as above, with its own resource group to match it, and generated the key.
The key has all the operations.
So I have the application with Key Vault Reader access and the Key Vault containing the key.
Client(Application) ID is filled with info from the application.
Tenant ID is filled with tenant ID from the application.
Secret is created and stored in the application - is added. (Not the ID)
Subscription ID copied from key vault is added.
Resource group name copied from key vault is added.
Key Vault Name copied from key vault is added.
lastly the Key Identifier is copied from the vault and added.
Still I get this error. Is there something wrong with the way I went about it?
I feel I have tried every combination of setup, but it seems like the credentials are set up in a wrong way, which I do not understand since it was all copied directly from Azure.
"We were unable to connect to your Azure Key Vault account. Please check your credentials and try again."
As per #Matt Small's suggestion in the comment section, if we enable Azure Key Vault logging, we can check whether the issue is with wrong credentials, with the access policy, or network related.
If the issue is with access, we can provide the Key Vault Contributor role or add an access policy with Get and List permissions for keys and secrets for the service principal (app registration).
As per #Hurup's comment, the Azure Key Vault Reader role was not enough, and the role should not be under the resource group. Giving the application a higher vault role and setting it under the subscription can resolve the issue.
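The logging suggestion in the answer above is the right first step, because the three failure causes it lists look different in the vault's AuditEvent diagnostic records, and one of them does not show up there at all. What follows is an added example, not code from the answer or from MongoDB: a small Python triage over a few constructed AuditEvent records. The field names it reads (operationName, resultType, resultSignature, resultDescription, identity.claim.appid, callerIpAddress) follow the Key Vault diagnostic schema as I understand it, which is an assumption to check against a real export from your vault; the app id, IP addresses and timestamps are placeholders. The firewall test on the description text is a heuristic. The caveat that matters most for the Atlas form: a wrong client secret or tenant fails at login.microsoftonline.com before any request reaches the vault, so an empty log for that app id points at the credentials, while a 403 means the token was fine and the missing piece is the policy or role on the vault itself.

```python
"""Triage Azure Key Vault AuditEvent records: a rejected token (401) versus a
missing access policy or RBAC role (403) versus a firewall block (403 with a
network description) versus nothing logged at all. Sample records are
constructed; field names follow the AuditEvent schema as assumed and should be
checked against a real export."""
import json

APP_ID = "11111111-2222-3333-4444-555555555555"  # placeholder app registration id
SAMPLE_LOG = """
{"time":"2022-05-10T09:00:01Z","operationName":"KeyGet","resultType":"Failed","resultSignature":"Unauthorized","resultDescription":"","identity":{"claim":{}},"callerIpAddress":"203.0.113.10"}
{"time":"2022-05-10T09:05:12Z","operationName":"KeyGet","resultType":"Failed","resultSignature":"Forbidden","resultDescription":"","identity":{"claim":{"appid":"11111111-2222-3333-4444-555555555555"}},"callerIpAddress":"203.0.113.10"}
{"time":"2022-05-10T09:06:40Z","operationName":"KeyWrap","resultType":"Failed","resultSignature":"Forbidden","resultDescription":"Client address is not authorized and caller is not a trusted service","identity":{"claim":{"appid":"11111111-2222-3333-4444-555555555555"}},"callerIpAddress":"198.51.100.7"}
{"time":"2022-05-10T09:20:03Z","operationName":"KeyWrap","resultType":"Success","resultSignature":"OK","resultDescription":"","identity":{"claim":{"appid":"11111111-2222-3333-4444-555555555555"}},"callerIpAddress":"203.0.113.10"}
"""

ADVICE = {
    "ok": "request succeeded; this operation is not the problem",
    "token-rejected": "a token reached the vault but was refused: check the tenant id and that the token audience is https://vault.azure.net",
    "not-permitted": "authenticated but denied: grant the operation via an access policy or a data-plane RBAC role assigned on the vault itself",
    "network-denied": "the vault firewall blocked the caller IP: allow that source address on the vault",
    "no-requests": "nothing from this app id reached the vault: the failure is earlier, at token issuance (client id, client secret or tenant)",
}


def classify(entry):
    """One outcome label per record."""
    if entry.get("resultType") == "Success":
        return "ok"
    sig = entry.get("resultSignature")
    desc = (entry.get("resultDescription") or "").lower()
    if sig == "Unauthorized":
        return "token-rejected"
    if sig == "Forbidden":
        # heuristic: the firewall denial carries a distinctive description text
        return "network-denied" if "address is not authorized" in desc else "not-permitted"
    return "other"


def latest_state(log_text):
    """(app id or '<no identity>', operation) -> (outcome, caller ip) of the newest attempt."""
    entries = sorted((json.loads(l) for l in log_text.strip().splitlines() if l.strip()),
                     key=lambda e: e["time"])
    state = {}
    for e in entries:
        who = e.get("identity", {}).get("claim", {}).get("appid") or "<no identity>"
        state[(who, e["operationName"])] = (classify(e), e.get("callerIpAddress"))
    return state


def triage(log_text, app_id):
    """Per-operation verdict for one app id; 401s carry no validated claims, so
    they are reported separately, and an app id that never appears is flagged."""
    state = latest_state(log_text)
    verdict = {}
    for (who, op), (outcome, _ip) in state.items():
        if who == app_id:
            verdict[op] = outcome
        elif who == "<no identity>" and outcome == "token-rejected":
            verdict[f"(unauthenticated) {op}"] = outcome
    if not any(who == app_id for who, _op in state):
        verdict["*"] = "no-requests"
    return verdict


if __name__ == "__main__":
    for op, outcome in triage(SAMPLE_LOG, APP_ID).items():
        print(f"{op:28} {outcome:16} {ADVICE[outcome]}")
```

On the constructed sample, KeyGet for the app id ends in not-permitted (the role or policy is missing on the vault), KeyWrap ends in ok after an earlier firewall denial from a different address, and the 401 has no app id attached because the vault never validated that token. Point the function at an export from Log Analytics or the storage account you enabled diagnostics to, filtered to the AuditEvent category.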
I had the exact same issue. In the end I figured out that I did not have to create the role assignment 'Have an Active Directory Application with the role of Azure Key Vault Reader assigned to it.' on the Active Directory app, but on the Key Vault.
I followed the manual from MongoDB and then in a final step did:
Go to Key Vault
Select key vault
Select Access Control (IAM)
Select Grant access to this resource
Select role Key Vault Reader
Assign access to :User, group, or service principal
+Select Members
Type Application name
Review and assign...
After this I could save the settings on MongoDB to use encryption at rest.

Securing service principal in azure

We are using a service principal to create the infrastructure in Azure. We want to secure the client secret, and for that we are planning to use Azure Key Vault. If we store the client secret in Key Vault, we would require another service principal to read the secret from the Key Vault, so how do we secure that secret? We want to know how to resolve this and how it is done in enterprise scenarios.
Thanks