question

PeterKempkers-1835 asked KranthiPakala-MSFT commented

Cannot get Purview to read from Key Vault

I have set up a Key Store with 'Azure role-based access control' and added a secret for SQL Server authentication.

I have created a Purview account, and registered the database.

I have granted the 'Key Vault Reader' role to the Purview account in the Key Vault Access Control (IAM) which indicates it can 'Read metadata of key vaults and its certificates, keys, and secrets.'

I've set up the Key Vault connection in Purview Studio and added SQL Authentication credentials.

However, when I set up the scan with the SQL Authentication credentials I get the error:

Error: (20500) Failed to access the provided secret in Azure key vault. Please grant Purview MSI permissions to get secrets on your key vault. If the error still persists, please make sure the secret actually exists in the key vault.

The secret does exist in the Key Vault.

Have I granted enough to the Purview account or am I missing something?

azure-purview

1 Answer

PeterKempkers-1835 answered KranthiPakala-MSFT commented

Key Vault Reader role doesn’t allow you to read the secret itself.

"Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material."

I didn’t scroll enough when it only showed the first part.

The "Key Vault Secrets User" role does allow Purview to read the secret.


Thanks for sharing your findings here with the community @peterkempkers-1835!

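The difference between the two roles in the answer above, as an added example that is not part of the original thread: a small checker that evaluates a role's data actions against the operation a scan credential lookup needs. The role definitions embedded below are an assumption transcribed for illustration (confirm them with `az role definition list --name "<role name>"`), and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Data-plane permissions of the two built-in roles, embedded as an assumption;
# confirm with: az role definition list --name "<role name>"
ROLES = {
    "Key Vault Reader": {
        "dataActions": [
            "Microsoft.KeyVault/vaults/*/read",
            "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
        ],
        "notDataActions": [],
    },
    "Key Vault Secrets User": {
        "dataActions": [
            "Microsoft.KeyVault/vaults/secrets/getSecret/action",
            "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
        ],
        "notDataActions": [],
    },
}

GET_SECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"
READ_METADATA = "Microsoft.KeyVault/vaults/secrets/readMetadata/action"


def _matches(patterns, operation):
    """Azure RBAC patterns are case-insensitive and '*' spans path segments."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def role_allows(role, operation):
    """Granted if a dataAction matches and no notDataAction excludes it."""
    return _matches(role["dataActions"], operation) and not _matches(
        role["notDataActions"], operation
    )


def roles_granting(assigned_role_names, operation):
    """Return the assigned roles that grant the operation (empty means denied)."""
    return [n for n in assigned_role_names if role_allows(ROLES[n], operation)]


if __name__ == "__main__":
    for assigned in (["Key Vault Reader"],
                     ["Key Vault Reader", "Key Vault Secrets User"]):
        print(assigned, "-> getSecret granted by:",
              roles_granting(assigned, GET_SECRET))
```

With only Key Vault Reader assigned, nothing grants `getSecret`, which matches the 20500 error in the question even though the secret's metadata is visible.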