sachingupta-1921 asked SaurabhSharma-msft commented

not able to access Azure Key Vault from ADF

Hello,

I have created a Key Vault and a secret token, and provided access policies to the ADF Managed Identity principal.
Now in ADF, when I try to connect to Key Vault using a Web Activity, I get the error below:

Get access token from MSI failed for Datafactory ADF-INF, region eu. Please verify resource url is valid and retry. Details: Failed to get MI access token. The error message is: Acquire MI token from AAD failed. ErrorCode: invalid_resource, Message: AADSTS500011: The resource principal named https://kv-xxx.vault.azure.net/ was not found in the tenant named 843e946b-e615-4940-xxxx-xxxx3f7f1353. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: 0c5e5a32-6211-46b4-bc12-565240831d00 Correlation ID: fc1b8ec5-c055-4b94-a5ec-0e8d40748f54 Timestamp: 2021-09-17 03:20:55Z.

I did not understand what the issue is. Can someone please help me on this issue?

Thanks

Tags: azure-data-factory, azure-key-vault, azure-managed-identity

SaurabhSharma-msft answered sachingupta-1921 commented

Hi @sachingupta-1921,

Thanks for using Microsoft Q&A !!
I believe you are not passing the correct Resource value to the web activity. You need to pass https://vault.azure.net instead of passing your actual key vault name, e.g. https://kv-xxx.vault.azure.net/ . I have checked it at my end and it works fine. Please find the gif below for your reference, where I have used the Get Key Vault Secrets REST API using Managed Identity.
133245-webactivityusingmanagedidentity.gif

Please let me know if you have any questions.

Thanks
Saurabh


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
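The distinction the answer draws is between the per-vault URL that the Web Activity calls and the service-wide audience that the managed identity must request its token for. The following lint is an added example, not code from the answer or from Microsoft: it embeds two constructed Web Activity definitions (the shape of the failing one, with the vault's own URL as `resource`, and the corrected one with `https://vault.azure.net`), and the helper names `check_msi_resource` and `fix_msi_resource` are hypothetical. The activity JSON layout (`typeProperties.authentication.type = "MSI"` with a `resource` field) follows the ADF Web Activity schema.

```python
"""Check that an ADF Web Activity calling Key Vault via MSI requests the
token for the Key Vault service audience rather than for one vault's URL."""
import copy
from urllib.parse import urlparse

# Audience an MSI token for any Key Vault instance must be issued for.
KEY_VAULT_AUDIENCE = "https://vault.azure.net"

# Constructed example: the failing configuration from the question, where the
# vault's own host is passed as the token resource.
BROKEN_ACTIVITY = {
    "name": "GetSecret",
    "type": "WebActivity",
    "typeProperties": {
        "url": "https://kv-xxx.vault.azure.net/secrets/my-secret?api-version=7.3",
        "method": "GET",
        "authentication": {
            "type": "MSI",
            "resource": "https://kv-xxx.vault.azure.net/",  # wrong: instance URL
        },
    },
}

# Constructed example: same call, resource set to the service audience.
FIXED_ACTIVITY = copy.deepcopy(BROKEN_ACTIVITY)
FIXED_ACTIVITY["typeProperties"]["authentication"]["resource"] = KEY_VAULT_AUDIENCE


def check_msi_resource(activity: dict) -> list:
    """Return a list of findings for a Web Activity definition.

    An empty list means the MSI resource matches the Key Vault audience (or the
    activity is not an MSI call to Key Vault and is out of scope here).
    """
    findings = []
    props = activity.get("typeProperties", {})
    auth = props.get("authentication", {})
    if auth.get("type") != "MSI":
        return findings  # other authentication types are not covered
    host = urlparse(props.get("url", "")).hostname or ""
    if not host.endswith(".vault.azure.net"):
        return findings  # not a Key Vault call
    resource = auth.get("resource", "")
    if resource.rstrip("/") != KEY_VAULT_AUDIENCE:
        findings.append(
            f"resource {resource!r} is a per-vault URL, not the audience "
            f"{KEY_VAULT_AUDIENCE!r}; AAD rejects such a token request with "
            "AADSTS500011 (invalid_resource), as seen in the question"
        )
    return findings


def fix_msi_resource(activity: dict) -> dict:
    """Return a copy of the activity with the MSI resource set to the
    Key Vault audience. The request URL itself stays the per-vault URL."""
    fixed = copy.deepcopy(activity)
    auth = fixed.setdefault("typeProperties", {}).setdefault("authentication", {})
    if auth.get("type") == "MSI":
        auth["resource"] = KEY_VAULT_AUDIENCE
    return fixed


if __name__ == "__main__":
    for name, act in (("broken", BROKEN_ACTIVITY), ("fixed", FIXED_ACTIVITY)):
        print(name, check_msi_resource(act) or "OK")
    print(fix_msi_resource(BROKEN_ACTIVITY)["typeProperties"]["authentication"])
```

The check deliberately keys on the token `resource` only: the `url` must still point at the specific vault, because that is where the secret lives, while the token audience is shared by every vault in the tenant.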

@SaurabhSharma-msft, I appreciate your response. That worked for me, and now I am getting another error:

{"error":{"code":"Forbidden","message":"The policy requires the caller 'name=Microsoft.DataFactory/factories;appid=c7fe3ad8-f2eb-45fb-8698-fd0452a3285d;oid=aafc8cc5-f4c9-4925-9bec-7e8a5cc5a43b;iss=https://sts.windows.net/843e946b-e615-4940-90dc-44453f7f1353/' to use on-behalf-of (OBO) flow. For more information on OBO, please see https://go.microsoft.com/fwlink/?linkid=2152310","innererror":{"code":"ForbiddenByPolicy"}}}

Can you please help me on this?

Thanks

sachingupta-1921 answered SaurabhSharma-msft commented

@SaurabhSharma-msft, hello, you can ignore my comment about the other issue. I was able to fix it.
