Store credential in Azure Key Vault

You can store credentials for data stores and computes in an Azure Key Vault. Azure Data Factory retrieves the credentials when executing an activity that uses the data store/compute.

Currently, all activity types except custom activity support this feature. For connector configuration specifically, check the "linked service properties" section in each connector topic for details.

Prerequisites

This feature relies on the data factory service identity. Learn how it works from Data factory service identity and make sure your data factory have an associated one.

Tip

In Azure Key Vault, when you create a secret, put the entire value of a secret property that ADF linked service asks for (e.g. connection string/password/service principal key/etc). For example, for Azure Storage linked service, put DefaultEndpointsProtocol=http;AccountName=myAccount;AccountKey=myKey; as AKV secret, then reference in "connectionString" field from ADF; for Dynamics linked service, put myPassword as AKV secret, then reference in "paassword" field from ADF. Refer to each connector/compute article on supported property details.

Steps

To reference a credential stored in Azure Key Vault, you need to:

  1. Retrieve data factory service identity by copying the value of "SERVICE IDENTITY APPLICATION ID" generated along with your factory. If you use ADF authoring UI, the service identity ID will be shown on the Azure Key Vault linked service creation window; you can also retrieve it from Azure portal, refer to Retrieve data factory service identity.
  2. Grant the service identity access to your Azure Key Vault. In your key vault -> Access policies -> Add new -> search this service identity application ID to grant Get permission in Secret permissions dropdown. It allows this designated factory to access secret in key vault.
  3. Create a linked service pointing to your Azure Key Vault. Refer to Azure Key Vault linked service.
  4. Create data store linked service, inside which reference the corresponding secret stored in key vault. Refer to reference secret stored in key vault.

Azure Key Vault linked service

The following properties are supported for Azure Key Vault linked service:

Property Description Required
type The type property must be set to: AzureKeyVault. Yes
baseUrl Specify the Azure Key Vault URL. Yes

Using authoring UI:

Click Connections -> Linked Services -> +New -> search for "Azure Key Vault":

Search AKV

Select the provisioned Azure Key Vault where your credentials are stored. You can do Test Connection to make sure your AKV connection is valid.

Configure AKV

JSON example:

{
    "name": "AzureKeyVaultLinkedService",
    "properties": {
        "type": "AzureKeyVault",
        "typeProperties": {
            "baseUrl": "https://<azureKeyVaultName>.vault.azure.net"
        }
    }
}

Reference secret stored in key vault

The following properties are supported when you configure a field in linked service referencing a key vault secret:

Property Description Required
type The type property of the field must be set to: AzureKeyVaultSecret. Yes
secretName The name of secret in azure key vault. Yes
secretVersion The version of secret in azure key vault.
If not specified, it always uses the latest version of the secret.
If specified, then it sticks to the given version.
No
store Refers to an Azure Key Vault linked service that you use to store the credential. Yes

Using authoring UI:

Select Azure Key Vault for secret fields while creating the connection to your data store/compute. Select the provisioned Azure Key Vault Linked Service and provide the Secret name. You can optionally provide a secret version as well.

Configure AKV secret

JSON example: (see the "password" section)

{
    "name": "DynamicsLinkedService",
    "properties": {
        "type": "Dynamics",
        "typeProperties": {
            "deploymentType": "<>",
            "organizationName": "<>",
            "authenticationType": "<>",
            "username": "<>",
            "password": {
                "type": "AzureKeyVaultSecret",
                "secretName": "<secret name in AKV>",
                "store":{
                    "referenceName": "<Azure Key Vault linked service>",
                    "type": "LinkedServiceReference"
                }
            }
        }
    }
}

Next steps

For a list of data stores supported as sources and sinks by the copy activity in Azure Data Factory, see supported data stores.