Store credential in Azure Key Vault

You can store credentials for data stores in an Azure Key Vault. Azure Data Factory retrieves the credentials when executing an activity that uses the data store.

Currently, the Dynamics connector, the Salesforce connector, and a few newly enabled connectors support this feature; more are expected later. Check each connector topic for details. For the secret fields that support this feature, you will see a note in the description saying "You can choose to mark this field as a SecureString to store it securely in ADF, or store the password in Azure Key Vault and let the copy activity pull it from there when performing data copy - learn more from Store credentials in Key Vault."

Note

This article applies to version 2 of Data Factory, which is currently in preview. If you are using version 1 of the Data Factory service, which is generally available (GA), see the documentation for Data Factory version 1.

Prerequisites

This feature relies on the data factory service identity. Learn how it works from Data factory service identity and make sure your data factory has an associated one.

Steps

To reference a credential stored in Azure Key Vault, you need to:

  1. Retrieve the data factory service identity by copying the value of "SERVICE IDENTITY APPLICATION ID" generated along with your factory.
  2. Grant the service identity access to your Azure Key Vault. In your key vault -> Access control -> Add -> search for this service identity application ID and add at least Reader permission. This allows the designated factory to access secrets in the key vault.
  3. Create a linked service pointing to your Azure Key Vault. Refer to Azure Key Vault linked service.
  4. Create the data store linked service and, inside it, reference the corresponding secret stored in the key vault. Refer to Reference credential stored in key vault.

Azure Key Vault linked service

The following properties are supported for the Azure Key Vault linked service:

Property   Description                                        Required
type       The type property must be set to: AzureKeyVault.   Yes
baseUrl    Specify the Azure Key Vault URL.                   Yes

Example:

{
    "name": "AzureKeyVaultLinkedService",
    "properties": {
        "type": "AzureKeyVault",
        "typeProperties": {
            "baseUrl": "https://<azureKeyVaultName>.vault.azure.net"
        }
    }
}

Reference credential stored in key vault

The following properties are supported when you configure a field in a linked service that references a key vault secret:

Property       Description                                                                Required
type           The type property of the field must be set to: AzureKeyVaultSecret.       Yes
secretName     The name of the secret in Azure Key Vault.                                 Yes
secretVersion  The version of the secret in Azure Key Vault. If not specified, the        No
               latest version of the secret is always used; if specified, that exact
               version is used.
store          Refers to an Azure Key Vault linked service that you use to store the      Yes
               credential.

Example: (see the "password" section)

{
    "name": "DynamicsLinkedService",
    "properties": {
        "type": "Dynamics",
        "typeProperties": {
            "deploymentType": "<>",
            "organizationName": "<>",
            "authenticationType": "<>",
            "username": "<>",
            "password": {
                "type": "AzureKeyVaultSecret",
                "secretName": "<secret name in AKV>",
                "store":{
                    "referenceName": "<Azure Key Vault linked service>",
                    "type": "LinkedServiceReference"
                }
            }
        }
    }
}
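The following script is an added example, not part of the Azure documentation or of Data Factory itself. It lints a set of linked service definitions in the JSON shape shown above and reports credential fields that are stored inline, kept as a SecureString in the factory rather than in Key Vault, reference a store that is not an AzureKeyVault linked service, or leave secretVersion unpinned. The set of credential field names and the sample definitions are assumptions made for the example.

```python
import json

# Assumed list of credential-bearing field names; the real set depends on the connector.
CREDENTIAL_FIELDS = {"password", "clientSecret", "securityToken", "accountKey"}

def lint_linked_services(linked_services):
    """Return (linkedServiceName, field, finding) tuples for each credential field."""
    # Index the AzureKeyVault linked services so each 'store' reference can be resolved.
    vaults = {ls["name"] for ls in linked_services
              if ls["properties"].get("type") == "AzureKeyVault"}
    findings = []
    for ls in linked_services:
        name, props = ls["name"], ls["properties"]
        if props.get("type") == "AzureKeyVault":
            continue  # the vault linked service itself holds no credential fields
        for field, value in props.get("typeProperties", {}).items():
            if field not in CREDENTIAL_FIELDS:
                continue
            if not isinstance(value, dict):
                findings.append((name, field, "plaintext credential in definition"))
            elif value.get("type") == "SecureString":
                findings.append((name, field, "SecureString kept in ADF, not in Key Vault"))
            elif value.get("type") == "AzureKeyVaultSecret":
                store = value.get("store", {})
                ref = store.get("referenceName")
                if store.get("type") != "LinkedServiceReference" or ref not in vaults:
                    findings.append((name, field, f"store {ref!r} is not a Key Vault linked service"))
                elif "secretVersion" not in value:
                    findings.append((name, field, "secretVersion not pinned, latest is used"))
    return findings

# Constructed sample: the page's two definitions plus two deliberately weak ones.
SAMPLE = json.loads("""[
 {"name": "AzureKeyVaultLinkedService", "properties": {"type": "AzureKeyVault",
  "typeProperties": {"baseUrl": "https://examplevault.vault.azure.net"}}},
 {"name": "DynamicsLinkedService", "properties": {"type": "Dynamics", "typeProperties": {
  "username": "user@example.com", "password": {"type": "AzureKeyVaultSecret",
  "secretName": "dynamics-password", "store": {"referenceName": "AzureKeyVaultLinkedService",
  "type": "LinkedServiceReference"}}}}},
 {"name": "SalesforceInline", "properties": {"type": "Salesforce", "typeProperties": {
  "username": "user@example.com", "password": "<plaintext-password>",
  "securityToken": {"type": "SecureString", "value": "<token>"}}}},
 {"name": "DynamicsBadStore", "properties": {"type": "Dynamics", "typeProperties": {
  "password": {"type": "AzureKeyVaultSecret", "secretName": "p", "secretVersion": "1",
  "store": {"referenceName": "MissingVault", "type": "LinkedServiceReference"}}}}}
]""")

if __name__ == "__main__":
    for name, field, finding in lint_linked_services(SAMPLE):
        print(f"{name}.{field}: {finding}")
```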

Next steps

For a list of data stores supported as sources and sinks by the copy activity in Azure Data Factory, see supported data stores.