How to let synapse pipeline identify a value as hexadecimal encoded text

Sakthi 20 Reputation points
2025-01-20T12:03:56.19+00:00

Hello,

I want to sign a JWT token using the signing functionality of Azure Key Vault and have generated a private key.

I want to send a request to the Key Vault from Azure Synapse pipeline's Web component.

The configuration of this web component is as follows:
URL: https://<keyvault name>.vault.azure.net/keys/<key name>/<current version ID>/sign?api-version=7.4

Method: POST

Body: { "alg": "RS256", "value": "<hash/base64url encoded value>" } (tried both options - RS256 hash and Base64URL encode)

Authentication: System-assigned managed identity

Headers: Content-Type application/json

The issue is with the content in the value of the body. The error message I'm getting is -

{"error":{"code":"BadParameter","message":"Invalid length of 'value': 64 bytes. RS256 requires 32 bytes, encoded with base64url."}}

The analysis I have done so far is that the hash function returns a 32-byte hexadecimal value which has 64 characters.

Synapse considers this value as UTF-8 encoded text and considers this value as 64 bytes (this is checked using the dataUri conversion function in the pipeline).

There doesn't seem to be a built-in function at the pipeline expression level to let Synapse know that this value is not plain text but rather a hexadecimal value.

Additionally, I have tried running a SQL command (the value from this command is verified to be correct) from the pipeline to return a VARBINARY value and used this output in the dataUri function, which again returned the input as UTF-8.

Is there an option to let Synapse know that the content in the value tag of the Body in the web component is a hexadecimal value?

Thanks


Accepted answer
  1. Sina Salam 16,446 Reputation points
    2025-01-20T15:56:43.4266667+00:00

    Hello Sakthi,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    From your explanations, I understand that you would like to sign a JWT token using Azure Key Vault from an Azure Synapse pipeline. The issue arises with the encoding of the value in the request body, where the Key Vault expects a 32-byte array encoded in base64url format, but you're encountering an error due to the value being interpreted as 64 bytes.

    To solve this issue, follow the steps below:

    1. Since Azure Synapse pipeline expressions might not support direct conversion, we can use an Azure Function to handle this conversion.
    2. Create an Azure Function that takes a hexadecimal string, converts it to a byte array, and then encodes it to base64url format. Below is a more detailed implementation of the Azure Function:

         ```python
         import base64
         import json

         import azure.functions as func


         def main(req: func.HttpRequest) -> func.HttpResponse:
             try:
                 # Get the hexadecimal value from the request body
                 req_body = req.get_json()
                 hex_str = req_body.get('hex_value')
                 # Convert hex string to raw bytes (64 hex chars -> 32 bytes)
                 byte_array = bytes.fromhex(hex_str)
                 # Encode bytes to base64url without '=' padding
                 base64url_str = base64.urlsafe_b64encode(byte_array).rstrip(b'=').decode('utf-8')
                 # Return the base64url encoded string as JSON so the
                 # pipeline can read output.base64url_value
                 return func.HttpResponse(
                     json.dumps({"base64url_value": base64url_str}),
                     status_code=200,
                     mimetype="application/json",
                 )
             except Exception as e:
                 # Missing, non-string or non-hex input ends up here
                 return func.HttpResponse(f"Error: {str(e)}", status_code=400)
         ```

    3. Use the Web activity in Azure Synapse to call the Azure Function and get the base64url encoded value.
    4. Use the output from the Azure Function in the body of your Key Vault signing request.

    For your Synapse Pipeline Configuration, it should look similar to the following:

    For the Web Activity to Call Azure Function:

    • URL: https://<your-function-app>.azurewebsites.net/api/<function-name>
    • Method: POST
    • Body: { "hex_value": "<your_hexadecimal_value>" }
    • Headers: Content-Type: application/json

    For the Web Activity to Call Key Vault:

    • URL: https://<keyvault_name>.vault.azure.net/keys/<key_name>/<current_version_ID>/sign?api-version=7.4
    • Method: POST
    • Body: { "alg": "RS256", "value": "@{activity('AzureFunctionActivity').output.base64url_value}" }
    • Authentication: System-assigned managed identity
    • Headers: Content-Type: application/json

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

    1 person found this answer helpful.
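
The length mismatch behind the `BadParameter` error, and the value Key Vault accepts, reproduced offline as an added example (not part of the original question or answer). The token claims are constructed sample data, the helper names are hypothetical, and no request is sent to Key Vault; the last helper assumes the sign response returns the signature as a base64url `value`.

```python
import base64
import hashlib
import json

RS256_DIGEST_LEN = 32  # SHA-256 output size in bytes


def b64url(data: bytes) -> str:
    """base64url without padding, as used by JWT and Key Vault."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_input(header: dict, claims: dict) -> bytes:
    """The ASCII bytes that RS256 signs: b64url(header).b64url(claims)."""
    parts = (json.dumps(p, separators=(",", ":")).encode() for p in (header, claims))
    return ".".join(b64url(p) for p in parts).encode("ascii")


def sign_body_from_hex(hex_digest: str) -> dict:
    """Build the Key Vault sign body from a hex digest, checking length first."""
    raw = bytes.fromhex(hex_digest)  # ValueError on non-hex input
    if len(raw) != RS256_DIGEST_LEN:
        raise ValueError(f"RS256 needs {RS256_DIGEST_LEN} digest bytes, got {len(raw)}")
    return {"alg": "RS256", "value": b64url(raw)}


def assemble_jwt(unsigned: bytes, kv_signature_value: str) -> str:
    """Append the base64url 'value' from the sign response to the signing input."""
    return unsigned.decode("ascii") + "." + kv_signature_value


# Constructed sample token contents (not from the original post).
unsigned = signing_input({"alg": "RS256", "typ": "JWT"},
                         {"sub": "synapse-pipeline", "iat": 1737374636})
hex_digest = hashlib.sha256(unsigned).hexdigest()  # 64 hex characters

# What the pipeline sent: the 64 hex characters treated as UTF-8 text.
wrong_value = b64url(hex_digest.encode("utf-8"))
# What Key Vault expects: the 32 raw digest bytes, base64url encoded.
body = sign_body_from_hex(hex_digest)

if __name__ == "__main__":
    print(len(b64url_decode(wrong_value)), "bytes when hex is sent as text")
    print(len(b64url_decode(body["value"])), "bytes when hex is decoded first")
    print(json.dumps(body))
```
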