data factory managed identity is not being identified as a trusted service by keyvault

Reyes Monsalve, Ruben Dario 31 Reputation points
2024-07-23T21:23:39.3533333+00:00

We have an issue with an ADF pipeline: when attempting to reach a secret from a KV in the same RG, the connection fails with the following error:

"Client address is not authorized, and caller is not a trusted service"

The setup is made following Microsoft documentation:

https://learn.microsoft.com/en-us/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities

The linked services created in the ADF that use secrets work just fine.

The same pipeline works in a different service name (RG and subscription), with the same FW setup and similar access to Key Vault, meaning that the ADF managed identity is set up in the same way that is indicated in the link above.

If the FW on the Key Vault is disabled, it works just fine.

Any ideas? Could you help us with it?


4 answers

Sort by: Most helpful
  1. Reyes Monsalve, Ruben Dario 31 Reputation points
    2024-09-10T15:38:56.44+00:00

    Hi team,

    The issue was solved. The problem occurred due to a security patch included in all newly created ADFs starting in March; this prevents the connection described. The following is MS's description of it:

    We have applied a security update that affects Azure Data Factory and Web Activity. You are impacted because you are using Azure Data Factory’s or Azure Synapse Analytics's self-hosted integration runtime (SHIR), Azure-SSIS Integration Runtime (Azure-SSIS IR), Rest linked service or Web activity to access Azure Storage account * or Azure Key Vault with a managed identity and firewall exception for trusted service. We have made security changes to improve the product, and this impacts some scenarios as described below.

    Impacted Scenarios:

    1 person found this answer helpful.

  2. Pinaki Ghatak 4,840 Reputation points Microsoft Employee
    2024-07-24T08:52:17.5533333+00:00

    Hello @Reyes Monsalve, Ruben Dario

    It seems like the issue is related to the firewall settings of the Key Vault.

    The error message "Client address is not authorized, and caller is not a trusted service" indicates that the request is being blocked by the Key Vault firewall.

    To resolve this issue, you need to add the IP address of the Azure Data Factory to the Key Vault firewall. You can do this by following these steps:

    1. Go to the Azure portal and navigate to the Key Vault that you are using.
    2. Click on the "Firewalls and virtual networks" tab.
    3. Under the "Allow access from" section, select "Selected networks".
    4. Click on the "Add existing virtual network" button and select the virtual network that your Azure Data Factory is using.
    5. Click on the "Add IP address" button and add the IP address of the Azure Data Factory.

    Once you have added the IP address of the Azure Data Factory to the Key Vault firewall, the pipeline should be able to access the secrets without any issues.

    If you are still facing issues, you can try disabling the firewall temporarily to see if the pipeline is able to access the secrets. If it works, then you can re-enable the firewall and add the necessary IP addresses to the firewall rules.

    I hope this helps! Let me know if you have any further questions.


    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.


  3. Marilee Turscak-MSFT 36,906 Reputation points Microsoft Employee
    2024-08-01T19:02:41.54+00:00

    Hi @Reyes Monsalve, Ruben Dario ,

    You mention that the access works if you disable the firewall, so this indicates that the Microsoft service needs to be allowed in the network. If you have disabled public access, you still need to leave "Allow trusted Microsoft services to bypass this firewall" on, and allow the Microsoft services you mention to have access. Or you can create a private endpoint, and add the Key Vault to your private virtual network.

    You also need to grant permission to the service you use to access the Key Vault (with the managed identity).
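The two answers above (the IP/VNet rules in answer 2 and the trusted-services bypass in answer 3) describe the order in which the Key Vault firewall admits a caller. The following is an added example, not code from the thread or from Microsoft, that models that decision over constructed scenarios matching this question; the `trusted_service` flag on each caller is an assumed input (the accepted answer reports that the Web activity path lost that status after the security update, while linked services kept working), and all IPs and subnet IDs are made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ipaddress

# Error text the vault returns when neither a network rule nor the
# trusted-service bypass admits the caller (quoted from the question).
FIREWALL_ERROR = "Client address is not authorized, and caller is not a trusted service"


@dataclass
class NetworkAcls:
    """Key Vault 'Firewalls and virtual networks' settings (constructed)."""
    default_action: str = "Deny"          # "Allow" = public access from all networks
    bypass: str = "AzureServices"         # "AzureServices" or "None"
    ip_rules: List[str] = field(default_factory=list)    # CIDR strings
    vnet_rules: List[str] = field(default_factory=list)  # subnet resource IDs


@dataclass
class Caller:
    ip: str                          # source address seen by the vault
    subnet_id: Optional[str] = None  # set when the call comes via a VNet service endpoint
    trusted_service: bool = False    # assumed input: is this call path on the trusted list?


def firewall_decision(acls: NetworkAcls, caller: Caller) -> Tuple[bool, str]:
    """Order of checks follows the documented Key Vault firewall behaviour."""
    if acls.default_action.lower() == "allow":
        return True, "public network access from all networks"
    addr = ipaddress.ip_address(caller.ip)
    for cidr in acls.ip_rules:                     # answer 2: explicit IP rules
        if addr in ipaddress.ip_network(cidr, strict=False):
            return True, f"client address matched IP rule {cidr}"
    if caller.subnet_id and caller.subnet_id in acls.vnet_rules:   # answer 2: VNet rules
        return True, "client subnet matched a virtual network rule"
    if acls.bypass.lower() == "azureservices" and caller.trusted_service:  # answer 3
        return True, "trusted Microsoft service bypassed the firewall"
    return False, FIREWALL_ERROR


# Constructed scenarios: one vault, three call paths from the same factory.
VAULT = NetworkAcls(ip_rules=["20.0.0.0/24"], vnet_rules=["subnet-id-shir"])
WEB_ACTIVITY_PUBLIC_IR = Caller(ip="40.1.2.3", trusted_service=False)  # after the update
LINKED_SERVICE = Caller(ip="40.1.2.3", trusted_service=True)           # still trusted
SHIR_IN_ALLOWED_SUBNET = Caller(ip="10.0.0.5", subnet_id="subnet-id-shir")

if __name__ == "__main__":
    for name, c in [("web activity (public IR)", WEB_ACTIVITY_PUBLIC_IR),
                    ("linked service", LINKED_SERVICE), ("SHIR in subnet", SHIR_IN_ALLOWED_SUBNET)]:
        ok, why = firewall_decision(VAULT, c)
        print(f"{name:26s} -> {'ALLOWED' if ok else 'DENIED '} ({why})")
```

Passing the firewall is only the first gate: the managed identity still needs a role assignment or access policy on the vault, which is a separate authorization check this model does not cover.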


  4. Darren Collard 0 Reputation points
    2024-09-10T15:23:10.2033333+00:00

    Hi @Reyes Monsalve, Ruben Dario,

    Are you using a Public AutoResolveIntegrationRuntime under Settings / Advanced in the Web activity? Try changing to use either a Self Hosted IR, or Azure IR in a Managed Virtual Network which should be trusted.

