How to access Azure Key Vault from on prem ETL pipeline?

Question

Hello,

I have an on prem VM with Windows Server 2022 that is joined to a local on prem AD domain.

I have a Key Vault in Azure with secrets.

Human users are hybrid and can authenticate to both on prem and Azure AD with their main corporate identities.

I need to some pipelines for ETL and DS prediction that run as a local machine account (not in any AD) or using the local machine identity.

How can the local on prem pipeline retrieve secrets from the Azure KeyVault?

Some of my ideas include: register the local machine in Azure AD? Import an Azure SPN into the local machine or into the local AD DS domain?

Answer 1

Hi @Jaroslav Urban

Thank you for posting this in Microsoft Q&A.

To allow your on-premises Windows Server 2022 VM to retrieve secrets from an Azure Key Vault using a local machine identity, you can utilize Azure's Managed Identities feature.

1. Create an Azure AD application and service principal in your Azure AD tenant. This will allow the VM to authenticate to Azure AD and access the Key Vault.
2. Grant the service principal access to the Key Vault. You can do this by adding an access policy to the Key Vault that grants the service principal the appropriate permissions (e.g., get, list, set, etc.) for the secrets it needs to access.
3. Install the Azure CLI on the on-premises VM and sign in with the service principal credentials. This will allow the VM to authenticate to Azure AD and access the Key Vault using the service principal.
4. Use the Azure CLI to retrieve the secrets from the Key Vault. You can use the az keyvault secret show command to retrieve a secret from the Key Vault.

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya