Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,313 questions
How to access Azure Key Vault from on prem ETL pipeline?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 52%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJU%3C/text%3E%3C/svg%3E)
Jaroslav Urban
0
Reputation points
Hello,
I have an on prem VM with Windows Server 2022 that is joined to a local on prem AD domain.
I have a Key Vault in Azure with secrets.
Human users are hybrid and can authenticate to both on prem and Azure AD with their main corporate identities.
I need to some pipelines for ETL and DS prediction that run as a local machine account (not in any AD) or using the local machine identity.
How can the local on prem pipeline retrieve secrets from the Azure KeyVault?
Some of my ideas include: register the local machine in Azure AD? Import an Azure SPN into the local machine or into the local AD DS domain?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Navya 12,175 Reputation points Microsoft Vendor2024-11-04T19:51:36.1833333+00:00 Thank you for posting this in Microsoft Q&A.
To allow your on-premises Windows Server 2022 VM to retrieve secrets from an Azure Key Vault using a local machine identity, you can utilize Azure's Managed Identities feature.
- Create an Azure AD application and service principal in your Azure AD tenant. This will allow the VM to authenticate to Azure AD and access the Key Vault.
- Grant the service principal access to the Key Vault. You can do this by adding an access policy to the Key Vault that grants the service principal the appropriate permissions (e.g., get, list, set, etc.) for the secrets it needs to access.
- Install the Azure CLI on the on-premises VM and sign in with the service principal credentials. This will allow the VM to authenticate to Azure AD and access the Key Vault using the service principal.
- Use the Azure CLI to retrieve the secrets from the Key Vault. You can use the
az keyvault secret showcommand to retrieve a secret from the Key Vault.
Hope this helps. Do let us know if you any further queries.
Thanks,
Navya
Sign in to comment
Sign in to answer