How to access the secret of a private Azure Key Vault if you're using a SHIR in a linked service?

Sarath HARIDAS 0 Reputation points
2024-12-12T10:04:00.31+00:00

Hello,

I have a Key Vault with public access disabled. It has secrets that need to be taken. In ADF, I have created a linked service for this Key Vault so that it can be used to extract the secrets (credentials) inside other linked services. I have also created managed private endpoints for the ADF to access the Key Vault, as it's private. In a normal scenario (e.g. linked services of Azure SQL DB using the Azure integration runtime), this works fine and I'm able to access the secrets from this private Key Vault. But for the self-hosted integration runtime, I'm having trouble accessing these secrets. If the Key Vault is made public, then I'm able to access the secrets. How can I work around this situation?

PS: Also, this was working fine earlier and suddenly stopped working one fine day.


2 answers

  1. AnnuKumari-MSFT 33,976 Reputation points Microsoft Employee
    2024-12-16T10:34:44.59+00:00

    Hi @Sarath HARIDAS,

    Welcome to Microsoft Q&A platform and thanks for posting your query here.

    It sounds like you're experiencing an issue with accessing secrets from a private Azure Key Vault using a self-hosted integration runtime (SHIR) in Azure Data Factory.

    Kindly try to whitelist the access (URL) to the Key Vault in your proxy.

    According to the documentation (create-self-hosted-integration-runtime):

    "Tasks might fail in a self-hosted integration runtime that you installed on a Windows server for which FIPS-compliant encryption is enabled. To work around this problem, you have two options: store credentials/secret values in an Azure Key Vault or disable FIPS-compliant encryption on the server. To disable FIPS-compliant encryption, change the following registry subkey's value from 1 (enabled) to 0 (disabled): HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled. If you use the self-hosted integration runtime as a proxy for SSIS integration runtime, FIPS-compliant encryption can be enabled and will be used when moving data from on premises to Azure Blob Storage as a staging area."


    Hope it helps. Kindly accept the answer by clicking on the Accept answer button. Thank you.


  2. Pinaki Ghatak 5,310 Reputation points Microsoft Employee
    2024-12-16T11:42:33.3766667+00:00

    Hello @Sarath Haridas,

    To access the secrets of a private Azure Key Vault using a self-hosted integration runtime (SHIR) in a linked service, you need to configure the access to the Azure Key Vault appropriately.

    First, you need to create a managed private endpoint for the Azure Key Vault and associate it with the SHIR. Then, you need to set the access policy for the Azure Key Vault to allow the SHIR to access the secrets.

    To set the access policy for the Azure Key Vault, you can use Azure PowerShell or Azure CLI. Here are the steps to set the access policy using Azure PowerShell:

    1. Open Azure PowerShell and connect to your Azure account.
    2. Run the following command to set the access policy for the Azure Key Vault:

        # Placeholder values; replace them with your own vault, identity and resource group
        $keyVaultName = 'MySecureVault'
        $aadClientID  = 'MyAadAppClientID'
        $KVRGname     = 'MyKeyVaultResourceGroup'
        # Grant the identity Get on secrets (and WrapKey on keys) for this vault
        Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Get' -ResourceGroupName $KVRGname

    Replace MySecureVault with the name of your Azure Key Vault, MyAadAppClientID with the client ID of the SHIR, and MyKeyVaultResourceGroup with the name of the resource group that contains the Azure Key Vault.

    After setting the access policy, you should be able to access the secrets from the private Azure Key Vault using the SHIR in the linked service.

    If you are still having trouble accessing the secrets, you can check the following:

    • Make sure that the SHIR is associated with the managed private endpoint for the Azure Key Vault.
    • Make sure that the access policy for the Azure Key Vault is set correctly to allow the SHIR to access the secrets.
    • Check if there are any network or firewall issues that might be blocking the access to the Azure Key Vault.

    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.

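Added diagnostic, not part of the thread or of any Microsoft documentation, to run on the SHIR host when the checklist above is exhausted: it shows whether the vault name resolves to a private-endpoint address or a public one, whether TCP 443 is reachable, what the vault firewall's default action is, and whether one secret can be read. It assumes the Az.KeyVault module, an existing Connect-AzAccount session on the host, and the placeholder names $VaultName and $SecretName.

```powershell
# Added diagnostic (not from the thread). Run on the SHIR host.
# VaultName and SecretName are placeholders; replace with your own.
param(
    [string]$VaultName  = 'MySecureVault',
    [string]$SecretName = 'MySecret'
)
$fqdn = "$VaultName.vault.azure.net"

function Test-PrivateIPv4 {
    # RFC 1918 ranges: a private endpoint NIC always sits in one of these.
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

# 1. DNS: with a working private endpoint, $fqdn is a CNAME to
#    <vault>.privatelink.vaultcore.azure.net and ends in a private IP.
#    A public address here means this host is not using the endpoint at all.
$records = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'A' }
foreach ($r in $records) {
    $kind = if (Test-PrivateIPv4 $r.IPAddress) { 'private endpoint' } else { 'PUBLIC address' }
    Write-Host ("{0} -> {1} ({2})" -f $fqdn, $r.IPAddress, $kind)
}

# 2. Transport: Key Vault is HTTPS on 443; a proxy or NSG block shows up
#    here, before any authentication or access-policy error.
$tcp = Test-NetConnection -ComputerName $fqdn -Port 443
Write-Host ("TCP 443 reachable: {0}" -f $tcp.TcpTestSucceeded)

# 3. Vault firewall: DefaultAction 'Deny' combined with a public resolution
#    in step 1 means the request arrives on the public endpoint and is refused.
$kv = Get-AzKeyVault -VaultName $VaultName
Write-Host ("Firewall default action: {0}; bypass: {1}" -f
    $kv.NetworkAcls.DefaultAction, $kv.NetworkAcls.Bypass)

# 4. Data plane: read one secret as the signed-in identity. A 403 mentioning
#    ForbiddenByFirewall is a network problem; one mentioning AccessDenied is
#    a missing access policy or role assignment.
try {
    $null = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop
    Write-Host 'Secret read succeeded'
} catch {
    Write-Host ("Secret read failed: {0}" -f $_.Exception.Message)
}
```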
