Partilhar via


Azure Key Vault

Azure Key Vault is a service to securely store and access secrets.

This connector is available in the following products and regions:

Service Class Regions
Logic Apps Standard All Logic Apps regions
Power Automate Premium All Power Automate regions
Power Apps Premium All Power Apps regions
Connector Metadata
Publisher Microsoft
Website https://azure.microsoft.com/services/key-vault/

Known issues and limitations

  1. The actions to get secrets and to get keys return maximum 25 items.

Known limitations with Microsoft Entra ID authentication

Due to current authentication pipeline limitations, Microsoft Entra ID guest users aren't supported for Microsoft Entra ID connections to Azure Key Vault. To resolve this problem, use Service principal authentication instead.

Creating a connection

The connector supports the following authentication types:

Bring your own application Sign in with your own Azure Active Directory registerted application. Integration service environments (ISE) only Not shareable
Client Certificate Auth Provide Microsoft Entra ID credentials using PFX certificate and password All regions Shareable
Default Azure AD application for OAuth Sign in with the default Azure Active Directory application. Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only Not shareable
Default Microsoft Entra ID application for OAuth Sign in with the default Microsoft Entra ID application. All regions except Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) Not shareable
Service principal authentication Use your Microsoft Entra ID application for service principal authentication. All regions except Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) Not shareable
Service principal authentication Use your Azure Active Directory application for service principal authentication. Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only Not shareable
Default [DEPRECATED] This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility. All regions Not shareable

Bring your own application

Auth ID: oauthBYOA

Applicable: Integration service environments (ISE) only

Sign in with your own Azure Active Directory registerted application.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Vault name string The name for the key vault. True
Tenant ID string The tenant ID for your Azure Active Directory application. True
Client ID string The client or application ID for your Azure Active Directory application. True
Client secret securestring The client secret for your Azure Active Directory application. True

Client Certificate Auth

Auth ID: CertOauth

Applicable: All regions

Provide Microsoft Entra ID credentials using PFX certificate and password

This is shareable connection. If the power app is shared with another user, connection is shared as well. For more information, please see the Connectors overview for canvas apps - Power Apps | Microsoft Docs

Name Type Description Required
Vault name string The name for the key vault. True
Client ID string The client ID of for the Microsoft Entra ID application
Tenant string True
Client certificate secret clientCertificate The client certificate secret allowed by this application True

Default Azure AD application for OAuth

Auth ID: oauthDefault

Applicable: Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only

Sign in with the default Azure Active Directory application.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Tenant ID string The tenant ID for your Azure Active Directory application.
Key vault name string Name for the key vault. True

Default Microsoft Entra ID application for OAuth

Auth ID: oauthDefault

Applicable: All regions except Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High)

Sign in with the default Microsoft Entra ID application.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Key vault name string Name for the key vault. True

Service principal authentication

Auth ID: oauthServicePrincipal

Applicable: All regions except Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High)

Use your Microsoft Entra ID application for service principal authentication.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Client ID string True
Client secret securestring True
Tenant ID string True
Key vault name string True

Service principal authentication

Auth ID: oauthServicePrincipal

Applicable: Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only

Use your Azure Active Directory application for service principal authentication.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Client ID string True
Client secret securestring True
Tenant ID string True
Key vault name string True

Default [DEPRECATED]

Applicable: All regions

This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
Key Vault name string The name for the key vault. True

Throttling Limits

Name Calls Renewal Period
API calls per connection 2000 60 seconds

Actions

Decrypt data with key

Decrypt data using the latest version of a key. Output of this operation is typically classified as secret and can be visible in the run history.

Decrypt data with key version

Decrypt data using a specific version of a key. Output of this operation is typically classified as secret and can be visible in the run history.

Encrypt data with key

Encrypt data using the latest version of a key.

Encrypt data with key version

Encrypt data using a specific version of a key.

Get key metadata

Gets metadata of a key.

Get key version metadata

Gets metadata of a version of a key.

Get secret

Gets a secret. Output of this operation is typically classified as secret and can be visible in the run history.

Get secret metadata

Gets metadata of a secret.

Get secret version

Gets a version of a secret. Output of this operation is typically classified as secret and can be visible in the run history.

Get secret version metadata

Gets metadata of a version of a secret.

List key versions

List versions of a key.

List keys

List keys.

List secret versions

List versions of a secret.

List secrets

List secrets.

Decrypt data with key

Decrypt data using the latest version of a key. Output of this operation is typically classified as secret and can be visible in the run history.

Parameters

Name Key Required Type Description
Name of the key
keyName True string

Name of the key.

Algorithm
algorithm True string

Algorithm to use for decrypting the data

Encrypted data
encryptedData True string

Data to decrypt

Returns

Result of decryption operation

Decrypt data with key version

Decrypt data using a specific version of a key. Output of this operation is typically classified as secret and can be visible in the run history.

Parameters

Name Key Required Type Description
Name of the key
keyName True string

Name of the key.

Version of the key
keyVersion True string

Version of the key.

Algorithm
algorithm True string

Algorithm to use for decrypting the data

Encrypted data
encryptedData True string

Data to decrypt

Returns

Result of decryption operation

Encrypt data with key

Encrypt data using the latest version of a key.

Parameters

Name Key Required Type Description
Name of the key
keyName True string

Name of the key.

Algorithm
algorithm True string

Algorithm to use for encrypting the data

Raw data
rawData True string

Data to encrypt

Returns

Result of encryption operation

Encrypt data with key version

Encrypt data using a specific version of a key.

Parameters

Name Key Required Type Description
Name of the key
keyName True string

Name of the key.

Version of the key
keyVersion True string

Version of the key.

Algorithm
algorithm True string

Algorithm to use for encrypting the data

Raw data
rawData True string

Data to encrypt

Returns

Result of encryption operation

Get key metadata

Gets metadata of a key.

Parameters

Name Key Required Type Description
Name of the key
keyName True string

Name of the key.

Returns

Metadata of a key

Get key version metadata

Gets metadata of a version of a key.

Parameters

Name Key Required Type Description
Name of the key
keyName True string

Name of the key.

Version of the key
keyVersion True string

Version of the key.

Returns

Metadata of a key

Get secret

Gets a secret. Output of this operation is typically classified as secret and can be visible in the run history.

Parameters

Name Key Required Type Description
Name of the secret
secretName True string

Name of the secret.

Returns

The secret

Body
Secret

Get secret metadata

Gets metadata of a secret.

Parameters

Name Key Required Type Description
Name of the secret
secretName True string

Name of the secret.

Returns

Metadata of a secret

Get secret version

Gets a version of a secret. Output of this operation is typically classified as secret and can be visible in the run history.

Parameters

Name Key Required Type Description
Name of the secret
secretName True string

Name of the secret.

Version of the secret
secretVersion True string

Version of the secret.

Returns

The secret

Body
Secret

Get secret version metadata

Gets metadata of a version of a secret.

Parameters

Name Key Required Type Description
Name of the secret
secretName True string

Name of the secret.

Version of the secret
secretVersion True string

Version of the secret.

Returns

Metadata of a secret

List key versions

List versions of a key.

Parameters

Name Key Required Type Description
Name of the key
keyName True string

Name of the key.

Returns

Collection of keys

List keys

List keys.

Returns

Collection of keys

List secret versions

List versions of a secret.

Parameters

Name Key Required Type Description
Name of the secret
secretName True string

Name of the secret.

Returns

Collection of secrets

List secrets

List secrets.

Returns

Collection of secrets

Definitions

KeyMetadataCollection

Collection of keys

Name Path Type Description
value
value array of KeyMetadata

The keys

continuationToken
continuationToken string

Continuation token

KeyMetadata

Metadata of a key

Name Path Type Description
name
name string

Name of the key

version
version string

Version of the key

isEnabled
isEnabled boolean

A flag indicating whether the key is enabled

createdTime
createdTime date-time

Time when the key was created

lastUpdatedTime
lastUpdatedTime date-time

Time when the key was last updated

validityStartTime
validityStartTime date-time

Time when the key validity starts.

validityEndTime
validityEndTime date-time

Time when the key validity ends.

allowedOperations
allowedOperations array of string

Operations allowed using the key

keyType
keyType string

Type of the key

KeyEncryptOutput

Result of encryption operation

Name Path Type Description
encryptedData
encryptedData string

Encrypted data

KeyDecryptOutput

Result of decryption operation

Name Path Type Description
rawData
rawData string

Raw data

SecretMetadataCollection

Collection of secrets

Name Path Type Description
value
value array of SecretMetadata

The secrets

continuationToken
continuationToken string

Continuation token

SecretMetadata

Metadata of a secret

Name Path Type Description
name
name string

Name of the secret

version
version string

Version of the secret

contentType
contentType string

Content type of the secret

isEnabled
isEnabled boolean

A flag indicating whether the secret is enabled

createdTime
createdTime date-time

Time when the secret was created

lastUpdatedTime
lastUpdatedTime date-time

Time when the secret was last updated

validityStartTime
validityStartTime date-time

Time when the secret validity starts.

validityEndTime
validityEndTime date-time

Time when the secret validity ends.

Secret

The secret

Name Path Type Description
value
value string

Value of the secret

name
name string

Name of the secret

version
version string

Version of the secret

contentType
contentType string

Content type of the secret

isEnabled
isEnabled boolean

A flag indicating whether the secret is enabled

createdTime
createdTime date-time

Time when the secret was created

lastUpdatedTime
lastUpdatedTime date-time

Time when the secret was last updated

validityStartTime
validityStartTime date-time

Time when the secret validity starts.

validityEndTime
validityEndTime date-time

Time when the secret validity ends.