How to authenticate Azure Storage Account using Key Vault in Azure Data Factory
Open the portal blade for your storage account 🡪 Select Access keys
To copy key values, you must first click Show keys 🡪 Copy the Connection string value for key1
Open key vault 🡪 Secrets 🡪 Generate/Import
Paste the contents of the clipboard into the Value field, then enter a Name for the secret and create.
Grant Access to the Key Vault
Your data factory cannot use the secrets stored in your key vault until you grant it permission to do so. The data factory instance has an associated managed identity – a managed application registered in Azure Active Directory – which was created automatically when you created the data factory. You must grant access to this identity.
key vault and select Access policies
On the Access policies blade, locate and click the + Add Access Policy button
select Get and List from the Secret permissions
Under Select principal, click None selected
This opens the security principal selection blade
At the top of the blade is a search input field. An ADF managed identity service principal has the same name as the ADF instance it represents – enter the name of your data factory to search for the service principal. The search will return one matching item, as shown in the below figure. Click the item to choose it, then click the Select button at the bottom of the blade.
Create a Key Vault ADF Linked Service
Azure Data Factory accesses a key vault in exactly the same way it does other types of external resource: using a linked service. To refer to a key vault from within your data factory, you must create a linked service to represent it.
add a new linked service
then search for and select the Azure Key Vault data store. Click Continue
On the New linked service (Azure Key Vault) blade, provide a Name for the key vault linked service, then select your key vault from the Azure key vault name dropdown
Use the Test connection button to check the linked service configuration, and when successful, click Create
Create a New Storage Account Linked Service
create another new linked service, this time using the Azure Blob Storage data store
Ensure that Authentication method is set to “Account key,” then use the toggle below that field to change the connection type from “Connection string” to “Azure Key Vault.”
Select your key vault linked service from the AKV linked service dropdown, then enter the name of your storage account connection string secret.
Use the Test connection button to check the linked service configuration, and when successful, click Save.
The new linked service obtains credentials from the key vault at runtime, by obtaining the value of your named secret, authorized using the ADF instance’s managed identity
Cheers!
Uma