Sunday, March 6, 2022

How to authenticate Azure Storage Account using Key Vault in Azure Data Factory


Open the portal blade for your storage account 🡪 Select Access keys

To copy key values, you must first click Show keys 🡪 Copy the Connection string value for key1

Open key vault 🡪 Secrets 🡪 Generate/Import

Paste the contents of the clipboard into the Value field, then enter a Name for the secret and click Create.

Grant Access to the Key Vault

Your data factory cannot use the secrets stored in your key vault until you grant it permission to do so. The data factory instance has an associated managed identity – a managed application registered in Azure Active Directory – which was created automatically when you created the data factory. You must grant access to this identity.

Open your key vault and select Access policies.

On the Access policies blade, locate and click the + Add Access Policy button.

Select Get and List from the Secret permissions list; these are the only secret permissions the data factory needs for this scenario.

Under Select principal, click None selected.

This opens the security principal selection blade.

At the top of the blade is a search input field. An ADF managed identity service principal has the same name as the ADF instance it represents, so enter the name of your data factory to search for the service principal. The search will return one matching item, as shown in the figure below. Click the item to choose it, then click the Select button at the bottom of the blade.

Create a Key Vault ADF Linked Service

Azure Data Factory accesses a key vault in exactly the same way it does other types of external resource: using a linked service. To refer to a key vault from within your data factory, you must create a linked service to represent it.

Add a new linked service, then search for and select the Azure Key Vault data store. Click Continue.

On the New linked service (Azure Key Vault) blade, provide a Name for the key vault linked service, then select your key vault from the Azure key vault name dropdown.

Use the Test connection button to check the linked service configuration, and when successful, click Create.


Create a New Storage Account Linked Service

Create another new linked service, this time using the Azure Blob Storage data store.

Ensure that Authentication method is set to “Account key,” then use the toggle below that field to change the connection type from “Connection string” to “Azure Key Vault.”

Select your key vault linked service from the AKV linked service dropdown, then enter the name of your storage account connection string secret.

Use the Test connection button to check the linked service configuration, and when successful, click Save.

The new linked service obtains credentials from the key vault at runtime by reading the value of your named secret, and that read is authorized using the ADF instance's managed identity rather than any credential stored in the factory itself.
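The same two linked services, as they appear in the data factory's JSON definitions, are shown below as an added example (not from the original post). The first fragment is the pattern this walkthrough replaces, with the account key embedded directly in the Blob Storage linked service; the second is the Key Vault linked service plus a Blob Storage linked service whose `connectionString` is an `AzureKeyVaultSecret` reference. The names `AzureKeyVaultLinkedService`, `AzureBlobStorageLinkedService`, `mykeyvault` and `storage-connection-string` are assumed placeholders.

```json
[
  {
    "_comment": "BEFORE: secret material lives inside the factory definition",
    "name": "AzureBlobStorageLinkedService",
    "properties": {
      "type": "AzureBlobStorage",
      "typeProperties": {
        "connectionString": "DefaultEndpointsProtocol=https;AccountName=<storageAccount>;AccountKey=<PLACEHOLDER-KEY>;EndpointSuffix=core.windows.net"
      }
    }
  },
  {
    "_comment": "AFTER (1/2): linked service pointing at the key vault; ADF authenticates to it with its managed identity",
    "name": "AzureKeyVaultLinkedService",
    "properties": {
      "type": "AzureKeyVault",
      "typeProperties": {
        "baseUrl": "https://mykeyvault.vault.azure.net"
      }
    }
  },
  {
    "_comment": "AFTER (2/2): the connection string is resolved from the named secret at runtime; no key in the factory",
    "name": "AzureBlobStorageLinkedService",
    "properties": {
      "type": "AzureBlobStorage",
      "typeProperties": {
        "connectionString": {
          "type": "AzureKeyVaultSecret",
          "store": {
            "referenceName": "AzureKeyVaultLinkedService",
            "type": "LinkedServiceReference"
          },
          "secretName": "storage-connection-string"
        }
      }
    }
  }
]
```

With the second form, rotating the storage key means updating only the secret in Key Vault; the factory definition itself never changes and never contains the key.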


Cheers!
Uma
