I am trying to leverage Azure Key Vault to secure the password for a service account that moves data from an on-prem SQL Server to Azure Data Lake via Azure Data Factory.

I first created the Linked Service and hard coded the credentials. It works.

However, I want to store the service account secret (i.e. password) within Key Vault, and according to the following post, I added the Azure Key Vault Linked Service and referenced the credentials stored in Key Vault.

Under Advanced within the Linked Service, see image #1, I added the following JSON:

{
    "name": "LinkedService",
    "properties": {
        "type": "SqlServer",
        "typeProperties": {
            "username": "<domain>\\<account name>",
            "password": {
                "type": "AzureKeyVaultSecret",
                "secretName": "<service account name>",
                "store": {
                    "referenceName": "https://<name>.vault.azure.net/",
                    "type": "LinkedServiceReference"
                }
            }
        },
        "connectVia": {
            "referenceName": "IRMYService",
            "type": "IntegrationRuntimeReference"
        }
    }
}

However, when I look at the final JSON within the Linked Service, it doesn't appear correct (refer to the final image below). Why are the username and credentials showing up?

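As an added illustration (not code from the question or either answer), the following hypothetical Python validator applies the rule this thread turns on: a secret field in a linked service should be either a SecureString or an AzureKeyVaultSecret, and an AzureKeyVaultSecret's store must name an AzureKeyVault-type linked service rather than the vault URL (the shape the ADF docs give is store.referenceName = the Key Vault linked service's name). The linked-service names, the vault URL, the secret name and the SECRET_FIELDS list are all constructed for the example.

```python
"""Hypothetical static check of Azure Data Factory linked-service JSON.

Not ADF tooling: it walks typeProperties of a linked service and reports
(a) secret-bearing fields stored as plain strings and (b) AzureKeyVaultSecret
references whose `store` does not name an AzureKeyVault-type linked service.
"""
from typing import Any

# Assumed list of credential-carrying field names; extend for other connectors.
SECRET_FIELDS = {"password", "connectionString", "servicePrincipalKey",
                 "accountKey", "sasToken"}


def _check_secret(path: str, value: Any, services: dict) -> list:
    """Validate one secret field; returns a list of human-readable findings."""
    if isinstance(value, str):
        return [f"{path}: plain string secret; use SecureString or AzureKeyVaultSecret"]
    if not isinstance(value, dict):
        return [f"{path}: unexpected value type {type(value).__name__}"]
    kind = value.get("type")
    if kind == "SecureString":
        return []                      # encrypted at rest by ADF; nothing to cross-check
    if kind != "AzureKeyVaultSecret":
        return [f"{path}: unknown secret type {kind!r}"]
    findings = []
    if not value.get("secretName"):
        findings.append(f"{path}: AzureKeyVaultSecret without secretName")
    store = value.get("store") or {}
    ref = store.get("referenceName")
    if store.get("type") != "LinkedServiceReference":
        findings.append(f"{path}.store: type must be LinkedServiceReference")
    if not ref:
        findings.append(f"{path}.store: missing referenceName")
    elif ref.startswith("https://"):
        findings.append(f"{path}.store: referenceName is a URL; it must be the "
                        "name of the Key Vault linked service")
    elif ref not in services:
        findings.append(f"{path}.store: no linked service named {ref!r}")
    elif services[ref].get("properties", {}).get("type") != "AzureKeyVault":
        findings.append(f"{path}.store: {ref!r} is not an AzureKeyVault linked service")
    return findings


def check_linked_service(ls: dict, services: dict) -> list:
    """Return findings for one linked service; an empty list means it passed."""
    type_props = ls.get("properties", {}).get("typeProperties", {})
    findings = []
    for field, value in type_props.items():
        if field in SECRET_FIELDS:
            findings.extend(_check_secret(f"{ls['name']}.typeProperties.{field}",
                                          value, services))
    return findings


# --- constructed sample definitions (names and values are made up) ---
AKV_LS = {
    "name": "AzureKeyVaultLinkedService",
    "properties": {"type": "AzureKeyVault",
                   "typeProperties": {"baseUrl": "https://contoso-kv.vault.azure.net/"}},
}


def sql_linked_service(password_value) -> dict:
    """Build a SqlServer linked service around the given password representation."""
    return {
        "name": "SqlServerLinkedService",
        "properties": {
            "type": "SqlServer",
            "typeProperties": {
                "connectionString": {"type": "SecureString",
                                     "value": "<connection string placeholder>"},
                "userName": "CONTOSO\\svc-adf",       # not a secret, so not checked
                "password": password_value,
            },
            "connectVia": {"referenceName": "IRMYService",
                           "type": "IntegrationRuntimeReference"},
        },
    }


# Correct shape: store.referenceName is the *name* of the Key Vault linked service.
GOOD_PASSWORD = {"type": "AzureKeyVaultSecret", "secretName": "svc-adf-password",
                 "store": {"referenceName": "AzureKeyVaultLinkedService",
                           "type": "LinkedServiceReference"}}
# Shape from the question: the vault URL was used where a linked-service name belongs.
URL_STORE_PASSWORD = {"type": "AzureKeyVaultSecret", "secretName": "svc-adf-password",
                      "store": {"referenceName": "https://contoso-kv.vault.azure.net/",
                                "type": "LinkedServiceReference"}}
PLAINTEXT_PASSWORD = "not-a-real-password"   # constructed plaintext value

SERVICES = {AKV_LS["name"]: AKV_LS}


def run_checks() -> dict:
    """Run the validator over the three variants; returns name -> findings."""
    return {
        "good": check_linked_service(sql_linked_service(GOOD_PASSWORD), SERVICES),
        "url_store": check_linked_service(sql_linked_service(URL_STORE_PASSWORD), SERVICES),
        "plaintext": check_linked_service(sql_linked_service(PLAINTEXT_PASSWORD), SERVICES),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "->", findings or "ok")
```

Running it flags only the two defective variants: the vault URL in store.referenceName (the mistake visible in the question's JSON) and the plaintext password; the variant that names the Key Vault linked service passes. The same walk can be run over exported factory JSON before deployment to catch credentials that were pasted in as plain strings.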

2 Answers

You probably have missed the part below from that same link:

Currently, Dynamics connector, Salesforce connector and a few newly enabled connectors support this feature. Expect more coming later. You can check each connector topic for details. For the secret fields which support this feature, you will see a note in the description saying "You can choose to mark this field as a SecureString to store it securely in ADF, or store the password in Azure Key Vault and let the copy activity pull from there when performing data copy - learn more from Store credentials in Key Vault."

As of now Azure Data Lake Store doesn't support Key Vault integration. You can always choose managed service identity (MSI) authentication, which would not expose your service principal information.

The same applies to SQL Server as well - you have to choose SecureString for using the connectionString & password.

This is now supported out of the box. The link you provided has also been updated to reflect this:

Currently, all activity types except custom activity support this feature. For connector configuration specifically, check the "linked service properties" section in each connector topic for details.

For more, check the docs for Data Lake Storage Gen 1 and docs for Data Lake Storage Gen2.