Adding keyvault secrets to Linked Services not showing that option in the UI

Peter Schmitz

Administrator
Staff member
As per Microsoft's recommendations, the best practice for storing credentials and other sensitive information is to use a Key Vault. However, the UI does not always offer the Key Vault as an option. And yet, there's a hack that you can use to circumvent that limitation and still use a secret to hide this information from prying eyes.

To start with, obviously create a secret in the Key Vault that holds your connection string. For the sake of this example, we will assume we are creating a JIRA connection string to a server hosted on-prem. The URL with the host address would look something like this: https://<myhostname>/jira/rest/api/2/. So that is what we add as our secret.

In ADF, we then set up a default HttpServer linked service. Initially I would simply fill in the URL itself, and save the service. This results in a JSON file that would look something like this:

JSON:
{
    "name": "Jira",
    "properties": {
        "annotations": [],
        "type": "HttpServer",
        "typeProperties": {
            "url": "https://<myhostname>/jira/rest/api/2/",
            "enableServerCertificateValidation": true,
            "authenticationType": "Anonymous"
        },
        "connectVia": {
            "referenceName": "dev-ir-<myhostname>",
            "type": "IntegrationRuntimeReference"
        }
    }
}

To replace the hard-coded URL with a value in the KeyVault, use the little code icon next to the Service name:



Then, after "url": , select the value of the url (including the double quotes and the trailing comma). Replace that with:

JSON:
{
    "type": "AzureKeyVaultSecret",
    "store": {
        "referenceName": "<MyKeyvault>",
        "type": "LinkedServiceReference"
    },
    "secretName": "<name of the secret we created earlier>"
},

So the new JSON would be:

JSON:
{
    "name": "Jira",
    "properties": {
        "annotations": [],
        "type": "HttpServer",
        "typeProperties": {
            "url": {
                "type": "AzureKeyVaultSecret",
                "store": {
                    "referenceName": "<MyKeyvault>",
                    "type": "LinkedServiceReference"
                },
                "secretName": "<name of the secret we created earlier>"
            },
            "enableServerCertificateValidation": true,
            "authenticationType": "Anonymous"
        },
        "connectVia": {
            "referenceName": "dev-ir-<myhostname>",
            "type": "IntegrationRuntimeReference"
        }
    }
}

And Bob is our uncle. I've used the same trick to replace username and password parts of connections, and it works like a charm.
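The same edit done programmatically, as an added example that is not part of the original post: it swaps any typeProperties value (url, userName, password) for the AzureKeyVaultSecret reference shown above and lists the sensitive values still stored as plain strings, which is a useful check before publishing exported linked service JSON. The secret name "jira-url" and the function names are assumptions.

```python
import copy

# Constructed sample (same shape as the post's definition), URL still hard-coded.
LINKED_SERVICE = {
    "name": "Jira",
    "properties": {
        "annotations": [],
        "type": "HttpServer",
        "typeProperties": {
            "url": "https://<myhostname>/jira/rest/api/2/",
            "enableServerCertificateValidation": True,
            "authenticationType": "Anonymous",
        },
        "connectVia": {"referenceName": "dev-ir-<myhostname>",
                       "type": "IntegrationRuntimeReference"},
    },
}


def key_vault_ref(keyvault_linked_service: str, secret_name: str) -> dict:
    """The AzureKeyVaultSecret object that ADF accepts in place of a literal."""
    return {
        "type": "AzureKeyVaultSecret",
        "store": {"referenceName": keyvault_linked_service,
                  "type": "LinkedServiceReference"},
        "secretName": secret_name,
    }


def move_to_key_vault(linked_service: dict, prop: str,
                      keyvault_linked_service: str, secret_name: str) -> dict:
    """Copy of the definition with typeProperties[prop] swapped for a secret
    reference. Fails loudly if prop is missing or already a reference, so a
    typo does not silently leave the literal in place."""
    result = copy.deepcopy(linked_service)
    type_props = result["properties"]["typeProperties"]
    if prop not in type_props:
        raise KeyError(f"typeProperties has no '{prop}' to replace")
    if isinstance(type_props[prop], dict):
        raise ValueError(f"'{prop}' is already a reference object")
    type_props[prop] = key_vault_ref(keyvault_linked_service, secret_name)
    return result


def literals_remaining(linked_service: dict,
                       sensitive=("url", "userName", "password")) -> list:
    """Sensitive typeProperties still stored as plain strings (pre-publish check)."""
    type_props = linked_service["properties"]["typeProperties"]
    return [k for k in sensitive if isinstance(type_props.get(k), str)]
```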
