As per Microsoft's recommendations, the best practice for storing credentials and other sensitive information is to use a Key Vault. However, the UI does not always offer Key Vault as an option. There is a hack you can use to circumvent that limitation and still use a secret to hide this information from prying eyes.
To start with, create a secret in the Key Vault that holds your connection string. For the sake of this example, we will assume we are creating a JIRA connection string to a server hosted on-premises. The URL with the host address would look something like this: https://<myhostname>/jira/rest/api/2/. So that is what we add as our secret.
In ADF, we then set up a default HttpServer linked service. Initially I would simply fill in the URL itself and save the service. This results in a JSON file that looks something like this:
JSON:
{
    "name": "Jira",
    "properties": {
        "annotations": [],
        "type": "HttpServer",
        "typeProperties": {
            "url": "https://<myhostname>/jira/rest/api/2/",
            "enableServerCertificateValidation": true,
            "authenticationType": "Anonymous"
        },
        "connectVia": {
            "referenceName": "dev-ir-<myhostname>",
            "type": "IntegrationRuntimeReference"
        }
    }
}
To replace the hard-coded URL with a value in the Key Vault, use the little code icon next to the service name to open the JSON definition.
Then, after "url": , select the value of the url (including the double quotes and the trailing comma) and replace it with:
JSON:
{
    "type": "AzureKeyVaultSecret",
    "store": {
        "referenceName": "<MyKeyvault>",
        "type": "LinkedServiceReference"
    },
    "secretName": "<name of the secret we created earlier>"
},
So the new JSON would be:
JSON:
{
    "name": "Jira",
    "properties": {
        "annotations": [],
        "type": "HttpServer",
        "typeProperties": {
            "url": {
                "type": "AzureKeyVaultSecret",
                "store": {
                    "referenceName": "<MyKeyvault>",
                    "type": "LinkedServiceReference"
                },
                "secretName": "<name of the secret we created earlier>"
            },
            "enableServerCertificateValidation": true,
            "authenticationType": "Anonymous"
        },
        "connectVia": {
            "referenceName": "dev-ir-<myhostname>",
            "type": "IntegrationRuntimeReference"
        }
    }
}
And Bob is our uncle. I've used the same trick to replace username and password parts of connections, and it works like a charm.
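A check that can be run over exported linked service definitions to confirm the replacement described above was actually made: it flags sensitive typeProperties that are not well-formed AzureKeyVaultSecret references. This is an added example, not code from the original post; the set of sensitive property names, the function names, and the sample host, vault and secret names are assumptions.

```python
import json

# Assumption for this example: which typeProperties count as sensitive.
SENSITIVE_KEYS = {"url", "userName", "password", "connectionString"}

def classify(value):
    """Classify one value: 'keyvault', 'malformed-ref', 'securestring' or 'inline'."""
    if isinstance(value, dict):
        kind = value.get("type")
        if kind == "AzureKeyVaultSecret":
            store = value.get("store")
            ok = (isinstance(store, dict)
                  and store.get("type") == "LinkedServiceReference"
                  and store.get("referenceName")
                  and value.get("secretName"))
            return "keyvault" if ok else "malformed-ref"
        if kind == "SecureString":
            return "securestring"  # value is kept in the factory, not in Key Vault
    return "inline"

def audit_linked_service(text):
    """Return {property: classification} for sensitive properties not backed by Key Vault."""
    props = json.loads(text).get("properties", {}).get("typeProperties", {})
    return {k: classify(v) for k, v in props.items()
            if k in SENSITIVE_KEYS and classify(v) != "keyvault"}

# Constructed samples modelled on the two definitions shown on this page.
BEFORE = """{"name": "Jira", "properties": {"type": "HttpServer", "typeProperties": {
  "url": "https://jira.example.internal/jira/rest/api/2/",
  "enableServerCertificateValidation": true, "authenticationType": "Anonymous"}}}"""
AFTER = """{"name": "Jira", "properties": {"type": "HttpServer", "typeProperties": {
  "url": {"type": "AzureKeyVaultSecret",
          "store": {"referenceName": "MyKeyvault", "type": "LinkedServiceReference"},
          "secretName": "jira-url"},
  "enableServerCertificateValidation": true, "authenticationType": "Anonymous"}}}"""
# Constructed: a reference missing secretName, plus a SecureString password.
BROKEN = """{"name": "Jira", "properties": {"type": "HttpServer", "typeProperties": {
  "url": {"type": "AzureKeyVaultSecret",
          "store": {"referenceName": "MyKeyvault", "type": "LinkedServiceReference"}},
  "userName": "svc-jira", "password": {"type": "SecureString", "value": "x"},
  "authenticationType": "Basic"}}}"""

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER), ("broken", BROKEN)):
        print(label, audit_linked_service(doc))
```

An empty result means every sensitive property present in the definition resolves through Key Vault; anything else names the property still carrying its value in the factory JSON.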