So how we can fetch the secrets or keys for Azure Data Factory , logic apps, Azure Synapse and Azure DataBricks if we disable the public access for keyvault.
I found a solution for AppServices and FunctionApps by using outbound IP Addresses and i need a solution for accessing the ADF,synapse,logicapps and databricks if we disable public access for keyvault.
I tried using Service Principal and grant permissions but its not working.
Please help me with the solution.
2
Answers
Even if you disable public access, you can still leave "Allow trusted Microsoft services to bypass this firewall" on, and so allow the MS services you mention to have access.
You can also create a private endpoint, and so add the key vault to your private Vnet.
All of this is related to networking – not being blocked by a firewall. You also need to grant permission to the service you use to access key vault, for example, with service principle or managed identity.
I tried to reproduce the same in my environment to access Azure key Vault with Private Endpoint:
I have created Vnet with required configuration.
Azure Portal > Virtual networks > Create
Create key-vault with private endpoint.
Azure Portal > Key vaults > Create a key vault
once create the Keyvault, check the private endpoint provisioning status, like below.
If you are trying to access the Azure Keyvault from public internet, you will get unauthorized error, like below.
Azure Keyvault is accessible with private network, like below.
For accessing Azure Datafactory using Azure keyvault, Assign service principal.
Keyvault access policy is assigned to ADF managed Identity.
You can add Azure Key vault as a linked service in the Azure Data factory. the managed identity of the ADF that has access to key vault can be used for connecting ADF to Azure Key vault like below.
Azure Key Vault is successfully linked to ADF.
Reference:
Store credentials in Azure Key Vault