Using getSecret() to retrieve a secret value from KeyVault in Gov cloud

natalie 6 Microsoft Employee

For public cloud we are using getSecret(akvName: String, secret: String, linkedService: String) to get a secret from keyvault. However, as we are setting up our government cloud, the host this uses is the public cloud<keyvault>.vault.azure.net instead of using the government cloud of .us . How can I get the secret in government cloud for a government cloud keyvault. I verfied that the Linked Service base url was government cloud as well.

natalie 6 Reputation points Microsoft Employee

2023-01-26T01:12:26.2066667+00:00

Thanks for the reply. We are aware of the hostname for keyvaults in government cloud.
However, in Government cloud Token Library GetSecret() fails because it tries to connect to the public cloud keyvault host instead of the government cloud.
Error: “No host available ….. .vault.azure.net..”
Our linked service has the correct government cloud host name, it seems the host name from the method defaults to public cloud. How can the government host be specified in the call, so that it doesn't default to the public one:

import com.microsoft.azure.synapse.tokenlibrary.TokenLibrary val connectionString: String = TokenLibrary.GetSecret("<AZURE KEY VAULT NAME>", "<SECRET KEY>", "<LINKED SERVICE NAME>") println(connectionString)

[https://learn.microsoft.com/en-us/azure/synapse-analytics/spark/apache-spark-secure-credentials-with-tokenlibrary?pivots=programming-language-scala#getsecret

2 answers

BhargavaGunnam-MSFT 26,136 Reputation points Microsoft Employee

2023-01-25T20:39:34.04+00:00

Hello @natalie,

Welcome to the MS Q&A platform.

The hostname for Key Vault in Azure Government Cloud is vault.usgovcloudapi.net

This is documented here: https://learn.microsoft.com/en-us/azure/azure-government/compare-azure-government-global-azure

I hope this helps.

If this answers your question, please consider accepting the answer by hitting the Accept answer and up-vote as it helps the community.
Please sign in to rate this answer.

1 person found this answer helpful.
natalie 6 Reputation points Microsoft Employee

2023-01-26T01:08:55.4166667+00:00

Thanks for your reply. We are aware of the key vault host for government cloud and our Linked service has it. However, in Government cloud the TokenLibrary GetSecret() fails because it tries to connect to the public cloud keyvault host instead of the government cloud. It seems like the host is hardcoded for the keyvault in this call.

Error: “No host available ….. .vault.azure.net..”

Secure access credentials with Linked Services in Apache Spark for Azure Synapse Analytics - Azure Synapse Analytics | Microsoft Learn

What is the way to get a secret out of a keyvault using LinkedServices in Synapse for Government cloud?
Sign in to comment
natalie 6 Reputation points Microsoft Employee

2023-01-26T19:13:29.4266667+00:00
GetSecret() defaults to using the public host for the keyvault therefore you'll need to pass in the full domain for the vault name for the respective env.
Gov cloud:

vault.usgovcloudapi.net

i.e.

import com.microsoft.azure.synapse.tokenlibrary.TokenLibrary

val connectionString: String = TokenLibrary.getSecret("<yourKVName>.vault.usgovcloudapi.net", "<yourSecretName>", "<YourLinkedService>")
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment