[ODBC] Service principal to DECRYPT 'Always Encrypted Azure SQL DB' using certificate instead of client secret

Gabriel Villayzan 0 Reputation points
2023-03-03T22:41:51.9833333+00:00

Hi Community,

I have an Azure SQL DB with the Always Encrypted feature enabled using an Azure Key Vault key.

I want to consume this from a Power BI report. So I'm using a Data Gateway in the middle, with an ODBC connection and a service principal (client ID/secret) that is able to access the key (from Azure Key Vault). Everything is working fine, but for security constraints I need to change this service principal authentication to certificate.

I want to know if it is possible to change this authentication (that allows the ODBC connection to get to Azure Key Vault and decrypt data) to an Azure service principal with a certificate (and not a client secret).

Thank you in advance for your help.

Azure Key Vault
Azure SQL Database

2 answers

Sort by: Most helpful
  1. Oury Ba-MSFT 20,931 Reputation points Microsoft Employee Moderator
    2023-03-08T17:37:36.6233333+00:00

    @Anonymous

    Using a certificate instead of secrets is not supported.

    Why are you looking to use certificate instead?

    Regards,

    Oury

    0 comments No comments

  2. Oury Ba-MSFT 20,931 Reputation points Microsoft Employee Moderator
    2023-03-08T17:42:41.0633333+00:00

    @Anonymous

    I have updated my comment above.

    Using a certificate instead of a secret is not supported after checking internally.

    The driver supports authenticating to Azure Key Vault using the following credential types:

    • Username/Password - with this method, the credentials are the name of an Azure Active Directory user and its password.
    • Client ID/Secret - with this method, the credentials are an application client ID and an application secret.
    • Managed Identity (17.5.2+) - either system or user-assigned; for more information, see Managed Identities for Azure resources.
    • Azure Key Vault Interactive (17.7+ Windows drivers) - with this method, the credentials are authenticated through Azure Active Directory with Login ID.

    More information can be found on https://learn.microsoft.com/en-us/sql/connect/odbc/using-always-encrypted-with-the-odbc-driver?view=sql-server-ver16#using-the-azure-key-vault-provider.

    Regards,

    Oury
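The four keystore credential types in the answer above map onto the ODBC driver's `KeystoreAuthentication` keyword. The following Python helper is an added example, not code from the thread or from Microsoft; it builds an Always Encrypted connection string for each supported type and rejects anything else (such as a certificate), which is what an administrator would hit when reconfiguring the gateway. The keyword names (`ColumnEncryption`, `KeystoreAuthentication`, `KeystorePrincipalId`, `KeystoreSecret`) and the `KeyVault*` values are taken from the linked driver documentation; the environment variable names are this example's own convention. Managed identity is the one option that needs no stored secret at all, which is why it is the default here.

```python
"""Build a Microsoft ODBC Driver for SQL Server connection string that enables
Always Encrypted with the Azure Key Vault keystore provider.

Only the string is built here, so the script runs offline; connecting requires
pyodbc plus the driver, e.g. pyodbc.connect(build_ae_connection_string(...)).
"""
import os

# KeystoreAuthentication values understood by the driver, keyed by the friendly
# name used in this example (the friendly names are this example's convention).
SUPPORTED_KEYSTORE_AUTH = {
    "password": "KeyVaultPassword",                 # AAD user name + password
    "client_secret": "KeyVaultClientSecret",        # app (service principal) client ID + secret
    "managed_identity": "KeyVaultManagedIdentity",  # system- or user-assigned MI, driver 17.5.2+
    "interactive": "KeyVaultInteractive",           # AAD interactive login, driver 17.7+ (Windows)
}


def build_ae_connection_string(server, database, auth_kind="managed_identity",
                               principal_id=None, secret=None):
    """Return a connection string with column encryption enabled and the AKV
    provider credentials set. Raises ValueError for an unsupported auth_kind
    (for instance 'certificate', which the driver does not offer)."""
    if auth_kind not in SUPPORTED_KEYSTORE_AUTH:
        raise ValueError(
            f"Keystore authentication '{auth_kind}' is not supported by the ODBC driver; "
            f"choose one of {sorted(SUPPORTED_KEYSTORE_AUTH)}")

    # The database login itself (UID/PWD, Authentication=...) is configured
    # separately and deliberately left out of this helper.
    parts = [
        "Driver={ODBC Driver 17 for SQL Server}",
        f"Server={server}",
        f"Database={database}",
        "ColumnEncryption=Enabled",
        f"KeystoreAuthentication={SUPPORTED_KEYSTORE_AUTH[auth_kind]}",
    ]

    if auth_kind in ("password", "client_secret"):
        # Both of these need a principal (user name or client ID) and a secret.
        if not principal_id or not secret:
            raise ValueError(f"'{auth_kind}' requires both principal_id and secret")
        parts.append(f"KeystorePrincipalId={principal_id}")
        parts.append(f"KeystoreSecret={secret}")
    elif principal_id:
        # Managed identity: pass the client ID of a user-assigned identity, omit
        # it for the system-assigned one. Interactive: optional login hint.
        parts.append(f"KeystorePrincipalId={principal_id}")

    return ";".join(parts) + ";"


def connection_string_from_env(server, database):
    """Read the credential material from environment variables (names are this
    example's convention) so the secret never lands in a script or config file."""
    kind = os.environ.get("AKV_AUTH_KIND", "managed_identity")
    return build_ae_connection_string(
        server, database, kind,
        principal_id=os.environ.get("AKV_PRINCIPAL_ID"),
        secret=os.environ.get("AKV_SECRET"),
    )


if __name__ == "__main__":
    # Constructed sample values; no real server or tenant is referenced.
    print(build_ae_connection_string("tcp:example.database.windows.net,1433", "SalesDb"))
    try:
        build_ae_connection_string("tcp:example.database.windows.net,1433", "SalesDb", "certificate")
    except ValueError as exc:
        print("rejected:", exc)
```

When a gateway cannot use a managed identity (it runs on-premises), the remaining secret-free choice on the list is interactive login, which is unsuitable for an unattended gateway; in practice that leaves client ID/secret, so the secret should be rotated and kept in the gateway's credential store rather than in any file this helper reads.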
