I have rest API in which I need to give api key. Is it possible to pass api key through azure key vault instead of using base url directly in linked service?

Question

I have rest API in which I need to give api key. Is it possible to pass api key through azure key vault instead of using base url directly in linked service?

Bharati Gorakshanath Shinde 0

If possible please explain..

Akshay-MSFT 17,951 Microsoft Employee Moderator

Thank you for posting your query on Microsoft Q&A, from above description I could understand that you have an rest API defined in which want to call "keys" for another API from KeyVault instead of calling the API.

Please do correct if this not the case, by responding in the comments with more description on the background.

If my understanding is correct the you could try using GET-KEY function. The get key operation is applicable to all key types. If the requested key is symmetric, then no key material is released in the response. This operation requires the keys/get permission.

GET {vaultBaseUrl}/keys/{key-name}/{key-version}?api-version=7.4

User's image

Example:

GET https://myvault.vault.azure.net//keys/CreateSoftKeyTest/78deebed173b48e48f55abf87ed4cf71?api-version=7.4

{
  "key": {
    "kid": "https://myvault.vault.azure.net/keys/CreateSoftKeyTest/78deebed173b48e48f55abf87ed4cf71",
    "kty": "RSA",
    "key_ops": [
      "encrypt",
      "decrypt",
      "sign",
      "verify",
      "wrapKey",
      "unwrapKey"
    ],
    "n": "2HJAE5fU3Cw2Rt9hEuq-F6XjINKGa-zskfISVqopqUy60GOs2eyhxbWbJBeUXNor_gf-tXtNeuqeBgitLeVa640UDvnEjYTKWjCniTxZRaU7ewY8BfTSk-7KxoDdLsPSpX_MX4rwlAx-_1UGk5t4sQgTbm9T6Fm2oqFd37dsz5-Gj27UP2GTAShfJPFD7MqU_zIgOI0pfqsbNL5xTQVM29K6rX4jSPtylZV3uWJtkoQIQnrIHhk1d0SC0KwlBV3V7R_LVYjiXLyIXsFzSNYgQ68ZjAwt8iL7I8Osa-ehQLM13DVvLASaf7Jnu3sC3CWl3Gyirgded6cfMmswJzY87w",
    "e": "AQAB"
  },
  "attributes": {
    "enabled": true,
    "created": 1493942451,
    "updated": 1493942451,
    "recoveryLevel": "Recoverable+Purgeable"
  },
  "tags": {
    "purpose": "unit test",
    "test name ": "CreateGetDeleteKeyTest"
  }
}

Thanks,

Akshay Kaushik

1 answer

Your answer

Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator

2023-09-07T12:34:29.78+00:00

@Anonymous

Thank you for posting your query on Microsoft Q&A, from above description I could understand that you have an rest API defined in which want to call "keys" for another API from KeyVault instead of calling the API.

Please do correct if this not the case, by responding in the comments with more description on the background.

If my understanding is correct the you could try using GET-KEY function. The get key operation is applicable to all key types. If the requested key is symmetric, then no key material is released in the response. This operation requires the keys/get permission.

GET {vaultBaseUrl}/keys/{key-name}/{key-version}?api-version=7.4

Example:

GET https://myvault.vault.azure.net//keys/CreateSoftKeyTest/78deebed173b48e48f55abf87ed4cf71?api-version=7.4

{ "key": { "kid": "https://myvault.vault.azure.net/keys/CreateSoftKeyTest/78deebed173b48e48f55abf87ed4cf71", "kty": "RSA", "key_ops": [ "encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey" ], "n": "2HJAE5fU3Cw2Rt9hEuq-F6XjINKGa-zskfISVqopqUy60GOs2eyhxbWbJBeUXNor_gf-tXtNeuqeBgitLeVa640UDvnEjYTKWjCniTxZRaU7ewY8BfTSk-7KxoDdLsPSpX_MX4rwlAx-_1UGk5t4sQgTbm9T6Fm2oqFd37dsz5-Gj27UP2GTAShfJPFD7MqU_zIgOI0pfqsbNL5xTQVM29K6rX4jSPtylZV3uWJtkoQIQnrIHhk1d0SC0KwlBV3V7R_LVYjiXLyIXsFzSNYgQ68ZjAwt8iL7I8Osa-ehQLM13DVvLASaf7Jnu3sC3CWl3Gyirgded6cfMmswJzY87w", "e": "AQAB" }, "attributes": { "enabled": true, "created": 1493942451, "updated": 1493942451, "recoveryLevel": "Recoverable+Purgeable" }, "tags": { "purpose": "unit test", "test name ": "CreateGetDeleteKeyTest" } }

Thanks,

Akshay Kaushik

Answer 1

AKV is designed to store and manage sensitive information such as API keys, secrets, and certificates. If you're using ADF you can definitely leverage Azure Key Vault to store your API keys securely.

You can create an Azure Key Vault instance if you don’t have one where you will add to it the API key as a secret.

Then navigate to your AKV instance in the Azure Portal.In the left-hand pane, select “Secrets”.

Click on the "+ Generate/Import" button to add a new secret. The "Value" of the secret will be your API key.

Next, you need to provide Azure Data Factory Access to Azure Key Vault, navigate to the "Access policies" section.

Click on "+ Add Access Policy". And then configure the access policy like below :

    - Under "Secret permissions", select "Get" (and any other permissions you deem necessary).

    - Click on "Select principal" and find your Azure Data Factory's managed identity.

- Click "Add" and then "Save" to apply the policy.

Now you need to Link Azure Key Vault to Azure Data Factory like below :

- In ADF, navigate to the “Author & Monitor” tab.

- Under the “Author” section, select “Linked services”.

- Click the “+ New” button to create a new linked service.

- Choose “Azure Key Vault” as the linked service type.

- Provide the necessary information to connect to AKV (usually the AKV URL). Ensure that you're using the ADF Managed Identity for authentication.

Finally, using the Secret in ADF's Linked Service, you need to do the following :

- Create (or edit) a linked service in ADF that requires the API key.

- Instead of manually typing the API key, use the Azure Key Vault secret reference. It's generally in a format like `@linkedService('YourAKVLinkedServiceName').SecretValue`. This way, ADF will fetch the API key from AKV when needed.

Share via

I have rest API in which I need to give api key. Is it possible to pass api key through azure key vault instead of using base url directly in linked service?

1 answer

Your answer