Self Hosted Integration Runtime - Access Key Vault

Radhika Ganapathi Ndq 6 Reputation points
2020-11-13T16:57:22.947+00:00

Hi,

I am using a setup of Data Factory - Self Hosted Integration Runtime for moving data from on-prem to azure blob storage.

Recently I created an Azure Key Vault service, and gave the managed identity of the Data Factory the necessary access permissions. The linked service connecting to the on-prem sql server via the integration runtime does not work correctly with retrieving the secrets from Azure Key vault. I am pretty sure I have followed the documentation to set it up correctly.

Failed to get the secret from key vault, secretName: onprem, secretVersion: , vaultBaseUrl: https://crskpi-use2-dev-kv-fvrr.vault.azure.net/. The error message is: An error occurred while sending the request.
The remote server returned an error: (403) Forbidden..
Activity ID: 753732ed-9770-4242-9afa-bc560de5fa4d.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,287 questions
Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
10,719 questions
{count} vote

1 answer

Sort by: Most helpful
  1. José Faustino 1 Reputation point
    2020-12-18T19:12:27.22+00:00

    Hello.
    We have faced exactly the same issue, and the solution was to whitelist the access (url) to the keyvault in our proxy.

    In the documentation there is this note: create-self-hosted-integration-runtime

    Tasks might fail in a self-hosted integration runtime that you installed on a Windows server for which FIPS-compliant encryption is enabled. To work around this problem, you have two options: store credentials/secret values in an Azure Key Vault or disable FIPS-compliant encryption on the server. To disable FIPS-compliant encryption, change the following registry subkey's value from 1 (enabled) to 0 (disabled): HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled. If you use the self-hosted integration runtime as a proxy for SSIS integration runtime, FIPS-compliant encryption can be enabled and will be used when moving data from on premises to Azure Blob Storage as a staging area

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.