Web activity - is there a way not to expose this API-key in a pipeline?

braxx 456 Reputation points
2021-04-07T21:39:42.547+00:00

Hi Folks,

I have a pipeline which first takes a token from a REST call (web activity) and then uses this token to get data from a REST API (copy activity).
To get a token I have to provide an API-key. Is there a way not to expose this API-key in a pipeline? Or maybe build this pipeline another, more secure way? Exposing it to other data factory users gives them the opportunity to catch the token and later access data.


Azure Data Factory

Accepted answer
  1. MartinJaffer-MSFT 26,236 Reputation points
    2021-04-08T18:29:49.777+00:00

    Hello @braxx and welcome to Microsoft Q&A.

    Yes, there is a more secure way to work with your key/password/confidential header.

    There is a parameter type called SecureString. Instead of placing the value directly in the Copy Activity header, place it in a parameter of type SecureString. Then in the Copy Activity header, refer to it. There is a complication, but first let me show you how it's done.

    @pipeline().parameters.secureHeader

    The complication is when using Git Mode you may see an error like below, telling you SecureString cannot have a default value.
    The solution is to leave the value in the pipeline blank, but instead give the value when you make a trigger. The trigger can store and hide the key. The trigger then gives the key to the pipeline parameter, which gives it to the web activity header.


    1 person found this answer helpful.

1 additional answer

  1. braxx 456 Reputation points
    2021-04-22T10:43:04.293+00:00

    Hi Martin,

    Apologies for the late reply.
    That's a very interesting approach. I didn't know about secure string parameters. That basically answers my question. I marked it as the answer, although I finally solved it in a bit different way.

    What I did was place the API-key in Key Vault and create another web activity with MSI authentication to the key vault to get this value.

    Thanks a lot :)

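The Key Vault approach described in the reply above, sketched as pipeline JSON. This is an added example, not part of the original thread: the vault name, secret name, token URL and x-api-key header are placeholders, and it assumes the factory's managed identity is allowed to read secrets in the vault. The secureOutput and secureInput settings keep the key and the returned token out of the activity run details that other factory users can view.

```json
{
  "name": "GetTokenWithKeyVaultSecret",
  "properties": {
    "description": "Added example. <your-vault>, <secret-name>, the token URL and the header name are placeholders, not values from the thread.",
    "activities": [
      {
        "name": "GetApiKey",
        "description": "Reads the API key from Key Vault using the factory's managed identity (MSI).",
        "type": "WebActivity",
        "policy": {
          "secureInput": false,
          "secureOutput": true
        },
        "typeProperties": {
          "url": "https://<your-vault>.vault.azure.net/secrets/<secret-name>?api-version=7.0",
          "method": "GET",
          "authentication": {
            "type": "MSI",
            "resource": "https://vault.azure.net"
          }
        }
      },
      {
        "name": "GetToken",
        "description": "Calls the token endpoint with the key from GetApiKey; input and output are both hidden from run history.",
        "type": "WebActivity",
        "dependsOn": [
          { "activity": "GetApiKey", "dependencyConditions": ["Succeeded"] }
        ],
        "policy": {
          "secureInput": true,
          "secureOutput": true
        },
        "typeProperties": {
          "url": "https://api.example.com/token",
          "method": "POST",
          "headers": {
            "x-api-key": {
              "value": "@activity('GetApiKey').output.value",
              "type": "Expression"
            }
          },
          "body": "{}"
        }
      }
    ]
  }
}
```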
