Azure Key Vault
Azure Key Vault is a service to securely store and access secrets.
This connector is available in the following products and regions:
Service | Class | Regions |
---|---|---|
Logic Apps | Standard | All Logic Apps regions |
Power Automate | Premium | All Power Automate regions |
Power Apps | Premium | All Power Apps regions |
Connector Metadata | |
---|---|
Publisher | Microsoft |
Website | https://azure.microsoft.com/services/key-vault/ |
- The actions to get secrets and to get keys return maximum 25 items.
Due to current authentication pipeline limitations, Microsoft Entra ID guest users aren't supported for Microsoft Entra ID connections to Azure Key Vault. To resolve this problem, use Service principal authentication instead.
The connector supports the following authentication types:
Bring your own application | Sign in with your own Azure Active Directory registerted application. | Integration service environments (ISE) only | Not shareable |
Client Certificate Auth | Provide Microsoft Entra ID credentials using PFX certificate and password | All regions | Shareable |
Default Azure AD application for OAuth | Sign in with the default Azure Active Directory application. | Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only | Not shareable |
Default Microsoft Entra ID application for OAuth | Sign in with the default Microsoft Entra ID application. | All regions except Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) | Not shareable |
Service principal authentication | Use your Microsoft Entra ID application for service principal authentication. | All regions except Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) | Not shareable |
Service principal authentication | Use your Azure Active Directory application for service principal authentication. | Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only | Not shareable |
Default [DEPRECATED] | This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility. | All regions | Not shareable |
Auth ID: oauthBYOA
Applicable: Integration service environments (ISE) only
Sign in with your own Azure Active Directory registerted application.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
Name | Type | Description | Required |
---|---|---|---|
Vault name | string | The name for the key vault. | True |
Tenant ID | string | The tenant ID for your Azure Active Directory application. | True |
Client ID | string | The client or application ID for your Azure Active Directory application. | True |
Client secret | securestring | The client secret for your Azure Active Directory application. | True |
Auth ID: CertOauth
Applicable: All regions
Provide Microsoft Entra ID credentials using PFX certificate and password
This is shareable connection. If the power app is shared with another user, connection is shared as well. For more information, please see the Connectors overview for canvas apps - Power Apps | Microsoft Docs
Name | Type | Description | Required |
---|---|---|---|
Vault name | string | The name for the key vault. | True |
Client ID | string | The client ID of for the Microsoft Entra ID application | |
Tenant | string | True | |
Client certificate secret | clientCertificate | The client certificate secret allowed by this application | True |
Auth ID: oauthDefault
Applicable: Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only
Sign in with the default Azure Active Directory application.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
Name | Type | Description | Required |
---|---|---|---|
Tenant ID | string | The tenant ID for your Azure Active Directory application. | |
Key vault name | string | Name for the key vault. | True |
Auth ID: oauthDefault
Applicable: All regions except Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High)
Sign in with the default Microsoft Entra ID application.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
Name | Type | Description | Required |
---|---|---|---|
Key vault name | string | Name for the key vault. | True |
Auth ID: oauthServicePrincipal
Applicable: All regions except Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High)
Use your Microsoft Entra ID application for service principal authentication.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
Name | Type | Description | Required |
---|---|---|---|
Client ID | string | True | |
Client secret | securestring | True | |
Tenant ID | string | True | |
Key vault name | string | True |
Auth ID: oauthServicePrincipal
Applicable: Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only
Use your Azure Active Directory application for service principal authentication.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
Name | Type | Description | Required |
---|---|---|---|
Client ID | string | True | |
Client secret | securestring | True | |
Tenant ID | string | True | |
Key vault name | string | True |
Applicable: All regions
This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
Name | Type | Description | Required |
---|---|---|---|
Key Vault name | string | The name for the key vault. | True |
Name | Calls | Renewal Period |
---|---|---|
API calls per connection | 2000 | 60 seconds |
Decrypt data with key |
Decrypt data using the latest version of a key. Output of this operation is typically classified as secret and can be visible in the run history. |
Decrypt data with key version |
Decrypt data using a specific version of a key. Output of this operation is typically classified as secret and can be visible in the run history. |
Encrypt data with key |
Encrypt data using the latest version of a key. |
Encrypt data with key version |
Encrypt data using a specific version of a key. |
Get key metadata |
Gets metadata of a key. |
Get key version metadata |
Gets metadata of a version of a key. |
Get secret |
Gets a secret. Output of this operation is typically classified as secret and can be visible in the run history. |
Get secret metadata |
Gets metadata of a secret. |
Get secret version |
Gets a version of a secret. Output of this operation is typically classified as secret and can be visible in the run history. |
Get secret version metadata |
Gets metadata of a version of a secret. |
List key versions |
List versions of a key. |
List keys |
List keys. |
List secret versions |
List versions of a secret. |
List secrets |
List secrets. |
Decrypt data using the latest version of a key. Output of this operation is typically classified as secret and can be visible in the run history.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Name of the key
|
keyName | True | string |
Name of the key. |
Algorithm
|
algorithm | True | string |
Algorithm to use for decrypting the data |
Encrypted data
|
encryptedData | True | string |
Data to decrypt |
Returns
Result of decryption operation
- Body
- KeyDecryptOutput
Decrypt data using a specific version of a key. Output of this operation is typically classified as secret and can be visible in the run history.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Name of the key
|
keyName | True | string |
Name of the key. |
Version of the key
|
keyVersion | True | string |
Version of the key. |
Algorithm
|
algorithm | True | string |
Algorithm to use for decrypting the data |
Encrypted data
|
encryptedData | True | string |
Data to decrypt |
Returns
Result of decryption operation
- Body
- KeyDecryptOutput
Encrypt data using the latest version of a key.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Name of the key
|
keyName | True | string |
Name of the key. |
Algorithm
|
algorithm | True | string |
Algorithm to use for encrypting the data |
Raw data
|
rawData | True | string |
Data to encrypt |
Returns
Result of encryption operation
- Body
- KeyEncryptOutput
Encrypt data using a specific version of a key.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Name of the key
|
keyName | True | string |
Name of the key. |
Version of the key
|
keyVersion | True | string |
Version of the key. |
Algorithm
|
algorithm | True | string |
Algorithm to use for encrypting the data |
Raw data
|
rawData | True | string |
Data to encrypt |
Returns
Result of encryption operation
- Body
- KeyEncryptOutput
Gets metadata of a key.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Name of the key
|
keyName | True | string |
Name of the key. |
Returns
Metadata of a key
- Body
- KeyMetadata
Gets metadata of a version of a key.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Name of the key
|
keyName | True | string |
Name of the key. |
Version of the key
|
keyVersion | True | string |
Version of the key. |
Returns
Metadata of a key
- Body
- KeyMetadata
Gets a secret. Output of this operation is typically classified as secret and can be visible in the run history.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Name of the secret
|
secretName | True | string |
Name of the secret. |
Returns
The secret
- Body
- Secret
Gets metadata of a secret.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Name of the secret
|
secretName | True | string |
Name of the secret. |
Returns
Metadata of a secret
- Body
- SecretMetadata
Gets a version of a secret. Output of this operation is typically classified as secret and can be visible in the run history.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Name of the secret
|
secretName | True | string |
Name of the secret. |
Version of the secret
|
secretVersion | True | string |
Version of the secret. |
Returns
The secret
- Body
- Secret
Gets metadata of a version of a secret.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Name of the secret
|
secretName | True | string |
Name of the secret. |
Version of the secret
|
secretVersion | True | string |
Version of the secret. |
Returns
Metadata of a secret
- Body
- SecretMetadata
List versions of a key.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Name of the key
|
keyName | True | string |
Name of the key. |
Returns
Collection of keys
List versions of a secret.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Name of the secret
|
secretName | True | string |
Name of the secret. |
Returns
Collection of secrets
Collection of keys
Name | Path | Type | Description |
---|---|---|---|
value
|
value | array of KeyMetadata |
The keys |
continuationToken
|
continuationToken | string |
Continuation token |
Metadata of a key
Name | Path | Type | Description |
---|---|---|---|
name
|
name | string |
Name of the key |
version
|
version | string |
Version of the key |
isEnabled
|
isEnabled | boolean |
A flag indicating whether the key is enabled |
createdTime
|
createdTime | date-time |
Time when the key was created |
lastUpdatedTime
|
lastUpdatedTime | date-time |
Time when the key was last updated |
validityStartTime
|
validityStartTime | date-time |
Time when the key validity starts. |
validityEndTime
|
validityEndTime | date-time |
Time when the key validity ends. |
allowedOperations
|
allowedOperations | array of string |
Operations allowed using the key |
keyType
|
keyType | string |
Type of the key |
Result of encryption operation
Name | Path | Type | Description |
---|---|---|---|
encryptedData
|
encryptedData | string |
Encrypted data |
Result of decryption operation
Name | Path | Type | Description |
---|---|---|---|
rawData
|
rawData | string |
Raw data |
Collection of secrets
Name | Path | Type | Description |
---|---|---|---|
value
|
value | array of SecretMetadata |
The secrets |
continuationToken
|
continuationToken | string |
Continuation token |
Metadata of a secret
Name | Path | Type | Description |
---|---|---|---|
name
|
name | string |
Name of the secret |
version
|
version | string |
Version of the secret |
contentType
|
contentType | string |
Content type of the secret |
isEnabled
|
isEnabled | boolean |
A flag indicating whether the secret is enabled |
createdTime
|
createdTime | date-time |
Time when the secret was created |
lastUpdatedTime
|
lastUpdatedTime | date-time |
Time when the secret was last updated |
validityStartTime
|
validityStartTime | date-time |
Time when the secret validity starts. |
validityEndTime
|
validityEndTime | date-time |
Time when the secret validity ends. |
The secret
Name | Path | Type | Description |
---|---|---|---|
value
|
value | string |
Value of the secret |
name
|
name | string |
Name of the secret |
version
|
version | string |
Version of the secret |
contentType
|
contentType | string |
Content type of the secret |
isEnabled
|
isEnabled | boolean |
A flag indicating whether the secret is enabled |
createdTime
|
createdTime | date-time |
Time when the secret was created |
lastUpdatedTime
|
lastUpdatedTime | date-time |
Time when the secret was last updated |
validityStartTime
|
validityStartTime | date-time |
Time when the secret validity starts. |
validityEndTime
|
validityEndTime | date-time |
Time when the secret validity ends. |