Azure Key Vault
Azure Key Vault is a service to securely store and access secrets.
This connector is available in the following products and regions:
| Service | Class | Regions |
|---|---|---|
| Logic Apps | Standard | All Logic Apps regions |
| Power Automate | Premium | All Power Automate regions |
| Power Apps | Premium | All Power Apps regions |
| Connector Metadata | |
|---|---|
| Publisher | Microsoft |
| Website | https://azure.microsoft.com/services/key-vault/ |
Known issues and limitations
- The actions to get secrets and to get keys return maximum 25 items.
Known limitations with Microsoft Entra ID authentication
Due to current authentication pipeline limitations, Microsoft Entra ID guest users aren't supported for Microsoft Entra ID connections to Azure Key Vault. To resolve this problem, use Service principal authentication instead.
Creating a connection
The connector supports the following authentication types:
| Bring your own application | Sign in with your own Azure Active Directory registerted application. | Integration service environments (ISE) only | Not shareable |
| Client Certificate Auth | Provide Microsoft Entra ID credentials using PFX certificate and password | All regions | Shareable |
| Default Azure AD application for OAuth | Sign in with the default Azure Active Directory application. | Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only | Not shareable |
| Default Microsoft Entra ID application for OAuth | Sign in with the default Microsoft Entra ID application. | All regions except Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) | Not shareable |
| Service principal authentication | Use your Microsoft Entra ID application for service principal authentication. | All regions except Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) | Not shareable |
| Service principal authentication | Use your Azure Active Directory application for service principal authentication. | Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only | Not shareable |
| Default [DEPRECATED] | This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility. | All regions | Not shareable |
Bring your own application
Auth ID: oauthBYOA
Applicable: Integration service environments (ISE) only
Sign in with your own Azure Active Directory registerted application.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| Vault name | string | The name for the key vault. | True |
| Tenant ID | string | The tenant ID for your Azure Active Directory application. | True |
| Client ID | string | The client or application ID for your Azure Active Directory application. | True |
| Client secret | securestring | The client secret for your Azure Active Directory application. | True |
Client Certificate Auth
Auth ID: CertOauth
Applicable: All regions
Provide Microsoft Entra ID credentials using PFX certificate and password
This is shareable connection. If the power app is shared with another user, connection is shared as well. For more information, please see the Connectors overview for canvas apps - Power Apps | Microsoft Docs
| Name | Type | Description | Required |
|---|---|---|---|
| Vault name | string | The name for the key vault. | True |
| Client ID | string | The client ID of for the Microsoft Entra ID application | |
| Tenant | string | True | |
| Client certificate secret | clientCertificate | The client certificate secret allowed by this application | True |
Default Azure AD application for OAuth
Auth ID: oauthDefault
Applicable: Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only
Sign in with the default Azure Active Directory application.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| Tenant ID | string | The tenant ID for your Azure Active Directory application. | |
| Key vault name | string | Name for the key vault. | True |
Default Microsoft Entra ID application for OAuth
Auth ID: oauthDefault
Applicable: All regions except Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High)
Sign in with the default Microsoft Entra ID application.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| Key vault name | string | Name for the key vault. | True |
Service principal authentication
Auth ID: oauthServicePrincipal
Applicable: All regions except Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High)
Use your Microsoft Entra ID application for service principal authentication.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| Client ID | string | True | |
| Client secret | securestring | True | |
| Tenant ID | string | True | |
| Key vault name | string | True |
Service principal authentication
Auth ID: oauthServicePrincipal
Applicable: Azure Government and Department of Defense (DoD) in Azure Government and MOONCAKE and US Government (GCC) and US Government (GCC-High) only
Use your Azure Active Directory application for service principal authentication.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| Client ID | string | True | |
| Client secret | securestring | True | |
| Tenant ID | string | True | |
| Key vault name | string | True |
Default [DEPRECATED]
Applicable: All regions
This option is only for older connections without an explicit authentication type, and is only provided for backward compatibility.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| Key Vault name | string | The name for the key vault. | True |
Throttling Limits
| Name | Calls | Renewal Period |
|---|---|---|
| API calls per connection | 2000 | 60 seconds |
Actions
| Decrypt data with key |
Decrypt data using the latest version of a key. Output of this operation is typically classified as secret and can be visible in the run history. |
| Decrypt data with key version |
Decrypt data using a specific version of a key. Output of this operation is typically classified as secret and can be visible in the run history. |
| Encrypt data with key |
Encrypt data using the latest version of a key. |
| Encrypt data with key version |
Encrypt data using a specific version of a key. |
| Get key metadata |
Gets metadata of a key. |
| Get key version metadata |
Gets metadata of a version of a key. |
| Get secret |
Gets a secret. Output of this operation is typically classified as secret and can be visible in the run history. |
| Get secret metadata |
Gets metadata of a secret. |
| Get secret version |
Gets a version of a secret. Output of this operation is typically classified as secret and can be visible in the run history. |
| Get secret version metadata |
Gets metadata of a version of a secret. |
| List key versions |
List versions of a key. |
| List keys |
List keys. |
| List secret versions |
List versions of a secret. |
| List secrets |
List secrets. |
Decrypt data with key
Decrypt data using the latest version of a key. Output of this operation is typically classified as secret and can be visible in the run history.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Name of the key
|
keyName | True | string |
Name of the key. |
|
Algorithm
|
algorithm | True | string |
Algorithm to use for decrypting the data |
|
Encrypted data
|
encryptedData | True | string |
Data to decrypt |
Returns
Result of decryption operation
- Body
- KeyDecryptOutput
Decrypt data with key version
Decrypt data using a specific version of a key. Output of this operation is typically classified as secret and can be visible in the run history.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Name of the key
|
keyName | True | string |
Name of the key. |
|
Version of the key
|
keyVersion | True | string |
Version of the key. |
|
Algorithm
|
algorithm | True | string |
Algorithm to use for decrypting the data |
|
Encrypted data
|
encryptedData | True | string |
Data to decrypt |
Returns
Result of decryption operation
- Body
- KeyDecryptOutput
Encrypt data with key
Encrypt data using the latest version of a key.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Name of the key
|
keyName | True | string |
Name of the key. |
|
Algorithm
|
algorithm | True | string |
Algorithm to use for encrypting the data |
|
Raw data
|
rawData | True | string |
Data to encrypt |
Returns
Result of encryption operation
- Body
- KeyEncryptOutput
Encrypt data with key version
Encrypt data using a specific version of a key.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Name of the key
|
keyName | True | string |
Name of the key. |
|
Version of the key
|
keyVersion | True | string |
Version of the key. |
|
Algorithm
|
algorithm | True | string |
Algorithm to use for encrypting the data |
|
Raw data
|
rawData | True | string |
Data to encrypt |
Returns
Result of encryption operation
- Body
- KeyEncryptOutput
Get key metadata
Gets metadata of a key.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Name of the key
|
keyName | True | string |
Name of the key. |
Returns
Metadata of a key
- Body
- KeyMetadata
Get key version metadata
Gets metadata of a version of a key.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Name of the key
|
keyName | True | string |
Name of the key. |
|
Version of the key
|
keyVersion | True | string |
Version of the key. |
Returns
Metadata of a key
- Body
- KeyMetadata
Get secret
Gets a secret. Output of this operation is typically classified as secret and can be visible in the run history.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Name of the secret
|
secretName | True | string |
Name of the secret. |
Returns
The secret
- Body
- Secret
Get secret metadata
Gets metadata of a secret.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Name of the secret
|
secretName | True | string |
Name of the secret. |
Returns
Metadata of a secret
- Body
- SecretMetadata
Get secret version
Gets a version of a secret. Output of this operation is typically classified as secret and can be visible in the run history.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Name of the secret
|
secretName | True | string |
Name of the secret. |
|
Version of the secret
|
secretVersion | True | string |
Version of the secret. |
Returns
The secret
- Body
- Secret
Get secret version metadata
Gets metadata of a version of a secret.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Name of the secret
|
secretName | True | string |
Name of the secret. |
|
Version of the secret
|
secretVersion | True | string |
Version of the secret. |
Returns
Metadata of a secret
- Body
- SecretMetadata
List key versions
List versions of a key.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Name of the key
|
keyName | True | string |
Name of the key. |
Returns
Collection of keys
List keys
List secret versions
List versions of a secret.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Name of the secret
|
secretName | True | string |
Name of the secret. |
Returns
Collection of secrets
List secrets
Definitions
KeyMetadataCollection
Collection of keys
| Name | Path | Type | Description |
|---|---|---|---|
|
value
|
value | array of KeyMetadata |
The keys |
|
continuationToken
|
continuationToken | string |
Continuation token |
KeyMetadata
Metadata of a key
| Name | Path | Type | Description |
|---|---|---|---|
|
name
|
name | string |
Name of the key |
|
version
|
version | string |
Version of the key |
|
isEnabled
|
isEnabled | boolean |
A flag indicating whether the key is enabled |
|
createdTime
|
createdTime | date-time |
Time when the key was created |
|
lastUpdatedTime
|
lastUpdatedTime | date-time |
Time when the key was last updated |
|
validityStartTime
|
validityStartTime | date-time |
Time when the key validity starts. |
|
validityEndTime
|
validityEndTime | date-time |
Time when the key validity ends. |
|
allowedOperations
|
allowedOperations | array of string |
Operations allowed using the key |
|
keyType
|
keyType | string |
Type of the key |
KeyEncryptOutput
Result of encryption operation
| Name | Path | Type | Description |
|---|---|---|---|
|
encryptedData
|
encryptedData | string |
Encrypted data |
KeyDecryptOutput
Result of decryption operation
| Name | Path | Type | Description |
|---|---|---|---|
|
rawData
|
rawData | string |
Raw data |
SecretMetadataCollection
Collection of secrets
| Name | Path | Type | Description |
|---|---|---|---|
|
value
|
value | array of SecretMetadata |
The secrets |
|
continuationToken
|
continuationToken | string |
Continuation token |
SecretMetadata
Metadata of a secret
| Name | Path | Type | Description |
|---|---|---|---|
|
name
|
name | string |
Name of the secret |
|
version
|
version | string |
Version of the secret |
|
contentType
|
contentType | string |
Content type of the secret |
|
isEnabled
|
isEnabled | boolean |
A flag indicating whether the secret is enabled |
|
createdTime
|
createdTime | date-time |
Time when the secret was created |
|
lastUpdatedTime
|
lastUpdatedTime | date-time |
Time when the secret was last updated |
|
validityStartTime
|
validityStartTime | date-time |
Time when the secret validity starts. |
|
validityEndTime
|
validityEndTime | date-time |
Time when the secret validity ends. |
Secret
The secret
| Name | Path | Type | Description |
|---|---|---|---|
|
value
|
value | string |
Value of the secret |
|
name
|
name | string |
Name of the secret |
|
version
|
version | string |
Version of the secret |
|
contentType
|
contentType | string |
Content type of the secret |
|
isEnabled
|
isEnabled | boolean |
A flag indicating whether the secret is enabled |
|
createdTime
|
createdTime | date-time |
Time when the secret was created |
|
lastUpdatedTime
|
lastUpdatedTime | date-time |
Time when the secret was last updated |
|
validityStartTime
|
validityStartTime | date-time |
Time when the secret validity starts. |
|
validityEndTime
|
validityEndTime | date-time |
Time when the secret validity ends. |