
Azure Key Vault

Virtual DataPort can obtain credentials from Azure Key Vault using the following authentication methods:

  • Client certificate. Connects with the Credentials Vault using client certificates.

  • Client secret. Connects with the Credentials Vault using a client secret.

  • Environment variables. Connects with the Credentials Vault using system environment variables. No credentials are required by configuration.

  • System managed. Connects with the Credentials Vault using managed authentication. No credentials are required by configuration.

  • User managed. Connects with the Credentials Vault using authentication with a managed user. No credentials are required by configuration.

Client Certificate

This mode requires a client certificate for connecting with the Credentials Vault. Supported formats are PEM and PFX (PKCS#12).

Enabling Azure Key Vault with PKCS#12 certificate

You have to provide the following data:

  • Key vault URI: this is the URI for the target Key vault. It is specified by Azure at the Key vault “Overview” section.

  • Proxy (optional): proxy configuration if required.

  • Tenant id: this is the tenant identifier of the Azure account.

  • Client id: this is the client identifier of the Azure application used for the access.

  • Certificate format: this is the certificate format.

  • Client certificate (private key): this is the file that contains the key used for authenticating with the Credentials Vault.

    • Password: the password for the file containing the Client certificate (for PFX/PKCS#12 format).

Click Ok to apply the changes.

Client Secret

This mode requires a client secret for connecting with the Credentials Vault.

Enabling Azure Key Vault with client secret

You have to provide the following data:

  • Key vault URI: this is the URI for the target Key vault. It is specified by Azure at the Key vault “Overview” section.

  • Proxy (optional): proxy configuration if required.

  • Tenant id: this is the tenant identifier of the Azure account.

  • Client id: this is the client identifier of the Azure application used for the access.

  • Client secret: this is the client secret of the Azure application used for the access.

Click Ok to apply the changes.

Environment Variables

This mode reads authentication credentials from environment variables using the Azure SDK.

No credentials are required by Virtual DataPort.

Enabling Azure Key Vault with environment variables

You have to provide the following data:

  • Key vault URI: this is the URI for the target Key vault. It is specified by Azure at the Key vault “Overview” section.

  • Proxy (optional): proxy configuration if required.

Click Ok to apply the changes.

The environment variables expected by the Azure SDK are one of the following sets (see the EnvironmentCredential Class documentation for details):

  • AZURE_CLIENT_ID

  • AZURE_CLIENT_SECRET

  • AZURE_TENANT_ID

or:

  • AZURE_CLIENT_ID

  • AZURE_CLIENT_CERTIFICATE_PATH

  • AZURE_TENANT_ID

or:

  • AZURE_CLIENT_ID

  • AZURE_USERNAME

  • AZURE_PASSWORD
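Because Virtual DataPort does not validate these variables itself, a misconfigured process environment only surfaces as an authentication failure at runtime. The following is an added example (not part of the manual or of the Denodo product) of a preflight check that reports which of the three variable sets is complete in a process environment, which variables are still missing, and which exported variables the SDK will ignore. It assumes the SDK's documented precedence (client secret, then client certificate, then username/password); the manual only lists the sets. It reports variable names only, never values.

```python
import os
from typing import Dict, List, Mapping, Optional, Tuple

# Variable sets that the Azure SDK EnvironmentCredential reads, as listed above.
# The order is the SDK's documented precedence (service principal with a secret,
# then with a certificate, then username/password). That order is an assumption
# of this example; the page only lists the three sets.
CREDENTIAL_SETS: Tuple[Tuple[str, Tuple[str, ...]], ...] = (
    ("client secret",
     ("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID")),
    ("client certificate",
     ("AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH", "AZURE_TENANT_ID")),
    ("username/password",
     ("AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD")),
)


def detect_credential_set(env: Mapping[str, str]) -> Optional[str]:
    """Return the name of the first complete variable set, or None.

    An empty string counts as unset: a service unit that exports
    AZURE_CLIENT_SECRET="" is misconfigured, not configured.
    """
    for name, required in CREDENTIAL_SETS:
        if all(env.get(var) for var in required):
            return name
    return None


def missing_variables(env: Mapping[str, str]) -> Dict[str, List[str]]:
    """Per set, the variables still absent. Names only; values never leave the process."""
    return {name: [var for var in required if not env.get(var)]
            for name, required in CREDENTIAL_SETS}


def preflight_report(env: Optional[Mapping[str, str]] = None) -> dict:
    """Summarise the process environment the way the SDK will interpret it."""
    env = os.environ if env is None else env
    selected = detect_credential_set(env)
    ignored: List[str] = []
    if selected is not None:
        names = [name for name, _ in CREDENTIAL_SETS]
        used = set(dict(CREDENTIAL_SETS)[selected])
        # Variables belonging only to a lower-precedence set are silently ignored
        # by the SDK; flag them so two identities do not linger in one environment.
        for _, required in CREDENTIAL_SETS[names.index(selected) + 1:]:
            for var in required:
                if env.get(var) and var not in used and var not in ignored:
                    ignored.append(var)
    return {"selected": selected, "missing": missing_variables(env), "ignored": ignored}


if __name__ == "__main__":
    # Constructed example environment with placeholder values (not real credentials).
    sample_env = {
        "AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000000",
        "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",
        "AZURE_CLIENT_SECRET": "placeholder",
        "AZURE_CLIENT_CERTIFICATE_PATH": "/path/to/placeholder.pem",
    }
    print(preflight_report(sample_env))
```

Run it with no argument inside the same environment the Virtual DataPort service starts from (for example from the service's start script), so that it inspects the environment the SDK will actually see; an `ignored` entry means a second credential is exported that will never be used and should be removed.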

System Managed

This mode authenticates using the managed identity of the service instance where Virtual DataPort is running. Note that the service instance must have sufficient privileges to access the Key vault.

No credentials are required by Virtual DataPort.

Enabling Azure Key Vault with system managed

You have to provide the following data:

  • Key vault URI: this is the URI for the target Key vault. It is specified by Azure at the Key vault “Overview” section.

  • Proxy (optional): proxy configuration if required.

Click Ok to apply the changes.

User Managed

This mode authenticates using a user-assigned managed identity assigned to the Azure service where Virtual DataPort is running. Note that the user-assigned managed identity must have sufficient privileges to access the Key vault, and the Azure service must be allowed to use that identity to request authentication tokens.

No credentials are required by Virtual DataPort.

Enabling Azure Key Vault with user managed

You have to provide the following data:

  • Key vault URI: this is the URI for the target Key vault. It is specified by Azure at the Key vault “Overview” section.

  • Proxy (optional): proxy configuration if required.

  • Client id: this is the client identifier of the user-assigned managed identity. It is specified at the managed identity view, “Overview” section.

Click Ok to apply the changes.

Naming Convention for Azure Key Vault

Azure Key Vault stores secrets as plain values. Therefore, configuring the authentication of a data source with Azure Key Vault may require more than one secret (one secret per field). For example, you have to create these two secrets in Azure Key Vault:

"oracle-user" = "my-oracle-login"
"oracle-pwd"  = "my-oracle-secure-password"

When using Azure Key Vault, both secrets must be referenced in the data source authentication. The image below shows how to enter those values.

JDBC Data Source using secret per field

With the previous configuration, the Login and Password values will be retrieved from Azure Key Vault. No credentials are stored in Virtual DataPort metadata.

Note

A secret is not mandatory for both fields.

It is possible that only one of the fields is stored in the Key Vault. The From vault check box configures whether the field value is retrieved from the Key Vault or the given value is the real one.

For example, we can access the Key Vault only to retrieve the Password with the configuration below. Note that the Login field has the real value my-oracle-login and the From vault check box is unchecked.

JDBC Data Source using secret per field

With the previous configuration, only the Login credential is stored in Virtual DataPort metadata.
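The secret-per-field convention and the From vault check box together decide, field by field, whether a value is looked up in Key Vault at authentication time or persisted in Virtual DataPort metadata. The following is an added example (not part of the manual or of the Denodo product) that models that resolution with an in-memory stand-in for the Key Vault client; the classes `InMemoryKeyVault` and `CredentialField` are constructed for this illustration, the vault contents mirror the two secrets above, and the secret-name rule (1 to 127 alphanumerics and dashes) is Azure's own naming rule, not something the manual states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Mapping

# Azure Key Vault secret names: 1-127 characters, alphanumerics and dashes only
# (Azure's naming rule; "oracle-user" and "oracle-pwd" above follow it).
SECRET_NAME = re.compile(r"^[A-Za-z0-9-]{1,127}$")


class SecretNotFound(KeyError):
    """Raised when a referenced secret does not exist in the vault."""


class InMemoryKeyVault:
    """Stand-in for an Azure Key Vault secrets client, constructed for this example."""

    def __init__(self, secrets: Mapping[str, str]):
        for name in secrets:
            if not SECRET_NAME.match(name):
                raise ValueError(f"invalid secret name: {name!r}")
        self._secrets = dict(secrets)

    def get_secret(self, name: str) -> str:
        try:
            return self._secrets[name]
        except KeyError:
            raise SecretNotFound(name) from None


@dataclass(frozen=True)
class CredentialField:
    """One authentication field of a data source.

    `value` is either the literal credential (From vault unchecked) or the
    name of the Key Vault secret that holds it (From vault checked).
    """
    value: str
    from_vault: bool = False


def resolve_credentials(fields: Mapping[str, CredentialField],
                        vault: InMemoryKeyVault) -> Dict[str, str]:
    """Return the real values handed to the data source, one vault lookup per vault-backed field."""
    resolved: Dict[str, str] = {}
    for field_name, field in fields.items():
        if field.from_vault:
            if not SECRET_NAME.match(field.value):
                raise ValueError(f"{field_name}: {field.value!r} is not a valid secret name")
            resolved[field_name] = vault.get_secret(field.value)
        else:
            resolved[field_name] = field.value
    return resolved


def stored_in_metadata(fields: Mapping[str, CredentialField]) -> List[str]:
    """Names of fields whose real value is persisted in Virtual DataPort metadata."""
    return [name for name, field in fields.items() if not field.from_vault]


# Constructed vault contents matching the two secrets created above.
VAULT = InMemoryKeyVault({
    "oracle-user": "my-oracle-login",
    "oracle-pwd": "my-oracle-secure-password",
})

# First screenshot: both fields come from the vault.
BOTH_FROM_VAULT = {
    "login": CredentialField("oracle-user", from_vault=True),
    "password": CredentialField("oracle-pwd", from_vault=True),
}

# Second screenshot: only the password comes from the vault.
PASSWORD_ONLY = {
    "login": CredentialField("my-oracle-login"),
    "password": CredentialField("oracle-pwd", from_vault=True),
}

if __name__ == "__main__":
    for label, config in (("both from vault", BOTH_FROM_VAULT), ("password only", PASSWORD_ONLY)):
        creds = resolve_credentials(config, VAULT)
        print(label, "-> login:", creds["login"], "| fields kept in metadata:", stored_in_metadata(config))
```

`stored_in_metadata` is the check worth keeping: running it over a data source configuration tells you which credential fields would still be written to metadata (and therefore appear in exports and backups) rather than being fetched from the vault.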
