How to get Data Factory dynamic content from key vault secret

How to use Azure Key Vault secret in pipeline activities can be a bit tricky. But if you setup the right permission you are good to go. To use Key Vault Secrets In Data Factory there are two permissions that it is depended upon.

Key Vault Secret permissions

First you need the role-based access control model inside the Access control (IAM). Then assign the “Key Vault Secrets User” to your Data Factory.

How to get Data Factory dynamic content from key vault secret

Second is the vault access policy model where you need to set the Secret permissions.

You’ll only need the Get and List permissions for this particular case.

How to get Data Factory dynamic content from key vault secret

In Objects -> Secret create the secret you need if you haven’t already.

Key Vault Secret

For more details: https://spacetech.dk/azure-key-vault-does-not-have-secrets-get-permissions.html

Data Factory Pipeline

Go to your Data Factory pipeline you need to add your new secret to. Add a web activity. Go to settings and add your url.

{vaultBaseUrl}/secrets/{secret-name}/{secret-version}

# E.g.
# http://myurl.vault.azure.net/secrets/mySecret?api-version=7.0

The method is a Get, Authentication is System Assigned Managed Identify and Resource is “https://vault.azure.net”.

How to get Data Factory dynamic content from key vault secret

Now you are able to use your secret. To get it in the dynamic content use the activity

@{activity('Web1').output.value}
How to get Data Factory dynamic content from key vault secret

Microsoft general documentation for using Azure Key Vault secrets in pipeline activities https://learn.microsoft.com/en-us/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities