How to get Data Factory dynamic content from a Key Vault secret

Using an Azure Key Vault secret in pipeline activities can be a bit tricky, but if you set up the right permissions you are good to go. Using Key Vault secrets in Data Factory depends on two permissions.

Key Vault Secret permissions

First is the role-based access control model, under Access control (IAM). There, assign the “Key Vault Secrets User” role to your Data Factory.

Second is the vault access policy model, where you need to set the Secret permissions.

You’ll only need the Get and List permissions for this particular case.

Under Objects -> Secret, create the secret you need if you haven’t already.

Key Vault Secret

For more details: https://spacetech.dk/azure-key-vault-does-not-have-secrets-get-permissions.html

Data Factory Pipeline

Open the Data Factory pipeline that needs the secret. Add a Web activity, go to Settings, and enter the secret's URL.

{vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=7.0

# E.g.
# https://myurl.vault.azure.net/secrets/mySecret?api-version=7.0

The Method is GET, Authentication is System Assigned Managed Identity, and Resource is “https://vault.azure.net”.

Now you are able to use your secret. To get it in dynamic content, reference the output of the Web activity:

@{activity('Web1').output.value}
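
The two steps above as pipeline JSON (code view). This is an added example, not taken from the original post. It also sets secureOutput on Web1 and secureInput on the consumer, because without them the secret value appears in plain text in the activity run's logged output and input. The pipeline name, the CallApi activity, and the api.example.com URL are hypothetical placeholders.

```json
{
  "name": "UseKeyVaultSecret",
  "properties": {
    "description": "Added example. Vault, secret and API URL are placeholders.",
    "activities": [
      {
        "name": "Web1",
        "description": "Reads the secret; secureOutput keeps the value out of the run logs.",
        "type": "WebActivity",
        "policy": {
          "timeout": "0.00:01:00",
          "retry": 0,
          "retryIntervalInSeconds": 30,
          "secureInput": false,
          "secureOutput": true
        },
        "typeProperties": {
          "url": "https://myurl.vault.azure.net/secrets/mySecret?api-version=7.0",
          "method": "GET",
          "authentication": {
            "type": "MSI",
            "resource": "https://vault.azure.net"
          }
        }
      },
      {
        "name": "CallApi",
        "description": "Hypothetical consumer; secureInput hides the secret in its logged input.",
        "type": "WebActivity",
        "dependsOn": [
          { "activity": "Web1", "dependencyConditions": [ "Succeeded" ] }
        ],
        "policy": { "secureInput": true, "secureOutput": false },
        "typeProperties": {
          "url": "https://api.example.com/data",
          "method": "GET",
          "headers": {
            "Authorization": {
              "value": "Bearer @{activity('Web1').output.value}",
              "type": "Expression"
            }
          }
        }
      }
    ]
  }
}
```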

Microsoft's general documentation for using Azure Key Vault secrets in pipeline activities: https://learn.microsoft.com/en-us/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities