| title | Use Azure Key Vault secrets in pipeline activities |
|---|---|
| description | Learn how to fetch stored credentials from Azure Key Vault and use them during data factory pipeline runs. |
| author | nabhishek |
| ms.author | abnarain |
| ms.subservice | security |
| ms.topic | how-to |
| ms.date | 02/13/2025 |
| ms.custom | sfi-image-nochange |
[!INCLUDEappliesto-adf-asa-md]
You can store credentials or secret values in an Azure Key Vault and use them during pipeline execution to pass to your activities.
This feature relies on the data factory managed identity. Learn how it works from Managed identity for Data Factory and make sure your data factory has one associated.
-
Open the properties of your data factory and copy the Managed Identity Application ID value.
:::image type="content" source="media/how-to-use-azure-key-vault-secrets-pipeline-activities/managedidentity.png" alt-text="Managed Identity Value":::
-
Open the key vault access policies and add the managed identity permissions to Get and List secrets.
:::image type="content" source="media/how-to-use-azure-key-vault-secrets-pipeline-activities/akvaccesspolicies.png" alt-text="Screenshot that shows the "Access policies" page with the "Add Access Policy" action highlighted.":::
:::image type="content" source="media/how-to-use-azure-key-vault-secrets-pipeline-activities/akvaccesspolicies-2.png" alt-text="Key Vault access policies":::
Click Add, then click Save.
-
Navigate to your Key Vault secret and copy the Secret Identifier.
:::image type="content" source="media/how-to-use-azure-key-vault-secrets-pipeline-activities/secretidentifier.png" alt-text="Secret Identifier":::
Make a note of your secret URI that you want to get during your data factory pipeline run.
[!CAUTION] The secret URI is structured like this:
{vaultBaseUrl}/secrets/{secret-name}/{secret-version}. The secret-version is optional; the latest version is returned when not specified. It is often desirable to specify a secret URI in a pipeline without a specific version so that the pipeline always uses the latest version of the secret. -
In your Data Factory pipeline, add a new Web activity and configure it as follows.
Property Value Secure Output True URL [Your secret URI value]?api-version=7.5 Method GET Authentication System Assigned Managed Identity Resource https://vault.azure.net :::image type="content" source="media/how-to-use-azure-key-vault-secrets-pipeline-activities/webactivity.png" alt-text="Web activity":::
[!IMPORTANT] You must add ?api-version=7.5 to the end of your secret URI.
[!CAUTION] Set the Secure Output option to true to prevent the secret value from being logged in plain text. Any further activities that consume this value should have their Secure Input option set to true.
-
To use the value in another activity, use the following code expression @activity('Web1').output.value.
:::image type="content" source="media/how-to-use-azure-key-vault-secrets-pipeline-activities/usewebactivity.png" alt-text="Code expression":::
To learn how to use Azure Key Vault to store credentials for data stores and computes, see Store credentials in Azure Key Vault