If the Azure Key Vault is rotating keys, how should apps get that information?

Question

I followed the instructions at https://docs.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys-powershell to configure my Key Vault to manage keys for a storage account. When finished I was expecting to see an entry in the Key Vault (in either Keys or Secrets) for the storage account. But I didn't. So what's the point of having the Azure Key Vault manage the storage accounts access keys, if it doesn't provide a programmatic way to extract that information?

How is this supposed to work? I have a storage account that has two keys. I want to configure the Power BI service to be able to use those keys to access my storage, as well as Azure Data Factory to be able to copy the data to the storage account. What step am I missing?

Answer 1

Yes, I have tried this and I cannot see the those keys in Azure Key Vault.  I am checking this internally if this is by design and let you know of my findings.  

Also, do you want to access Azure Key Vault from PowerBI.  If so, it is not possible yet and I can see the below feedback in PowerBI feedback forum as well.

Answer 2

I guess given that I probably don't have a way to authorize "Power BI" as a service principal which could access the Storage Vault, it wouldn't work like how I was thinking it would anyway.

It looks like putting the key in the pbix file is best practice at this point.

Answer 3

Yes, that is correct.

Please let me know if you find above reply useful. If yes, do click on 'Mark as answer' link in above reply. This will help other community members facing similar query to refer to this solution. Thanks.