Accessing a Key Vault Managed Storage Account with Data Factory v2

    Question

  • Hello, I am attempting to create a DF v2 Linked Service to a KV Managed Storage Account and I am having issues with the key refreshes. It seems that the KV Managed Storage Account doesn't make its keys available nor does it make a SAS URI available. It only makes the SAS token itself. 

    As I am not sure when the key refreshes occur, I don't know if I can use automation to update a SAS URI secret in the KV. Is the only option to remove automatic key refreshes and handle that using custom automation?

    Any help would be great,

    Thanks.

    Wednesday, July 18, 2018 2:16 PM

All replies

  • Hello,

    You can specify how often automatic key refreshing happens as outlined here:

    https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-keys#key-regeneration

    I think you are correct in saying only the token is made available in KV, so if you are trying to access a particular container in your storage account with a SAS URI, you need to supply the refreshed SAS token.

    As it stands today I do not see a way to create a linked service with an automatically refreshing SAS token from KV.  It appears ADF linked services can only use Storage Account keys from KV, and not SAS URIs from KV.

    If it makes sense in your particular scenario, you could simply automatically rotate the Storage Account keys and create a linked service in ADF to use KV with the Storage Account keys and not SAS.

    In addition to Azure documentation, I found this article helpful in implementing automatic Storage Account key rotation:

    http://www.wahidsaleemi.com/2017/08/azure-storage-account-keys-automatic-rotation/

    Wednesday, August 1, 2018 11:01 PM
    Moderator
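
Added example, not part of either post above: a sketch of the step the thread turns on, composing a SAS URI from the bare SAS token and reading the token's `se` (expiry) field so automation can tell when the stored URI must be rebuilt. The account name, container, token value and function names are constructed for illustration; fetching the token from Key Vault and writing the URI back are not shown.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample values; the signature is a placeholder, not a real one.
SAMPLE_CONTAINER_URL = "https://examplestorage.blob.core.windows.net/examplecontainer"
SAMPLE_SAS_TOKEN = "?sv=2018-03-28&ss=b&srt=co&sp=rl&se=2018-08-02T00:00:00Z&sig=PLACEHOLDER"


def build_sas_uri(resource_url: str, sas_token: str) -> str:
    """Append a bare SAS token to a resource URL, rejecting unsafe inputs."""
    parts = urlsplit(resource_url)
    if parts.scheme != "https":
        raise ValueError("resource URL must use https")
    if parts.query:
        raise ValueError("resource URL already carries a query string")
    token = sas_token.strip().lstrip("?")
    fields = parse_qs(token, strict_parsing=True)
    for required in ("sv", "se", "sp", "sig"):
        if required not in fields:
            raise ValueError(f"SAS token is missing '{required}'")
    # Reuse the token text as-is so the encoded signature is not altered.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, token, ""))


def sas_expiry(sas_token: str) -> datetime:
    """Return the token's 'se' (signed expiry) as an aware UTC datetime."""
    raw = parse_qs(sas_token.strip().lstrip("?"))["se"][0]
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised expiry format: {raw!r}")


def needs_refresh(sas_token: str, now: datetime, margin: timedelta) -> bool:
    """True when the token expires within `margin` of `now`, or already has."""
    return sas_expiry(sas_token) - now <= margin


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Print only the refresh decision; the URI embeds the signature.
    print(needs_refresh(SAMPLE_SAS_TOKEN, now, timedelta(hours=1)))
```

The composed URI carries the signature, so it should be treated as a secret in the same way as the token itself.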