Azure Active Directory Key Vault Authentication
Azure Active Directory is Microsoft’s enterprise cloud-based identity and access management (IAM) solution. It can be used to authenticate to various data sources, including Azure SQL Database, Azure Synapse Database, Databricks, and Snowflake.
Ataccama ONE Platform supports two types of AAD authentication: Service Principal with a secret and Managed Identity:
- AAD Service Principal authenticates using a client ID and a secret.
- Managed Identity is bound to one Azure virtual machine, so the client (i.e. the DPE running on that Azure VM) does not need to provide any other credentials to authenticate to a data source or key vault.
Azure Active Directory Key Vault
Key Vault is a cloud service that provides a secure store for keys, passwords, certificates and other secrets. It is not a separate authentication method but a way to make sure the secrets used by your Service Principal or Managed Identity are stored securely. The Key Vault service can be accessed in the following ways:
Key Vault Service Principal
The following Runtime Configuration properties are used to configure your DPE to authenticate using Azure Key Vault with an Active Directory Service Principal for JDBC connections. It is recommended to store the client secret in the <propertiesEncrypted> section rather than in plaintext.
<properties>
ata.jdbc.aad.keyvault.authType = AAD_CLIENT_CREDENTIAL
ata.jdbc.aad.keyvault.clientId = <Service Principal client ID (UUID format)>
<!-- ata.jdbc.aad.keyvault.clientSecret = <client secret to Key Vault> -->
ata.jdbc.aad.keyvault.vaultUrl = <key vault URL (https://your-vault-name.vault.azure.net)>
ata.jdbc.aad.keyvault.tenantId = <tenant ID of your subscription (UUID format)>
</properties>
<propertiesEncrypted>
<property name="ata.jdbc.aad.keyvault.clientSecret" value="crypted:AES:encryptedValue"/>
</propertiesEncrypted>
Key Vault Managed Identity
The following Runtime Configuration properties are used to configure your Azure-based DPE to authenticate using Azure Key Vault with the Active Directory Managed Identity service for JDBC connections. The DPE instance needs to run on an Azure VM in the same tenant, and a Managed Identity needs to be configured for that VM in Azure Active Directory.
ata.jdbc.aad.keyvault.authType = AAD_MANAGED_IDENTITY
ata.jdbc.aad.keyvault.vaultUrl = <key vault URL (https://your-vault-name.vault.azure.net)>
ata.jdbc.aad.keyvault.tenantId = <tenant ID of your subscription (UUID format)>
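As an added example (not Ataccama's code), the following linter checks a Runtime Configuration against the Service Principal and Managed Identity property layouts shown above: the property names are the page's, while the UUID and vault URL formats, the `crypted:AES:` prefix and all sample values are assumptions or constructed.

```python
import re
# Added example (not Ataccama's code): a linter for the Key Vault Runtime Configuration
# properties documented on this page. Property names are the page's; sample values are constructed.
PREFIX = "ata.jdbc.aad.keyvault."
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
VAULT_URL_RE = re.compile(r"^https://[a-z0-9-]+\.vault\.azure\.net/?$", re.I)

def parse_properties(text):
    """Parse 'key = value' lines of a <properties> section; tags and <!-- --> comments are skipped."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("<"):
            props[key.strip()] = value.strip()
    return props

def parse_encrypted(text):
    """Collect name/value pairs from <property name=".." value=".."/> elements."""
    return dict(re.findall(r'<property\s+name="([^"]+)"\s+value="([^"]*)"', text))

def lint_keyvault_config(plain_text, encrypted_text=""):
    """Return a list of findings; an empty list means the config matches the page's guidance."""
    plain, enc = parse_properties(plain_text), parse_encrypted(encrypted_text)
    findings, auth = [], plain.get(PREFIX + "authType")
    if auth not in ("AAD_CLIENT_CREDENTIAL", "AAD_MANAGED_IDENTITY"):
        findings.append("authType must be AAD_CLIENT_CREDENTIAL or AAD_MANAGED_IDENTITY")
    if not VAULT_URL_RE.match(plain.get(PREFIX + "vaultUrl", "")):
        findings.append("vaultUrl must be https://<vault-name>.vault.azure.net")
    if not UUID_RE.match(plain.get(PREFIX + "tenantId", "")):
        findings.append("tenantId is missing or not a UUID")
    if auth == "AAD_CLIENT_CREDENTIAL":
        if not UUID_RE.match(plain.get(PREFIX + "clientId", "")):
            findings.append("clientId is missing or not a UUID")
        if PREFIX + "clientSecret" in plain:
            findings.append("clientSecret is plaintext under <properties>; move it to <propertiesEncrypted>")
        if not enc.get(PREFIX + "clientSecret", "").startswith("crypted:AES:"):
            findings.append("clientSecret is missing from <propertiesEncrypted> or not a crypted:AES: value")
    elif auth == "AAD_MANAGED_IDENTITY" and any(PREFIX + "clientSecret" in d for d in (plain, enc)):
        findings.append("Managed Identity needs no clientSecret; a stored secret defeats its purpose")
    return findings

# Constructed sample: the weak layout (plaintext secret, http URL) and its corrected form.
WEAK = """ata.jdbc.aad.keyvault.authType = AAD_CLIENT_CREDENTIAL
ata.jdbc.aad.keyvault.clientId = 11111111-2222-3333-4444-555555555555
ata.jdbc.aad.keyvault.clientSecret = my-plaintext-secret
ata.jdbc.aad.keyvault.vaultUrl = http://example-vault.vault.azure.net
ata.jdbc.aad.keyvault.tenantId = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"""
FIXED = WEAK.replace("ata.jdbc.aad.keyvault.clientSecret = my-plaintext-secret\n", "").replace("http://", "https://")
FIXED_ENC = '<property name="ata.jdbc.aad.keyvault.clientSecret" value="crypted:AES:constructedCiphertext"/>'
```

Running `lint_keyvault_config(WEAK)` reports the plaintext secret, the missing encrypted secret and the non-HTTPS vault URL, while `lint_keyvault_config(FIXED, FIXED_ENC)` returns no findings.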