ONE Desktop ONE DQG ONE MDM ONE RDM ONE Runtime Server
latest (15.1.0) 14.5.x 13.9.x 13.8.x 13.7.x 13.6.x 13.5.0 13.4.x 13.3.x 13.2.x
User Community Service Desk Downloads
If you can't find the product or version you're looking for, visit support.ataccama.com/downloads

Azure Active Directory Key Vault Authentication

Azure Active Directory is Microsoft’s enterprise cloud-based identity and access management (IAM) solution. It can be used to authenticate to various data sources incl.: Azure SQL Database, Azure Synapse Database, Databricks, and Snowflake.

Ataccama ONE Platform supports two types of AAD authentication: Service Principal with a secret and Managed Identity:

  • AAD Service Principal authenticates using a client ID and a secret.

  • Managed Identity is limited to one Azure virtual machine so that the client (i.e. DPE running on the same Azure VM) does not need to provide any other credentials to authenticate to a data source or key vault.

Azure Active Directory Key Vault

Key Vault is a cloud service that provides a secure store for keys, passwords, certificates and other secrets. It is not another authentication method but rather a way how to make sure your secrets for Service Principal or Managed Identity are stored in a very safe manner. You can refer to Key Vault service in the following ways:

Key Vault Service Principal

The following Runtime Configuration properties are used to configure your DPE to authenticate using Azure Key Vault with Active Directory Service Principal for JDBC connections. It is recommended to store the client secret in the <properties encrypted> section.

Key Vault Service Principal
<properties>
    ata.jdbc.aad.keyvault.authType = AAD_CLIENT_CREDENTIAL
    ata.jdbc.aad.keyvault.clientId = <Service Principal client ID (UUID format)>
    <!-- ata.jdbc.aad.keyvault.clientSecret = <client secret to Key Vault> -->
    ata.jdbc.aad.keyvault.vaultUrl = <key vault URL (https://your-vault-name.vault.azure.net)>
    ata.jdbc.aad.keyvault.tenantId = <tenant ID of your subscription (UUID format)>
</properties>

<propertiesEncrypted>
    <property name="ata.jdbc.aad.keyvault.clientSecret" value="crypted:AES:encryptedValue"/>
</propertiesEncrypted>

Key Vault Managed Identity

The following Runtime Configuration properties are used to configure your Azure-based DPE to authenticate using Azure Key Vault with Active Directory Managed Identity service for JDBC connections. The DPE instance needs to run on an Azure VM within one tenant and Managed Identity needs to be configured for the VM in Azure Active Directory.

Key Vault Managed Identity
ata.jdbc.aad.keyvault.authType = AAD_MANAGED_IDENTITY
ata.jdbc.aad.keyvault.vaultUrl = <key vault URL (https://your-vault-name.vault.azure.net)>
ata.jdbc.aad.keyvault.tenantId = <tenant ID of your subscription (UUID format)>

Was this page useful?