Lead your team forward
OCT 24 / 9AM ET Register nowAzure Active Directory Key Vault Authentication
Azure Active Directory (AAD) is Microsoft’s enterprise cloud-based identity and access management (IAM) solution. It can be used to authenticate to various data sources including Azure SQL Database, Azure Synapse Database, Databricks, and Snowflake.
Ataccama ONE Platform supports two types of AAD authentication: service principal with a secret and managed identity:
-
An AAD service principal authenticates using a
client ID
and asecret
. -
A managed identity is limited to one Azure virtual machine (VM) so that the client (that is, Data Processing Engine running on the same Azure VM) does not need to provide any other credentials to authenticate to a data source or key vault.
It is now possible to create a Secret Management Service using Azure Key Vault, and then retrieve credentials from this service when creating new datasource connections. We recommend using the Secret Management Service instead of changing the runtime configuration. |
Azure Active Directory Key Vault
Key Vault is a cloud service that provides a secure store for keys, passwords, certificates, and other secrets. It is not another authentication method but rather a way of making sure your secrets for service principal or managed identity are stored in a very safe manner. You can refer to Key Vault service as explained in the following sections.
Key Vault service principal
The following runtime configuration properties are used to configure your DPE to authenticate using Azure Key Vault with AD service principal for JDBC connections. We recommend storing the client secret encrypted.
<properties>
ata.jdbc.aad.keyvault.authType = AAD_CLIENT_CREDENTIAL
ata.jdbc.aad.keyvault.clientId = <service principal client ID (UUID format)>
<!-- ata.jdbc.aad.keyvault.clientSecret = <client secret to Key Vault> -->
ata.jdbc.aad.keyvault.vaultUrl = <key vault URL (https://your-vault-name.vault.azure.net)>
ata.jdbc.aad.keyvault.tenantId = <tenant ID of your subscription (UUID format)>
</properties>
<propertiesEncrypted>
<property name="ata.jdbc.aad.keyvault.clientSecret" value="crypted:AES:encryptedValue"/>
</propertiesEncrypted>
Key Vault managed identity
The following runtime configuration properties are used to configure your Azure-based DPE to authenticate using Azure Key Vault with AD managed identity service for JDBC connections. The DPE instance needs to run on an Azure VM within one tenant and the managed identity needs to be configured for the VM in AAD.
ata.jdbc.aad.keyvault.authType = AAD_MANAGED_IDENTITY
ata.jdbc.aad.keyvault.vaultUrl = <key vault URL (https://your-vault-name.vault.azure.net)>
ata.jdbc.aad.keyvault.tenantId = <tenant ID of your subscription (UUID format)>
Was this page useful?