
Azure Active Directory Key Vault Authentication

Azure Active Directory (AAD) is Microsoft’s enterprise cloud-based identity and access management (IAM) solution. It can be used to authenticate to various data sources including Azure SQL Database, Azure Synapse Database, Databricks, and Snowflake.

Ataccama ONE Platform supports two types of AAD authentication: service principal with a secret and managed identity:

  • An AAD service principal authenticates using a client ID and a secret.

  • A managed identity is bound to a single Azure virtual machine (VM), so the client (that is, the Data Processing Engine (DPE) running on that Azure VM) does not need to provide any other credentials to authenticate to a data source or key vault.

It is now possible to create a Secret Management Service using Azure Key Vault and then retrieve credentials from this service when creating new data source connections. We recommend using the Secret Management Service instead of changing the runtime configuration.

Azure Active Directory Key Vault

Key Vault is a cloud service that provides a secure store for keys, passwords, certificates, and other secrets. It is not another authentication method but a way of ensuring that the secrets used by your service principal or managed identity are stored securely. How to refer to the Key Vault service is explained in the following sections.

Key Vault service principal

The following runtime configuration properties configure your DPE to authenticate to Azure Key Vault with an AAD service principal for JDBC connections. We recommend storing the client secret encrypted rather than in plaintext.

Runtime configuration
<properties>
    ata.jdbc.aad.keyvault.authType = AAD_CLIENT_CREDENTIAL
    ata.jdbc.aad.keyvault.clientId = <service principal client ID (UUID format)>
    <!-- ata.jdbc.aad.keyvault.clientSecret = <client secret to Key Vault> -->
    ata.jdbc.aad.keyvault.vaultUrl = <key vault URL (https://your-vault-name.vault.azure.net)>
    ata.jdbc.aad.keyvault.tenantId = <tenant ID of your subscription (UUID format)>
</properties>

<propertiesEncrypted>
    <property name="ata.jdbc.aad.keyvault.clientSecret" value="crypted:AES:encryptedValue"/>
</propertiesEncrypted>

Key Vault managed identity

The following runtime configuration properties configure your Azure-based DPE to authenticate to Azure Key Vault with an AAD managed identity for JDBC connections. The DPE instance needs to run on an Azure VM within one tenant, and the managed identity needs to be configured for that VM in AAD.

Properties
ata.jdbc.aad.keyvault.authType = AAD_MANAGED_IDENTITY
ata.jdbc.aad.keyvault.vaultUrl = <key vault URL (https://your-vault-name.vault.azure.net)>
ata.jdbc.aad.keyvault.tenantId = <tenant ID of your subscription (UUID format)>
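The two configurations above differ only in which properties are required and whether a secret is present at all. The following added example (not Ataccama's own tooling) parses a runtime configuration in the format shown on this page and flags the mistakes a reviewer would look for: a client secret left in the plain `<properties>` block instead of `<propertiesEncrypted>`, a required property missing for the chosen `authType`, or a client ID, tenant ID or vault URL that does not match the format the page specifies. The sample configuration, its UUIDs and vault name are constructed placeholders; the `crypted:AES:` prefix check assumes that the encrypted value always starts as shown on this page.

```python
import re
# Constructed sample in the runtime configuration format shown on this page (placeholder UUIDs and vault name).
SAMPLE_CONFIG = """
<properties>
    ata.jdbc.aad.keyvault.authType = AAD_CLIENT_CREDENTIAL
    ata.jdbc.aad.keyvault.clientId = 11111111-2222-3333-4444-555555555555
    <!-- ata.jdbc.aad.keyvault.clientSecret = commented-out-plaintext -->
    ata.jdbc.aad.keyvault.vaultUrl = https://example-vault.vault.azure.net
    ata.jdbc.aad.keyvault.tenantId = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
</properties>
<propertiesEncrypted>
    <property name="ata.jdbc.aad.keyvault.clientSecret" value="crypted:AES:encryptedValue"/>
</propertiesEncrypted>
"""
PREFIX = "ata.jdbc.aad.keyvault."
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
FORMATS = {"clientId": UUID_RE, "tenantId": UUID_RE,
           "vaultUrl": re.compile(r"^https://[a-z0-9-]+\.vault\.azure\.net/?$")}
# Properties each authType must supply (plain or encrypted); managed identity needs no secret.
REQUIRED = {"AAD_CLIENT_CREDENTIAL": ("clientId", "clientSecret", "vaultUrl", "tenantId"),
            "AAD_MANAGED_IDENTITY": ("vaultUrl", "tenantId")}
def parse_config(text):
    """Split the config into plain key=value properties and <propertiesEncrypted> entries."""
    plain, encrypted = {}, {}
    block = re.search(r"<properties>(.*?)</properties>", text, re.S)
    for line in (block.group(1) if block else "").splitlines():
        line = line.strip()
        if line and not line.startswith("<!--") and "=" in line:  # skip blanks and XML comments
            key, _, value = line.partition("=")
            plain[key.strip()] = value.strip()
    enc = re.search(r"<propertiesEncrypted>(.*?)</propertiesEncrypted>", text, re.S)
    for name, value in re.findall(r'<property name="([^"]+)" value="([^"]*)"', enc.group(1) if enc else ""):
        encrypted[name] = value
    return plain, encrypted
def check_config(text):
    """Return a list of findings; an empty list means the configuration passed every check."""
    plain, encrypted = parse_config(text)
    auth = plain.get(PREFIX + "authType")
    if auth not in REQUIRED:
        return [f"unknown or missing authType: {auth!r}"]
    findings = [f"missing {PREFIX}{p} for {auth}" for p in REQUIRED[auth]
                if PREFIX + p not in plain and PREFIX + p not in encrypted]
    enc_secret = encrypted.get(PREFIX + "clientSecret", "crypted:AES:")
    if PREFIX + "clientSecret" in plain or not enc_secret.startswith("crypted:AES:"):
        findings.append("clientSecret must live in <propertiesEncrypted> with the crypted:AES: prefix")
    findings += [f"{p} has an unexpected format: {plain[PREFIX + p]}" for p, rx in FORMATS.items()
                 if PREFIX + p in plain and not rx.match(plain[PREFIX + p])]
    return findings
```

Running `check_config(SAMPLE_CONFIG)` returns an empty list; uncommenting the plaintext secret line produces a clientSecret finding, and a managed-identity config without `tenantId` reports the missing property.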
