When attempting to add a connection from a Microsoft Azure Data Factory (ADF) to an Azure Key Vault I received the below message when trying to select a secret.
The user, group or application ‘name=Microsoft.DataFactory/factories;appid=xyz;iss=https://sts.windows.net/xyc’ does not have secrets list permission on key vault ‘xyz:location=uksouth’. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287 Activity ID: 544adcb6-fbe7-473a-b39e-ceb16e69af07
As the message states, the problem is that the Data Factory does not have the "LIST Secrets" permission on the Key Vault. To actually use the secrets from the Key Vault, the "GET Secrets" permission is also required.
Below I will detail how to give your Data Factory the required permissions on a Key Vault.
- Login to your Azure admin portal – https://portal.azure.com
- Browse to your Key Vault resource.
- Under Settings on the left, select Access Policies.
- Click Add Access Policy.
- Under the Secret permissions dropdown, tick the permissions GET and LIST.
- Click the None selected link to the right of Select principal.
- Search for the name of your Azure Data Factory and click it to add it to the Select items list at the bottom.
- Click the Add button on the Add access policy screen to add your new policy, giving your Data Factory the list and get permissions on secrets.
- You will now be taken back to the Access policies screen, where you will see your newly created policy. Click Save at the top.
- Your Azure Data Factory will now be able to use secrets from your Azure Key Vault.
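The same grant done with the Azure CLI, as an added example that is not part of the original post: it resolves the factory's managed identity, grants only get and list on secrets, and, going beyond the portal steps above, falls back to the built-in Key Vault Secrets User role for vaults that use the RBAC permission model, where access policies are ignored. Resource group, factory and vault names are placeholders, and the AZ variable lets you point the functions at a stub for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholder names throughout.
set -eu

AZ="${AZ:-az}"   # Azure CLI; point AZ at a stub function to dry-run

# Resolve the object id of the factory's system-assigned managed identity
# straight from the ARM resource, so no directory display-name lookup is needed.
adf_principal_id() {
  local rg="$1" factory="$2"
  "$AZ" resource show --resource-group "$rg" --name "$factory" \
    --resource-type "Microsoft.DataFactory/factories" \
    --query identity.principalId -o tsv
}

# Grant exactly what the post says ADF needs: get + list on secrets.
# Vaults with the RBAC permission model ignore access policies, so there
# the equivalent is the built-in "Key Vault Secrets User" data-plane role.
grant_adf_secret_access() {
  local rg="$1" factory="$2" vault="$3" pid rbac scope
  pid="$(adf_principal_id "$rg" "$factory")"
  [ -n "$pid" ] || { echo "factory has no managed identity enabled" >&2; return 1; }
  rbac="$("$AZ" keyvault show --name "$vault" \
    --query properties.enableRbacAuthorization -o tsv)"
  if [ "$rbac" = "true" ]; then
    scope="$("$AZ" keyvault show --name "$vault" --query id -o tsv)"
    "$AZ" role assignment create --role "Key Vault Secrets User" \
      --assignee-object-id "$pid" --assignee-principal-type ServicePrincipal \
      --scope "$scope" >/dev/null
    echo "rbac:$pid"
  else
    "$AZ" keyvault set-policy --name "$vault" --object-id "$pid" \
      --secret-permissions get list >/dev/null
    echo "policy:$pid"
  fi
}

# Check the resulting access policy is get+list and nothing more
# (no accidental set/delete/purge on a service identity). Permission
# names come back in mixed case depending on how they were set, so normalise.
verify_secret_policy() {
  local vault="$1" pid="$2" perms
  perms="$("$AZ" keyvault show --name "$vault" \
    --query "properties.accessPolicies[?objectId=='$pid'].permissions.secrets[]" \
    -o tsv | tr 'A-Z' 'a-z' | sort | paste -sd ' ' -)"
  [ "$perms" = "get list" ]
}

# Usage with placeholder names: grant, then verify the least-privilege shape.
# pid=$(grant_adf_secret_access my-rg my-adf my-kv | cut -d: -f2)
# verify_secret_policy my-kv "$pid" && echo "policy is get+list only"
```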