Azure Key Vault is a cloud-based service provided by Microsoft that allows you to store and manage cryptographic keys, certificates, and secrets used in your applications. It provides a secure and centralized way to manage your application secrets and keys.
Power Automate, on the other hand, is a cloud-based service provided by Microsoft that allows you to create automated workflows to simplify repetitive tasks and business processes.
In this blog, we will explore how to access Azure Key Vault from Power Automate and how you can use it to automate tasks.
There are two options to get this working; I will share both with screenshots:
- Use the Azure Key Vault premium connector.
- Use the HTTP premium connector.
You may wonder why the second approach, the HTTP connector, is needed when the Azure Key Vault premium connector is available.
The difference appears with instant flows. With the first approach (the Azure Key Vault premium connector), every user who runs the instant flow needs a premium license. With the HTTP premium connector this is not required, because the action does not run under the user's context, so only the flow owner needs a premium license.
Here is Microsoft's excerpt about the HTTP connector:
Reference: Frequently asked questions about Power Automate licensing
Here is how you can use the premium Azure Key Vault connector:
Use the Get Secret action from the Azure Key Vault connector and authenticate to Azure Key Vault (the account only needs Get rights for secrets in the key vault's access policy, as you can see below).
Here is the Power Automate screenshot showing the whole flow. Please make sure you open the action settings and enable Secure Inputs/Outputs on Get Secret, and Secure Inputs on any other action that uses the secret value from Key Vault. In the case below I am using the secret value in an HTTP action.
Approach 2: use the HTTP connector to fetch the secret and then use it in another connector, or in an HTTP action that calls some other API.
First, register an Azure AD app and grant it the user_impersonation permission from the Azure Key Vault API.
You can use a client secret or a client certificate; we used a certificate.
Now give this app secret read permission in the key vault's access policy, as shown previously.
Here is the screenshot of the HTTP connector configuration:
URI: the URI of the secret
The important part is to append ?api-version=7.3 to the end of the secret URI.
Audience should be https://vault.azure.net.
The certificate value must be base64-encoded, followed by the certificate's password.
How to convert the certificate to a base64 value:
# Windows PowerShell 5.1: -Encoding Byte returns the raw bytes of the .pfx (on PowerShell 7 use -AsByteStream instead)
$fileContentBytes = Get-Content 'C:\temp\cert.pfx' -Encoding Byte
# Base64-encode the bytes; this string is what goes into the HTTP connector's Pfx field
$fileContent = [System.Convert]::ToBase64String($fileContentBytes)
$fileContent | Out-File 'C:\temp\pfxbase64.txt'
The next step is to parse the output using the Parse JSON action.
Note: do not forget to enable Secure Inputs/Outputs in the action settings so that the secret is not revealed in the flow run logs.
These are the two methods you can use in Power Automate to retrieve secrets securely from Key Vault and use them in later actions.
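To make visible what the HTTP connector configured above actually does (token request against the Key Vault audience, GET on the secret URI with api-version=7.3, then the JSON the Parse JSON action receives), here is the same exchange as an added PowerShell example that is not part of the original post. It uses a client secret instead of the certificate the post used; the tenant id, client id, client secret, vault name and secret name are placeholders you must replace.

```powershell
# Placeholders (constructed for this example): replace with your own values
$TenantId     = '<tenant-id>'
$ClientId     = '<app-registration-client-id>'
$ClientSecret = '<app-client-secret>'       # the post used a certificate; a client secret is used here for brevity
$VaultName    = '<your-keyvault-name>'
$SecretName   = '<secret-name>'

# 1. Client-credentials token. The connector's Audience of https://vault.azure.net
#    corresponds to the scope https://vault.azure.net/.default on the v2.0 token endpoint.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://vault.azure.net/.default'
    }

# 2. GET the secret. api-version=7.3 must be appended, exactly as in the connector's URI field.
$secretUri = "https://$VaultName.vault.azure.net/secrets/$SecretName?api-version=7.3"
$secret = Invoke-RestMethod -Method Get -Uri $secretUri `
    -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 3. The response body is what the Parse JSON action sees. Its shape is:
#    { "value": "...", "id": "https://<vault>.vault.azure.net/secrets/<name>/<version>",
#      "attributes": { "enabled": true, "created": <epoch>, "updated": <epoch>, "recoveryLevel": "..." } }
#    Only 'value' is needed downstream; it is the field that Secure Outputs keeps out of the run logs.
$secret | Select-Object id, attributes | Format-List   # metadata only, safe to display
$secretValue = $secret.value                           # never write this to the console or a log
```

The app registration only needs the Get permission for secrets in the vault's access policy, the same minimum the post assigns to the connector account.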
Thanks for reading…
Tech Wizard