Access Azure Key Vault from PowerAutomate

Azure Key Vault is a cloud-based service provided by Microsoft that allows you to store and manage cryptographic keys, certificates, and secrets used in your applications. It provides a secure and centralized way to manage your application secrets and keys.

Power Automate, on the other hand, is a cloud-based service provided by Microsoft that allows you to create automated workflows to simplify repetitive tasks and business processes.

In this blog, we will explore how to access Azure Key Vault from Power Automate and how you can use it to automate tasks.

There are two options to get this working; I will share both, with screenshots:

  1. Use the Azure Key Vault premium connector.
  2. Use the HTTP premium connector.

You may wonder why the second approach (the HTTP connector) is needed when the Azure Key Vault premium connector is available.

The difference shows up with instant flows. With the first approach, the Azure Key Vault premium connector, every user who runs the instant flow needs a premium license. With the HTTP premium connector that is not required: the connector does not run under the user's context, so only the flow owner needs a premium license.

Here is the Microsoft excerpt about the HTTP connector:


Reference: Frequently asked questions about Power Automate licensing

Here is how you can use the premium Azure Key Vault connector.

Use the Get Secret action from the Azure Key Vault connector and authenticate to Azure Key Vault (the account only needs the Get permission on secrets in the Key Vault access policy, as you can see below).


Here is the Power Automate screenshot showing the whole flow. Make sure you open the action settings and enable Secure Inputs/Outputs on Get Secret, and Secure Inputs on any other connector that uses the secret value from the Key Vault. In the case below I use the secret value in the HTTP connector.


Approach 2: use the HTTP connector to fetch the secret, then use it in another connector or in a second HTTP connector that calls some other API.

First, register an Azure AD app with the user_impersonation permission from the Azure Key Vault API.


You can use a client secret or a client certificate; we used a certificate.

Now give this app read (Get) permission on secrets in the Key Vault access policy, as shown previously.

Here is the screenshot for the HTTP connector.

URI: the URI of the secret.

The important part is to append ?api-version=7.3 to the end of the secret URI.

Audience should be https://vault.azure.net


The certificate value should be base64-encoded, and then the certificate password must be added.

How to convert the certificate to a base64 value:

# Windows PowerShell 5.1: -Encoding Byte returns the raw bytes of the PFX file
# (on PowerShell 7 use Get-Content -AsByteStream instead)
$fileContentBytes = Get-Content 'C:\temp\cert.pfx' -Encoding Byte
# Base64-encode the bytes; this string goes into the HTTP action's certificate field
$fileContent = [System.Convert]::ToBase64String($fileContentBytes)
$fileContent | Out-File 'c:\temp\pfxbase64.txt'

The next step is to parse the output with the Parse JSON action.


Note: Do not forget to enable Secure Inputs/Outputs in the action settings so that the secret is not revealed in the flow run logs.
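To make the HTTP connector configuration and the Parse JSON step concrete, here is an added Python example. It is not code from the original post and not a Power Automate or Azure SDK API: it builds the secret URI with the api-version query, checks the audience and host, parses a constructed Key Vault reply the way the Parse JSON action would (including the error envelope you get when the app lacks Get on secrets), and shows the redaction that Secure Inputs/Outputs gives you in run logs. The vault name, secret name, sample replies, schema and helper names are all assumptions.

```python
"""Added example (not from the original post): models the HTTP-connector request to
Azure Key Vault and the Parse JSON step that follows it. All names below are constructed."""
import json
import re
from urllib.parse import parse_qs, urlsplit

KEY_VAULT_AUDIENCE = "https://vault.azure.net"  # audience value given in the post
API_VERSION = "7.3"                              # api-version value given in the post

VAULT_NAME = "contoso-kv"        # constructed vault name
SECRET_NAME = "backend-api-key"  # constructed secret name

# Constructed reply, shaped like a Key Vault "get secret" response.
SAMPLE_RESPONSE = json.dumps({
    "value": "s3cr3t-constructed-value",
    "id": f"https://{VAULT_NAME}.vault.azure.net/secrets/{SECRET_NAME}/0123456789abcdef",
    "attributes": {"enabled": True, "created": 1680000000, "updated": 1680000000,
                   "recoveryLevel": "Recoverable+Purgeable"},
})
# Constructed error envelope, what you see when the app has no Get permission on secrets.
SAMPLE_ERROR = json.dumps({
    "error": {"code": "Forbidden",
              "message": "Caller is not authorized to perform action on resource."}
})

# Schema for the Parse JSON action, derived from the reply shape above (constructed).
PARSE_JSON_SCHEMA = {
    "type": "object",
    "properties": {
        "value": {"type": "string"},
        "id": {"type": "string"},
        "attributes": {"type": "object", "properties": {"enabled": {"type": "boolean"}}},
    },
    "required": ["value"],
}


def build_secret_request(vault_name: str, secret_name: str, version: str = "") -> dict:
    """Return the fields the HTTP action needs: method, URI with api-version, audience."""
    path = f"/secrets/{secret_name}" + (f"/{version}" if version else "")
    uri = f"https://{vault_name}.vault.azure.net{path}?api-version={API_VERSION}"
    return {"method": "GET", "uri": uri, "audience": KEY_VAULT_AUDIENCE}


def check_request(req: dict) -> list:
    """Catch the configuration mistakes the post warns about; returns a list of problems."""
    problems = []
    parts = urlsplit(req["uri"])
    if parts.scheme != "https":
        problems.append("URI must use https")
    if not parts.hostname or not parts.hostname.endswith(".vault.azure.net"):
        problems.append("host is not a Key Vault endpoint (*.vault.azure.net)")
    if "api-version" not in parse_qs(parts.query):
        problems.append("missing ?api-version=<n> on the secret URI")
    if req.get("audience") != KEY_VAULT_AUDIENCE:
        problems.append(f"audience must be {KEY_VAULT_AUDIENCE}")
    return problems


def parse_secret_response(body: str) -> dict:
    """Mirror of the Parse JSON action: pull 'value' and 'id' out of the Key Vault reply.
    Raises ValueError on a Key Vault error envelope or a reply without 'value'."""
    doc = json.loads(body)
    if "error" in doc:
        err = doc["error"]
        raise ValueError(f"Key Vault error {err.get('code')}: {err.get('message')}")
    for field in PARSE_JSON_SCHEMA["required"]:
        if field not in doc:
            raise ValueError(f"response has no '{field}' field")
    return {"value": doc["value"], "id": doc.get("id", ""),
            "enabled": doc.get("attributes", {}).get("enabled", False)}


def redact_for_log(text: str, secret: str) -> str:
    """What Secure Inputs/Outputs achieves for run logs: strip the secret value and any
    bearer token before a line is written anywhere."""
    text = re.sub(r"Bearer\s+[A-Za-z0-9._~+/-]+=*", "Bearer ***REDACTED***", text)
    if secret:
        text = text.replace(secret, "***REDACTED***")
    return text


if __name__ == "__main__":
    req = build_secret_request(VAULT_NAME, SECRET_NAME)
    print(req["uri"], "problems:", check_request(req))
    parsed = parse_secret_response(SAMPLE_RESPONSE)
    print(redact_for_log(f"fetched {parsed['id']} value={parsed['value']}", parsed["value"]))
```

`check_request` is the pre-flight a practitioner runs mentally when filling in the HTTP action: https, a `*.vault.azure.net` host, the `api-version` query and the exact audience string. `parse_secret_response` is the same extraction the Parse JSON action performs with `PARSE_JSON_SCHEMA`, and the error branch is what you should expect before the access policy grant has been applied.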


These are the two methods you can use in Power Automate to get secrets securely out of Key Vault and use them further in your flows.


Thanks for reading…

Tech Wizard


https://techwizard.cloud

https://syscloudpro.com/

PowerShell Fast Track
