Skip to main content
Solved

Runtime server / ONE Desktop connection to Azure Keyvault

  • September 5, 2024
  • 6 replies
  • 81 views
may_kwok
Star Blazer L3
Forum|alt.badge.img+4

I have a use case where I want to store some client id and secret in my own company’s Azure keyvault.

Then I have a component which needs to use the client id and secret to authenticate against a 3rd party, so I can issue a GET call to get some data.

 

So I am thinking:

  1. Runtime server authenticate against keyvault
  2. Runtime server issue a “get secret” call to keyvault
  3. Keyvault sends back the secret
  4. Runtime server takes the secret and authenticate against 3rd party
  5. Runtime server issue a “get data” call to 3rd party
  6. 3rd party sends me back the actual data

 

What authentication methods from runtime server to keyvault are supported? I had a look at Azure keyvault’s documentation but I don’t think I understand it fully. https://learn.microsoft.com/en-us/azure/key-vault/general/authentication

 

Has anybody else done it? What’s your experience?

Best answer by AKislyakov

Hi @maykwok_hamilton,

The only supported authentication options for URL resources in Runtime Server are: Basic, Open ID Connect (with client/secret) and mTLS. The Secret Manager you mentioned is only applicable for One Gen2 sources.

Can’t speak for any authentication method, but for OAuth2 there is an option to send client_id/client_secret via Basic auth header.
So, your first call will look like following (these are connections ##2 and 3 on your diagram, but they go to Microsoft OAuth):

with an Url Resource configured like this

<url name="EntraApiToken" url="https://login.microsoftonline.com/<TENANT>/oauth2/v2.0/token">
    <authConfig user="<CLIENT_ID>" password="<CLIENT_SECRET>" class="com.ataccama.dqc.processor.bin.config.auth.BasicAuthConfig"/>
</url>

 

View original
Did this topic help you find an answer to your question?

6 replies

may_kwok
Star Blazer L3
Forum|alt.badge.img+4
  • may_kwokStar Blazer L3
  • Author
  • Star Blazer L3
  • 82 replies
  • September 5, 2024

We found this in the docs:

Secret Management Services :: Ataccama ONE

But it looks like it’s only available in ONE, not in runtime server. And that this is v15. We are still on v14 right now.

Any chance this could be available in runtime server at some point?

 

( cc @Scott Barden @DannyRyan )

may_kwok
Star Blazer L3
Forum|alt.badge.img+4
  • may_kwokStar Blazer L3
  • Author
  • Star Blazer L3
  • 82 replies
  • September 9, 2024

I drew a diagram hoping to make it clearer 

If someone from Ataccama has any comments it would be greatly appreciated!

may_kwok
Star Blazer L3
Forum|alt.badge.img+4
  • may_kwokStar Blazer L3
  • Author
  • Star Blazer L3
  • 82 replies
  • September 17, 2024

Anyone has any ideas?

I suppose this actually extends beyond keyvault. What if when you need to do OAuth / any authentication method that goes beyond the simple username/password or client_id/client_secret, short of storing the creds in plain text in a json call step (or passing as parameters from .ewf or .sch, but it’ll still be on plain text in git project), what other options do I have?

(Cheekily tagging @AKislyakov - have you had to deal with something like this before?)

A
Ataccamer
Forum|alt.badge.img+2
  • AKislyakovAtaccamer
  • Ataccamer
  • 146 replies
  • Answer
  • September 18, 2024

Hi @maykwok_hamilton,

The only supported authentication options for URL resources in Runtime Server are: Basic, Open ID Connect (with client/secret) and mTLS. The Secret Manager you mentioned is only applicable for One Gen2 sources.

Can’t speak for any authentication method, but for OAuth2 there is an option to send client_id/client_secret via Basic auth header.
So, your first call will look like following (these are connections ##2 and 3 on your diagram, but they go to Microsoft OAuth):

with an Url Resource configured like this

<url name="EntraApiToken" url="https://login.microsoftonline.com/<TENANT>/oauth2/v2.0/token">
    <authConfig user="<CLIENT_ID>" password="<CLIENT_SECRET>" class="com.ataccama.dqc.processor.bin.config.auth.BasicAuthConfig"/>
</url>

 

Cansu
1 person likes this
  • Cansu
    Cansu
may_kwok
Star Blazer L3
Forum|alt.badge.img+4
  • may_kwokStar Blazer L3
  • Author
  • Star Blazer L3
  • 82 replies
  • September 18, 2024

Ooh this is one combination I haven't tried. Going to give it a go today, thank you!

Cansu
1 person likes this
  • Cansu
    Cansu
may_kwok
Star Blazer L3
Forum|alt.badge.img+4
  • may_kwokStar Blazer L3
  • Author
  • Star Blazer L3
  • 82 replies
  • September 19, 2024

Yes, it worked! Thanks @AKislyakov !

Cansu
1 person likes this
  • Cansu
    Cansu

Reply


Most Liked this week

Community Terms of Use & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings