Sensitive Information Management in Azure Data Factory
Azure Key Vaults
In certain BimlFlex solutions, some properties are stored in Azure Key Vaults (AKV) for security purposes. AKV is a cloud service that provides secure storage for sensitive information: users can securely store keys, passwords, certificates, and other secrets. AKVs may be created and managed through the Azure Portal.
Auto-Generated Key Vaults
If the user does not supply an AKV name in the project settings, BimlFlex will generate an AKV for the user. The AKV will be named with the following naming pattern:
AKV-{Random Hash}
This name is regenerated on each build, so it is highly recommended to use a named Key Vault so that the secrets are maintained in a single persistent Key Vault.
AzureKeyVault Property
The name of the AKV that will be used by your project is determined by the AzureKeyVault property value in your BimlFlex settings. If you do not populate the AzureKeyVault setting in your project, a new AKV will be generated each time the project runs, which is typically undesired. Once the AKV has been auto-generated for the first time, use that AKV name as the AzureKeyVault setting so that the same AKV is used going forward.
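Because an unpinned AzureKeyVault setting leaves a new AKV-{Random Hash} vault behind on every build, each of those earlier vaults may still hold secrets. The following added example (not BimlFlex code, and not from this page) takes the project's configured vault name and a list of vault names in the subscription and reports the auto-generated vaults the project no longer points at; the list of names is a constructed sample, and the exact hash format is assumed to be any single token after the AKV- prefix.

```python
import re
from typing import Dict, List, Optional

# Assumption (not documented on this page): an auto-generated vault name is the
# literal prefix "AKV-" followed by one opaque token. Because the hash format is
# not specified, the pattern only requires a non-empty token after the prefix.
AUTO_GENERATED = re.compile(r"^AKV-[^\s/]+$")


def is_auto_generated(vault_name: str) -> bool:
    """True if the name follows the AKV-{Random Hash} naming pattern."""
    return AUTO_GENERATED.match(vault_name) is not None


def audit_key_vaults(configured: Optional[str], existing: List[str]) -> Dict:
    """Compare the project's AzureKeyVault setting with the vaults that exist.

    Returns a dict with:
      configured        - the AzureKeyVault setting value (None if unset)
      configured_exists - whether that vault is actually present
      orphaned          - auto-generated vaults the project no longer uses;
                          each may still contain secrets written by an
                          earlier build and should be reviewed and cleaned up
    """
    orphaned = sorted(
        name for name in existing
        if is_auto_generated(name) and name != configured
    )
    return {
        "configured": configured,
        "configured_exists": configured is not None and configured in existing,
        "orphaned": orphaned,
    }


# Constructed sample: three builds ran before the setting was pinned, plus two
# vaults that were created by hand and are unrelated to the naming pattern.
SAMPLE_VAULTS = [
    "AKV-3f9a1c0e",
    "AKV-b71d2e44",
    "AKV-0c5e77aa",
    "bimlflex-prod-kv",
    "shared-infra-kv",
]

if __name__ == "__main__":
    for setting in (None, "AKV-0c5e77aa"):
        print(audit_key_vaults(setting, SAMPLE_VAULTS))
```

In practice the vault names would come from the subscription (for example the output of `az keyvault list`) rather than the embedded sample.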
Extension Points
Users can also utilize BimlFlex Extension Points in the event that the project needs to access secrets that are not generated by BimlFlex. An example of an AKV extension point is provided below:
<#@ extension bundle="BimlFlex.bimlb" extensionpoint="AdfAzureKeyVault" #>
<AzureKeyVault Name="BimlFlexKeyVault1" Url="https://<azureKeyVaultName1>.vault.azure.net"></AzureKeyVault>
<AzureKeyVault Name="BimlFlexKeyVault2" Url="https://<azureKeyVaultName2>.vault.azure.net"></AzureKeyVault>