How to use KeyVault secret for Logic App SQL Connection String - sql-server

I have an Azure Logic App which connects to a SQL Server database. Currently I am saving the connection string in the configuration section of the Logic App.
I am planning to use Azure Key Vault and get the connection string from there.
I have gone through the online articles which tell about the Key Vault connector, but I am not looking for that.
I want to use the Key Vault secret for my SQL Server connections in the Azure Logic App.
I have also tried the SQL Get rows action, as you can see below, but I don't see any connection string textbox where I can use the Get secret action result.

As @Skin mentioned, you can use Azure Key Vault's Get secret action in your case. For this, search for the Azure Key Vault connector and select the Get secret action.
Now you need to establish a connection to your Key Vault by providing your vault name and tenant.
Then select the secret that you want to retrieve.
After you run the Logic App, you can see the value that is stored in your Key Vault.
In Vault:

The connection strings are saved as application settings of the Logic App.
Change connection string in configuration
There you can edit the app setting related to your connection string (sql_connectionString in my case) with @Microsoft.KeyVault(SecretUri=<keyvault name>.vault.azure.net/secrets/<name of your secret>) or optionally @Microsoft.KeyVault(SecretUri=<keyvault name>.vault.azure.net/secrets/<name of your secret>/<version>).
Once you save your application settings, you will see a green check and Key vault Reference in the source column of your application setting.
Key vault Reference

Related

How do I connect to Azure SQL from an Azure function using a managed identity (no credentials in connection string)?

I have an Azure Function app, written in C# and using .NET Core (3.x) running on Linux. I would like this set of functions to be able to connect to an Azure SQL database. I have followed this process:
I ensured that the function app has system-assigned managed identity enabled:
I created a user in my database using CREATE USER ... FROM EXTERNAL PROVIDER and added the user to the appropriate roles (db_datareader and db_datawriter in my case). In my case, I had to create an Azure AD group and add the managed identity to the group, and then create the user for the group (there were two AD identities with the name of the function app, for some reason...).
I set up the connection string in the function app's settings. This is where I think I've gone wrong. I am not clear on how to specify the correct connection string. Connection strings I tried:
Data Source=my-database-server.database.windows.net;Initial Catalog=my-database did not work. I saw errors such as this: Login failed for user ''.
Data Source=my-database-server.database.windows.net;Initial Catalog=my-database;Authentication=Active Directory Integrated (using System.Data.SqlClient) did not work. I saw errors such as this: Keyword not supported: 'authentication'.
Data Source=my-database-server.database.windows.net;Initial Catalog=my-database;Authentication=Active Directory Integrated (using Microsoft.Data.SqlClient) I saw errors such as this: MSAL cannot determine the username (UPN) of the currently logged in user.
What is the magic connection string incantation, or step that I am missing?
Use Microsoft.Data.SqlClient instead of System.Data.SqlClient if you are getting Keyword not supported: 'authentication'.
More details on the various values for authentication= and the supported library versions can be found here:
https://learn.microsoft.com/en-us/sql/connect/ado-net/sql/azure-active-directory-authentication?view=sql-server-ver16#setting-azure-active-directory-authentication
I can't claim any credit for this solution, I found it on reddit of all places!
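An added example, not part of the question or the answer above, showing the connection string that works for a managed identity with Microsoft.Data.SqlClient. The point the answer leaves implicit: Active Directory Integrated is for a domain-joined Windows client, which is why MSAL asks for a UPN on Linux; a function app should use Active Directory Managed Identity (keyword added in Microsoft.Data.SqlClient 2.1). Server and database names are the placeholders from the question; the SQL user in the comment is assumed to have been created as the question describes.

```csharp
// Added example (not from the original answer): connecting to Azure SQL from an
// Azure Function with the app's managed identity via Microsoft.Data.SqlClient.
// Assumes Microsoft.Data.SqlClient >= 2.1 and a database user created for the
// function app's identity, as in the question:
//   CREATE USER [my-function-app] FROM EXTERNAL PROVIDER;
//   ALTER ROLE db_datareader ADD MEMBER [my-function-app];
using System;
using Microsoft.Data.SqlClient;

public static class ManagedIdentitySql
{
    // Builds the connection string with the builder so a bad keyword fails here,
    // with a clear message, rather than at connect time.
    public static string BuildConnectionString(string server, string database, string userAssignedClientId = null)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            Encrypt = true,
            // No password and no UPN: the token is fetched from the App Service
            // managed identity endpoint. Keyword form:
            //   Authentication=Active Directory Managed Identity
            Authentication = SqlAuthenticationMethod.ActiveDirectoryManagedIdentity,
        };
        // For a user-assigned identity pass its client ID as User ID;
        // leave it empty to use the system-assigned identity.
        if (!string.IsNullOrEmpty(userAssignedClientId))
            b.UserID = userAssignedClientId;
        return b.ConnectionString;
    }

    // Opens a connection and returns the principal SQL Server sees. This is the
    // quickest way to confirm the token was issued to the identity you mapped
    // with CREATE USER ... FROM EXTERNAL PROVIDER (a mismatch shows up as
    // "Login failed for user '<token identity>'").
    public static string WhoAmI(string connectionString)
    {
        using var conn = new SqlConnection(connectionString);
        conn.Open();
        using var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn);
        return (string)cmd.ExecuteScalar();
    }

    public static void Main()
    {
        // Placeholder names taken from the question.
        var cs = BuildConnectionString("my-database-server.database.windows.net", "my-database");
        Console.WriteLine(cs);
        Console.WriteLine(WhoAmI(cs));
    }
}
```

If the app runs with a user-assigned identity, the client ID passed as User ID is the identity's application (client) ID, not its object ID; with the system-assigned identity the name of the database user is the function app's name, which is what the question's CREATE USER statement relied on.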

I keep receiving an error while trying to load data to Azure DataBase using Azure Function

I created an Azure Function to load data from Eudonet CRM to my Azure SQL Database. I have two databases:
one named Datawarehouse
one named Datawarehouse-Dev
Both databases are identical and are in the same server.
When I load data directly to "Datawarehouse" the copy works fine, but when I change the database name to "Datawarehouse-Dev", I receive the following errors:
Index #0 Message: Login failed for user 'AzureFunction'. LineNumber: 65536 Source: Core .Net SqlClient Data Provider Procedure: Error Code:18456
-- Sql server error. If error code <17: => check sql transac code (user error). Else: => software or hardware errors (check availability of database)
Login failed for user 'AzureFunction'.
If anyone has an idea of where the problem could come from I would be very grateful, and I also don't understand why there is an authentication error since they're both in the same server and are accessed with the same user/password.
Thanks in advance
Though @adnane already resolved the issue by using the connection string directly in the Function application settings instead of storing it in the Vault, this approach might compromise the application's security, because using the connection string directly might expose it to an unauthorized person.
Azure Key Vault is a good place to keep our application credentials in a secured and centralized manner. Moving the secrets to Key Vault becomes even more important while our Azure solution is growing.
In case anyone is still looking for the solution of storing the connection string in Azure Key Vault and then using it in the Function, please follow the steps below.
Firstly, open the Azure Key Vault service and from the Settings menu select Access policies. Then select + Add new access policy.
Then choose Select principal and search for the name of the Function App as shown in the example below.
Once your principal is selected choose the Secret permissions menu. In this case, we’ll only need to get the secret from the Key Vault (concretely read our connection string). Therefore, check Get permission only and then select OK.
At the end, select Save to store the new functionapp-demo-mw access policy.
ADDING SECRET TO AZURE KEY VAULT
Adding a secret to Azure Key Vault is straightforward. From the Key Vault, Settings menu select Secrets and then select + Generate/Import secret.
For a Key Vault secret two values are required: name and value. In this case we've called our secret OrderManagementDbConnectionString and as the value we put our SQL Database connection string. Select Create to save the secret.
By default, the secret is Enabled so it's ready to use. Once the secret is created, we'll need to get its URI (a unique location identifying the secret). Go to the Settings menu and select Secrets. We'll find our recently added secret (OrderManagementDbConnectionString) there. Select the secret and we'll see it's the only version in the list.
Select the current version of the secret and copy its secret identifier. The identifier is a URI with the pattern: https://<url_of_the_key_vault>/<secret_name>/<secret_version>.
GETTING SECRET FROM KEY VAULT IN AZURE FUNCTION APP
Go back to the Azure Function App (functionapp-demo-mw) and on the Overview tab, select Configuration in the Configured features section.
Select + New application setting. Put a name that describes the new setting (we've put OrderManagementConnectionString). At the end of last year, Microsoft added an option of sourcing Key Vault secrets directly from App Settings. This simplifies a lot how secrets were used before. So, set the value of the setting to a secret reference in the following format:
@Microsoft.KeyVault(SecretUri=<secret_uri_with_version>)
We just need to replace secret_uri_with_version with the value we've previously copied from the secret in Azure Key Vault.
In Azure Function, you’ll just retrieve the value from the application settings and work with it the same way as it was directly a connection string stored in application settings.
using System;
using Microsoft.Data.SqlClient; // System.Data.SqlClient also works for this snippet
// get value from application settings (App Service resolves the Key Vault reference before the function starts)
var connectionString = Environment.GetEnvironmentVariable("OrderManagementConnectionString");
// create and open the connection; dispose it when the scope ends
using var connection = new SqlConnection(connectionString);
connection.Open();
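An added example, not part of this answer or of the Logic App answer earlier on the page, covering the failure mode both answers skip: when App Service cannot resolve a Key Vault reference (no managed identity on the app, no get permission on the secret, vault firewall, or a malformed URI), the app setting reaches the code as the literal @Microsoft.KeyVault(...) string, and SqlConnection then fails with a connection-string parsing error that points nowhere near Key Vault. The helper below refuses such a value and also validates the two documented reference forms; note that the documented SecretUri form takes the full https URI with the /secrets/ segment. Setting and vault names are assumptions for illustration.

```csharp
// Added example (not from either answer): detect an unresolved Key Vault
// reference in an app setting and validate reference syntax before deployment.
using System;
using System.Text.RegularExpressions;

public static class KeyVaultReference
{
    private const string Prefix = "@Microsoft.KeyVault(";

    // Form 1: SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>]
    private static readonly Regex SecretUriForm = new Regex(
        @"^SecretUri=https://(?<vault>[a-z0-9-]+)\.vault\.azure\.net/secrets/(?<name>[a-z0-9-]+)(/(?<version>[0-9a-f]{32}))?/?$",
        RegexOptions.IgnoreCase);

    // Form 2: VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>]
    private static readonly Regex VaultNameForm = new Regex(
        @"^VaultName=(?<vault>[a-z0-9-]+);SecretName=(?<name>[a-z0-9-]+)(;SecretVersion=(?<version>[0-9a-f]{32}))?$",
        RegexOptions.IgnoreCase);

    // True when the value is still a reference, i.e. the platform did not swap
    // in the secret. A resolved connection string never starts with this prefix.
    public static bool IsReference(string value) =>
        value != null
        && value.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase)
        && value.EndsWith(")");

    // Parses a reference into vault, secret name and optional version.
    // Returns false for anything that App Service would also reject.
    public static bool TryParse(string value, out string vault, out string name, out string version)
    {
        vault = name = version = null;
        if (!IsReference(value)) return false;
        var inner = value.Substring(Prefix.Length, value.Length - Prefix.Length - 1);
        var m = SecretUriForm.Match(inner);
        if (!m.Success) m = VaultNameForm.Match(inner);
        if (!m.Success) return false;
        vault = m.Groups["vault"].Value;
        name = m.Groups["name"].Value;
        version = m.Groups["version"].Success ? m.Groups["version"].Value : null;
        return true;
    }

    // Reads an app setting and fails fast with a Key Vault-oriented message
    // instead of letting SqlClient report "Keyword not supported".
    public static string GetResolvedSetting(string settingName)
    {
        var value = Environment.GetEnvironmentVariable(settingName);
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException($"App setting '{settingName}' is not set.");
        if (IsReference(value))
            throw new InvalidOperationException(
                $"App setting '{settingName}' still holds a Key Vault reference; " +
                "check the app's managed identity and its 'get' secret permission on the vault.");
        return value;
    }

    public static void Main()
    {
        // Constructed sample values; vault and secret names are assumptions.
        string ok = "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/OrderManagementDbConnectionString/ec96f02080254f109c51a1f14cdb1931)";
        string noScheme = "@Microsoft.KeyVault(SecretUri=contoso-kv.vault.azure.net/secrets/OrderManagementDbConnectionString)";
        Console.WriteLine(TryParse(ok, out var v, out var n, out var ver) ? $"{v}/{n}/{ver}" : "invalid");   // contoso-kv/.../ec96...
        Console.WriteLine(TryParse(noScheme, out _, out _, out _) ? "valid" : "invalid");                     // invalid
        Console.WriteLine(IsReference("Server=tcp:x.database.windows.net;Database=d;"));                      // False
    }
}
```

Running TryParse over every app setting in a deployment pipeline catches the missing scheme or a typo in the vault name before the platform silently leaves the reference unresolved; the "Key vault Reference" green check in the portal shows the same result after the fact.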

Failed to decrypt a column encryption key using key store provider: 'AZURE_KEY_VAULT'

I've used Always encrypted for a database table column on a DB on Azure. I've gone through this article - https://learn.microsoft.com/en-us/azure/sql-database/sql-database-always-encrypted-azure-key-vault - followed it very carefully. I have encrypted the columns, and that was done successfully. I can see that the column is encrypted.
When I try to follow the same article to now try to view the data from an application, I get error stating:
Failed to decrypt a column encryption key using key store provider:
'AZURE_KEY_VAULT'. Verify the properties of the column encryption key
and its column master key in your database. The last 10 bytes of the
encrypted column encryption key are: '54-36-01-E0-5C-A1-82-80-B1-B4'.
This is the error in the code, but then after I let that error go, I get:
Access denied. Caller was not found on any access policy. Caller:
appid=afd26169-bbac-4a45-ad3c-2b4492d19c6e;oid=dabbc750-5601-442b-9809-3a17f74d5aa2;numgroups=0;iss=https://sts.windows.net/bd8eb048-c497-4576-80eb-99e763b83ffd/
Vault: AWKeyVault2;location=eastus2
It's worth noting that when I use SSMS, and I set the connection string options to Column Encryption Setting=Enabled, I can see the decrypted data in SSMS.
For the most part, I think it's a permissions problem, but I'm at a loss. I've given the App Registration full access to the Azure Subscription. I've generated a 'Secret' for the App Registration also, and using that in the application. If I can see the data from SSMS, I think it means the encryption was successful, so it must be something to do with the fact that the application just cannot get to the key in the azure key vault. What am I missing?
OK, so figured this out. It definitely was a permissions thing. In order to completely verify that you have the correct permissions, go to Key Vault Blade:
Select Access Policies from the Key Vault resource blade menu on the left
Click the "add new" link/button at the top
Select Principal to select the application that you are using (i.e. the app registration from which you got the client ID)
From the Key permissions drop down, make sure you give it "Decrypt", "Sign", "Get", "UnwrapKey" permissions
Make sure to save changes
This is one of the last things - you still have to make sure your app registration has the correct permissions for your subscription.
Maybe a little late to the party, but I recently published an article about the topic and it might help better: https://www.codeproject.com/Articles/5355073/Full-Tutorial-on-using-Always-Encrypted-with-Azure
Basically, there is a mix of settings and coding that will allow you to use Always Encrypted with Azure Key Vault, and it is not only related to Azure settings and permissions.
You need to register your Web App in Azure Active Directory, take the corresponding Application ID, then create a new Secret for it, take the Secret value, and then write some code to authenticate to AKV using these two.
But take that with a bit of skepticism as well; please read the article.
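An added example, not from the question or either answer, of the code side that the second answer alludes to: Microsoft.Data.SqlClient only knows how to talk to the AZURE_KEY_VAULT key store after the provider is registered with a credential, and the credential's identity is what the "Caller was not found on any access policy" message refers to. The block uses the Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider 2.x package, which takes an Azure.Identity TokenCredential; the app registration plus client secret from the answers is one option, a managed identity via DefaultAzureCredential is the one that keeps no secret in the app. Table and column names are placeholders.

```csharp
// Added example (not from the original page): register the Azure Key Vault
// column master key provider and query an encrypted column with a parameter.
// Assumes packages Microsoft.Data.SqlClient,
// Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider (2.x) and Azure.Identity.
using System;
using System.Collections.Generic;
using System.Data;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;
using Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider;

public static class AlwaysEncryptedAkv
{
    // Register once per process, before the first connection that touches an
    // encrypted column. The provider name ("AZURE_KEY_VAULT") must match the
    // KEY_STORE_PROVIDER_NAME on the column master key definition in the database.
    public static void RegisterProvider(TokenCredential credential)
    {
        var akvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(credential);
        SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
            new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>(StringComparer.OrdinalIgnoreCase)
            {
                { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, akvProvider }
            });
    }

    // Identity from an app registration, as the answers describe. The identity
    // needs at least the get, unwrapKey and verify key permissions on the column
    // master key (or the Key Vault Crypto User role when the vault uses RBAC).
    public static TokenCredential CredentialFromAppRegistration(string tenantId, string clientId, string clientSecret) =>
        new ClientSecretCredential(tenantId, clientId, clientSecret);

    // Identity from the hosting platform's managed identity: no client secret to
    // store, rotate or leak.
    public static TokenCredential CredentialFromManagedIdentity() => new DefaultAzureCredential();

    // Filters on an encrypted column. The value must travel as a parameter so the
    // driver can encrypt it client-side; a literal inside the SQL text cannot be
    // matched against deterministic ciphertext.
    public static int CountBySsn(string connectionString, string ssn)
    {
        var b = new SqlConnectionStringBuilder(connectionString)
        {
            // Same switch the question flipped in SSMS ("Column Encryption Setting=Enabled").
            ColumnEncryptionSetting = SqlConnectionColumnEncryptionSetting.Enabled
        };
        using var conn = new SqlConnection(b.ConnectionString);
        conn.Open();
        using var cmd = new SqlCommand("SELECT COUNT(*) FROM dbo.Patients WHERE SSN = @ssn", conn);
        // Type and length must match the encrypted column exactly.
        cmd.Parameters.Add("@ssn", SqlDbType.Char, 11).Value = ssn;
        return (int)cmd.ExecuteScalar();
    }

    public static void Main()
    {
        // Placeholder connection string; Always Encrypted also needs Encrypt=True in practice.
        var cs = "Server=tcp:my-database-server.database.windows.net;Database=my-database;Authentication=Active Directory Managed Identity;Encrypt=True";
        RegisterProvider(CredentialFromManagedIdentity());
        Console.WriteLine(CountBySsn(cs, "795-73-9838"));
    }
}
```

With the provider registered this way the decrypt step happens inside the driver; SSMS succeeded for the question's author because it registered the same provider under the interactive user's identity, which was on the access policy while the app registration was not.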

SSRS Email Subscription Change Service Account

We have an instance of SSRS running on the 'Local System' service account. I have added the SMTP settings in the Configuration Manager. I now want to change the service account to an authenticated Windows AD account so I can access the Exchange server and utilise subscriptions.
I am using 2008; other than a need to restart IIS/RS, I want to check about the symmetric keys that are used for accessing the report server database, which have been encrypted with the local machine.
I want to check the steps and caveats of changing the service account in Configuration Manager from Local System to MyDomain\My.User.
This page mentions having to back up the encryption keys first, then removing the reference to them after stopping IIS, updating the service account and creating a new key before starting IIS.
So do I need to do/worry about this, or will the tool just handle it?
I suspect the tool 'should' manage all this for me but we know what assumptions are.
You need to use the Reporting Services Configuration tool to make changes to the service account being used. If you use this tool then it will automatically take care of permissions changes and modifying encryption keys. More details are available on MSDN.
The issue described on the website you linked to probably occurred because the service account was changed using the Services management tool in Windows, rather than the Reporting Services Configuration tool, and therefore the encryption key was not automatically updated.
Regardless of the above you should always back up the encryption keys for the report server and store them elsewhere.

WSO2 Identity server integration with LDAP and DB

Just had a query: can WSO2 Identity Server be integrated with both LDAP and a DB at the same time? To elaborate, say we have a group of users defined in LDAP and another group of users defined in a DB, and I want Identity Server to act as an authorization gateway for both of these groups. Is it possible?
Also, while integrating with a DB, WSO2 adds its own tables to our existing DB. Is there any way we can add custom attribute (claim) support in the DB without altering the WSO2 tables?
WSO2 Identity Server supports only one active user realm at a given time. But if your requirement is to use WSO2 IS as an authorization gateway which connects to an LDAP server as well as to a DB for populating claims, etc., then it is possible to use the XACML support in WSO2 IS with a custom PIP (policy information point). In that case, you can connect to the LDAP server as the primary user store and write a custom PIP to connect to the DB to read the required claims.
Following two posts on PIPs will be helpful.
[1] - http://xacmlinfo.com/2011/12/18/understanding-pip/
[2] - http://blog.facilelogin.com/2011/04/xacml-policy-information-point.html
Answering the second query, with the default configuration in the JDBC mode, WSO2 IS uses its own set of tables for maintaining its user store. But if required, you can write your own user store implementation which connects to your database.
