Store credentials in Azure Key Vault

You can store credentials for data stores and computes in an Azure Key Vault. Azure Data Factory retrieves the credentials when executing an activity that uses the data store/compute.

Currently, all activity types except custom activity support this feature. For connector configuration specifically, check the "linked service properties" section in each connector topic for details.

Prerequisites

This feature relies on the data factory managed identity. Learn how it works from Managed identity for Data Factory and make sure your data factory has an associated one.

Steps

To reference a credential stored in Azure Key Vault, you need to:

  1. Retrieve the data factory managed identity by copying the value of "Managed Identity Application ID" generated along with your factory. If you use the ADF authoring UI, the managed identity application ID is shown on the Azure Key Vault linked service creation window; you can also retrieve it from the Azure portal, refer to Retrieve data factory managed identity.
  2. Grant the managed identity access to your Azure Key Vault. In your key vault -> Access policies -> Add new -> search for this managed identity application ID and grant the Get permission in the Secret permissions dropdown. This allows the designated factory to access secrets in the key vault.
  3. Create a linked service pointing to your Azure Key Vault. Refer to Azure Key Vault linked service.
  4. Create the data store linked service, inside which you reference the corresponding secret stored in the key vault. Refer to Reference a secret stored in key vault.

Azure Key Vault linked service

The following properties are supported for an Azure Key Vault linked service:

| Property | Description | Required |
| --- | --- | --- |
| type | The type property must be set to: AzureKeyVault. | Yes |
| baseUrl | Specify the Azure Key Vault URL. | Yes |

Using authoring UI:

Click Connections -> Linked Services -> +New -> search for "Azure Key Vault":

[Image: Search AKV]

Select the provisioned Azure Key Vault where your credentials are stored. You can do Test Connection to make sure your AKV connection is valid.

[Image: Configure AKV]

JSON example:

{
    "name": "AzureKeyVaultLinkedService",
    "properties": {
        "type": "AzureKeyVault",
        "typeProperties": {
            "baseUrl": "https://<azureKeyVaultName>.vault.azure.cn"
        }
    }
}

Reference a secret stored in key vault

The following properties are supported when you configure a field in a linked service that references a key vault secret:

| Property | Description | Required |
| --- | --- | --- |
| type | The type property of the field must be set to: AzureKeyVaultSecret. | Yes |
| secretName | The name of the secret in Azure Key Vault. | Yes |
| secretVersion | The version of the secret in Azure Key Vault. If not specified, the latest version of the secret is always used. If specified, it sticks to the given version. | No |
| store | Refers to the Azure Key Vault linked service that you use to store the credential. | Yes |

Using authoring UI:

Select Azure Key Vault for secret fields while creating the connection to your data store/compute. Select the provisioned Azure Key Vault linked service and provide the secret name. You can optionally provide a secret version as well.

Tip

For connectors that use a connection string in the linked service (SQL Server, Blob storage, etc.), you can choose either to store only the secret field (for example, the password) in AKV, or to store the entire connection string in AKV. You can find both options on the UI.

[Image: Configure AKV secret]

JSON example (see the "password" section):

{
    "name": "DynamicsLinkedService",
    "properties": {
        "type": "Dynamics",
        "typeProperties": {
            "deploymentType": "<>",
            "organizationName": "<>",
            "authenticationType": "<>",
            "username": "<>",
            "password": {
                "type": "AzureKeyVaultSecret",
                "secretName": "<secret name in AKV>",
                "store":{
                    "referenceName": "<Azure Key Vault linked service>",
                    "type": "LinkedServiceReference"
                }
            }
        }
    }
}
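As an added example that is not part of the original article, the following Python audits linked service definitions shaped like the two JSON snippets above: it flags secret fields that hold an inline literal instead of an AzureKeyVaultSecret reference, checks that each reference's store points at a known AzureKeyVault linked service with an https baseUrl, and builds the Key Vault secret identifier ({baseUrl}/secrets/{name}[/{version}]) that the reference resolves to. The sample definitions, vault name and the list of secret field names are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed sample definitions (assumed, not from a real factory), modelled on this page's JSON.
VAULTS = {"AzureKeyVaultLinkedService": {"type": "AzureKeyVault",
          "typeProperties": {"baseUrl": "https://examplevault.vault.azure.cn"}}}
GOOD_LS = {"name": "DynamicsLinkedService", "properties": {"type": "Dynamics", "typeProperties": {
    "username": "svc-user",
    "password": {"type": "AzureKeyVaultSecret", "secretName": "dyn-pass", "secretVersion": "v1",
                 "store": {"referenceName": "AzureKeyVaultLinkedService", "type": "LinkedServiceReference"}}}}}
BAD_LS = {"name": "LegacySqlLinkedService", "properties": {"type": "SqlServer", "typeProperties": {
    "connectionString": "Server=db;Database=app;User ID=app;Password=placeholder"}}}  # inline secret

# Field names that should hold an AzureKeyVaultSecret reference, never an inline literal (assumed list).
SECRET_FIELDS = ("password", "connectionString", "accountKey", "sasToken", "servicePrincipalKey")

def secret_url(base_url, secret_name, secret_version=None):
    """Key Vault secret identifier: {baseUrl}/secrets/{name}[/{version}]; no version means latest."""
    url = f"{base_url.rstrip('/')}/secrets/{secret_name}"
    return f"{url}/{secret_version}" if secret_version else url

def audit(linked_service, vaults):
    """Check every secret field of one linked service. Returns (findings, resolved secret URLs)."""
    findings, resolved = [], {}
    props = linked_service["properties"]["typeProperties"]
    for field in (f for f in SECRET_FIELDS if f in props):
        value = props[field]
        if not isinstance(value, dict) or value.get("type") != "AzureKeyVaultSecret":
            findings.append(f"{field}: inline value instead of AzureKeyVaultSecret reference")
            continue
        store = value.get("store", {})
        vault = vaults.get(store.get("referenceName"))
        if store.get("type") != "LinkedServiceReference" or not vault or vault.get("type") != "AzureKeyVault":
            findings.append(f"{field}: store does not reference a known AzureKeyVault linked service")
            continue
        base_url = vault["typeProperties"]["baseUrl"]
        if urlparse(base_url).scheme != "https":
            findings.append(f"{field}: vault baseUrl {base_url} is not https")
        if not value.get("secretName"):
            findings.append(f"{field}: secretName is missing")
            continue
        resolved[field] = secret_url(base_url, value["secretName"], value.get("secretVersion"))
    return findings, resolved
```

Run audit over every linked service exported from a factory to spot definitions that still carry inline credentials and should be moved to Key Vault.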

Next steps

For a list of data stores supported as sources and sinks by the copy activity in Azure Data Factory, see supported data stores.