
Azure Key Vault as a Credential Store

This guide shows you how to configure Azure Key Vault as a credential store in the CData Virtuality Server and how to use these credentials when creating data sources.

Using Azure Key Vault Credentials in Data Sources

At present, Azure Key Vault support (a Preview feature) in the CData Virtuality Server is available only for data sources that are relational databases (MySQL, PostgreSQL, etc.).

Pre-requisites

  • CData Virtuality Server v4.10 or later;

  • Access to Microsoft Azure Key Vault;

  • Required Azure credentials (client ID, client secret, tenant ID, and Key Vault URL).

Configuring and Integrating Azure Key Vault

This short tutorial provides an overview of how to configure Azure Key Vault so that you can securely manage and access secrets (such as passwords) from the CData Virtuality Server.

Steps to Configure Azure Key Vault

  1. Register an Application
    Before accessing Azure Key Vault from an external application, you must register an application in Azure Active Directory. After registration:

    • You will have a Client ID and a Tenant ID, which can be found in the application’s Overview section;

    • In Manage → Certificates & Secrets, create a Client Secret. Note that the secret value is shown only once, immediately after creation, so record it at that point.

  2. Create and Set Up Azure Key Vault
    Create a Key Vault in Azure. In the Key Vault’s Overview section, note the Vault URI. This will be used to configure the credential store in CData Virtuality Server.

  3. Assign Key Vault Administrator Role
    To allow your user account to add secrets to the Key Vault:

    • Navigate to Access Control (IAM) in the Key Vault;

    • Assign the Key Vault Administrator role to your user, enabling you to manage keys and secrets within the vault.

  4. Add Secrets to the Key Vault
    In the Key Vault’s Objects → Secrets section, add any secrets (e.g., database passwords) that you want to manage. These secrets will be referenced later in the CData Virtuality Server configuration.

  5. Assign the Application Access to Secrets
    To allow your registered application to access a specific secret:

    • Assign the Key Vault Secrets Officer role to the application at the secret level;

    • Use the Azure CLI command below, replacing the placeholders with your values (the backslash line continuations assume a Bash shell):

      POWERSHELL
      az role assignment create --role "Key Vault Secrets Officer" \
        --assignee "CLIENT_ID" \
        --scope "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/microsoft.keyvault/vaults/AZURE_KEY_VAULT_NAME/secrets/SECRET_KEY_NAME"

    To run this command:

    • Go to Automation → CLI/PS within the Azure portal;

    • Click Run to open the Cloud Shell;

    • Paste and run the CLI command.

  6. Verify Role Assignments
    After running the CLI command, navigate to Objects → Secrets → SECRET_KEY_NAME → Access control (IAM). You should see the Key Vault Secrets Officer role assigned to your application.

Summary

By following these steps, you have:

  • Registered an application with Azure Active Directory;

  • Created and configured an Azure Key Vault;

  • Added and managed secrets in the Key Vault;

  • Assigned the necessary roles for the application to access these secrets.

With this configuration in place, you can now integrate Azure Key Vault credentials into the CData Virtuality Server. This enables secure, externalized management of sensitive credentials for data sources.

Configuring the Credential Store in CData Virtuality

  1. Add the Azure Key Vault Provider
    In the dvserver-standalone.xml configuration file, locate the Elytron subsystem and the <providers> section. After the <provider-loader name="openssl" .../> entry, add the following snippet:

    XML
    <provider-loader name="azure-key-vault-provider"
                     module="com.datavirtuality.dv"
                     class-names="com.datavirtuality.dv.core.controller.credential.AzureKeyVaultProvider"/>

  2. Add the Azure Key Vault Credential Store
    Within the Elytron subsystem, find the <credential-stores> section and add the Azure Key Vault credential store configuration. For example, after the existing <secret-key-credential-store> entry:

    XML
    <credential-store name="azure-key-vault-store" 
                      type="AzureKeyVaultCredentialStore" 
                      providers="azure-key-vault-provider">
        <implementation-properties>
            <property name="keyVaultUrl" value="KEY_VAULT_URL"/>
            <property name="clientId" value="CLIENT_ID"/>
            <property name="clientSecret" value="CLIENT_SECRET"/>
            <property name="tenantId" value="TENANT_ID"/>
        </implementation-properties>
        <credential-reference clear-text="dummy-value"/>
    </credential-store>

    Note:
    Replace KEY_VAULT_URL, CLIENT_ID, CLIENT_SECRET, and TENANT_ID with your actual Azure Key Vault configuration values.

  3. Verify the Configuration
    To verify that the Azure Key Vault credential store is successfully configured, run the following stored procedure:

    SQL
    CALL SYSADMIN.getCredentialStores();

    This will list all the configured credential stores, including the newly created azure-key-vault-store.

Example: Creating an SQL Server Data Source

You can use Azure Key Vault credentials when creating a data source by referencing the credential store and alias in the SYSADMIN.createOrReplaceDatasource procedure.

Important:
In connectionProperties, you can now supply the password (or another secret) as a reference to the credential store instead of a plain-text value, using the following syntax:

SQL
password="{credentialStoreName=azure-key-vault-store,credentialStoreAlias=SECRET_KEY_NAME_IN_AZURE}"

This tells CData Virtuality Server to retrieve the password from the azure-key-vault-store credential store using the secret alias SECRET_KEY_NAME_IN_AZURE (which corresponds to the name of the secret in Azure Key Vault).

For example:

SQL
CALL "SYSADMIN.createOrReplaceDatasource"(
    "name" => 'test',
    "translator" => 'sqlserver',
    "modelProperties" => 'importer.useFullSchemaName=False,importer.TableTypes="TABLE,VIEW",importer.schemaPattern=dbo,importer.defaultSchema=dbo',
    "connectionTemplateName" => 'mssql',
    "connectionProperties" => 'user-name=USER_NAME,port=SERVER_PORT,host=HOST,db=DATABASE,password="{credentialStoreName=azure-key-vault-store,credentialStoreAlias=SECRET_KEY_NAME}"',
    "enableReplace" => TRUE
);;
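As an added check, not part of this guide or of the CData Virtuality product, the following Python audits a data source's connectionProperties string against the credential-store names declared in dvserver-standalone.xml: it parses the quoted reference syntax shown above, flags a password given as a plain-text value, and flags a reference to a store that is not configured. The XML sample and property strings are constructed; the connectionProperties format (comma-separated key=value pairs, with double-quoted values allowed to contain commas) is assumed from the example above.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample of the <credential-stores> section from dvserver-standalone.xml
# (subsystem wrapper omitted); the values are placeholders, not real credentials.
SAMPLE_STORES_XML = """<credential-stores>
  <credential-store name="azure-key-vault-store" type="AzureKeyVaultCredentialStore" providers="azure-key-vault-provider">
    <implementation-properties>
      <property name="keyVaultUrl" value="https://example-vault.vault.azure.net/"/>
      <property name="clientId" value="CLIENT_ID"/>
      <property name="clientSecret" value="CLIENT_SECRET"/>
      <property name="tenantId" value="TENANT_ID"/>
    </implementation-properties>
    <credential-reference clear-text="dummy-value"/>
  </credential-store>
</credential-stores>"""
# The reference syntax the guide uses in place of a plain password value.
REFERENCE_RE = re.compile(r"^\{credentialStoreName=([^,}]+),credentialStoreAlias=([^}]+)\}$")

def configured_store_names(xml_text):
    """Names of all <credential-store> elements declared in the config."""
    return {cs.get("name") for cs in ET.fromstring(xml_text).iter("credential-store")}

def split_connection_properties(props):
    """Split 'k=v,k2="v,with,commas"' into a dict; quoted values keep their commas."""
    result, key, buf, quoted = {}, None, [], False
    for ch in props + ",":                      # sentinel comma flushes the last pair
        if ch == '"':
            quoted = not quoted                 # quotes delimit the value and are dropped
        elif ch == "=" and key is None and not quoted:
            key, buf = "".join(buf), []
        elif ch == "," and not quoted:
            if key is not None:
                result[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    return result

def audit_datasource(props, xml_text, secret_keys=("password",)):
    """Findings for secret-bearing properties: plain-text values or unknown stores."""
    stores, findings = configured_store_names(xml_text), []
    for key, value in split_connection_properties(props).items():
        if key not in secret_keys:
            continue
        match = REFERENCE_RE.match(value)
        if not match:
            findings.append(f"{key}: plain-text value, reference a credential store instead")
        elif match.group(1) not in stores:
            findings.append(f"{key}: credential store '{match.group(1)}' is not configured")
    return findings
```

Run `audit_datasource` over the connectionProperties of each data source definition you deploy; an empty list means every password is a reference to a store that the server configuration actually declares.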

Azure Key Vault as a Credential Store (Preview) is available since v4.10
