9

I have ADF v2 Pipeline with a WebActivity which has a REST Post Call to get Jwt Access token from AD token api (https://login.microsoftonline.com/myorg.onmicrosoft.com/oauth2/token)

I have to pass username and password in the body. Right now, i'm using pipeline parameters to pass these with the request and is working fine. 

username=@{pipeline().parameters.username}
&password=@{pipeline().parameters.password}

But, the parameters tab has plain text which i have to secure.

enter image description here

now, what options do i have to secure the parameter values i'm using in this pipeline instead of plain text.

i have explored this article https://learn.microsoft.com/en-us/azure/data-factory/store-credentials-in-key-vault#reference-secret-stored-in-key-vault But, this is to store secrets for data stores. In my web activity i do not have any dataset. it is just a web activity with rest call.

Any help or pointers would be appreciated. Thanks

Naresh Podishetty
  • 747
  • 4
  • 16
  • 1
    Do you have any updates on this? I'm wondering the same thing. I know it's bad practice to put secrets in a pipeline but since we cannot reference a keyvault key from activity fields, this seems the only viable option – Simon Zeinstra Feb 08 '19 at 11:42

2 Answers2

1

I have implemented little differently,here is my implementation.

  1. Store your credential in storage account of your choice.
  2. use lookup activity in data factory.
  3. use lookup activity output for your rest api call.

I hope this will help. in your case you can use something like this

create a file generateToken.json { "resource":"xxxxxxxxxxxxxxxx", "client_id":"xxxxxxxxxxxxxxx" "grant_type":"xxxxxxxxxxxxxxxx" "username":"xxxxxxxxxxxxxxxxxxx" "password":"xxxxxxxxxxxxxxxxxxxx" }

if you are concern about security of password, decode your password before you add to the generateToken.json and decode at data factory before you make rest api call to generate token using data factory decodeBase64 function.

Viral

user4332145
  • 11
  • 2
0

Solution 1

In short, use the unimportant passwords in the current ADF, and configure important passwords in production ADF.

  1. store your password and others in ADF, and save them into your git repository. This ADF is for the test.
  2. publish
  3. go to Azure DevOps, and release an ADF from the published template with the password.

Solution 2

Use Web Activity to get key-vault and send output to other activities.

Jess Chen
  • 3,136
  • 1
  • 26
  • 35