Azure DevOps: ARM template for KeyVault Connection for Logic Apps

In Logic Apps you can create a connector to an Azure KeyVault and connect in two ways:

  • connect with service principal
  • connect with sign in

Connect with Service Principal

To connect with a service principal, you need to specify a connection name, vault name, tenantId, clientId and clientSecret from a registered app in Azure Active Directory.

To retrieve the tenantId, clientId and clientSecret, register an app in Azure Active Directory with these steps:

  1. Browse to Azure Active Directory > App registrations > New registration.
  2. Fill in the data and click Register.
  3. Open the registered application and browse to Overview. The values shown there are your clientId and tenantId parameter values.
  4. Browse to Certificates & secrets > New client secret.
  5. Copy the value of the client secret. This is the clientSecret parameter value.

When creating the connector in the Logic Apps Designer, the properties listed above (connection name, vault name, tenantId, clientId and clientSecret) need to be filled in.

The corresponding ARM template:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "keyvaultName": {
            "type": "string"
        },
        "appId": {
            "type": "string"
        },
        "appSecret": {
            "type": "securestring"
        },
        "tenantId": {
            "type": "string"
        }
    },
    "variables": {
        "location": "[resourceGroup().location]",
        "subscriptionId": "[subscription().subscriptionId]",
        "keyvaultApiId": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'),'/managedApis/keyvault')]"
    },
    "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[parameters('keyvaultName')]",
            "location": "[variables('location')]",
            "properties": {
                "displayName": "[parameters('keyvaultName')]",
                "customParameterValues": {
                },
                "api": {
                    "id": "[variables('keyvaultApiId')]"
                },
                "parameterValues": {
                    "token:clientId": "[parameters('appId')]",
                    "token:clientSecret": "[parameters('appSecret')]",
                    "token:TenantId": "[parameters('tenantId')]",
                    "token:grantType": "client_credentials",
                    "vaultName": "[parameters('keyvaultName')]"
                }
            }
        }
    ],
    "outputs": {
    }
}

Connect with sign in

When using the connect with sign in method to authenticate to the KeyVault, the Logic Apps Designer needs only the tenant and the vault name.

You then need to sign in with a valid account.

The corresponding ARM template:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "keyvaultName": {
            "type": "string"
        },
        "tenantId": {
            "type": "string"
        }
    },
    "variables": {
        "location": "[resourceGroup().location]",
        "subscriptionId": "[subscription().subscriptionId]",
        "keyvaultApiId": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'),'/managedApis/keyvault')]"
    },
    "resources": [
        {
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[parameters('keyvaultName')]",
            "location": "[variables('location')]",
            "properties": {
                "displayName": "[parameters('keyvaultName')]",
                "customParameterValues": {
                },
                "api": {
                    "id": "[variables('keyvaultApiId')]"
                },
                "parameterValues": {
                    "token:TenantId": "[parameters('tenantId')]",
                    "token:grantType": "code",
                    "vaultName": "[parameters('keyvaultName')]"
                }
            }
        }
    ],
    "outputs": {
    }
}
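As an added example (not code from the original post), the following lint function checks a template of either shape above before it is deployed from a pipeline: it flags secret-carrying parameters that are not declared securestring (values of plain string parameters are retained in the resource group's deployment history), and verifies that the parameterValues of the Microsoft.Web/connections resource match the chosen token:grantType. The name-based secret heuristic (secret/password) is an assumption of this example, not a rule from the post.

```python
"""Lint ARM templates that deploy a Logic Apps Key Vault connection."""

SECRET_HINTS = ("secret", "password")          # parameter names that must be securestring
REQUIRED_BY_GRANT = {                          # parameterValues each grant type needs
    "client_credentials": {"token:clientId", "token:clientSecret", "token:TenantId"},
    "code": {"token:TenantId"},
}

def lint_keyvault_connection(template: dict) -> list:
    """Return a list of findings; an empty list means the template passed."""
    findings = []
    # 1. A secret passed as plain 'string' is kept in clear text in the deployment
    #    history of the resource group; it must be declared 'securestring'.
    for name, spec in template.get("parameters", {}).items():
        if any(h in name.lower() for h in SECRET_HINTS) and spec.get("type") != "securestring":
            findings.append(f"parameter '{name}' should be securestring, not {spec.get('type')}")
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Web/connections":
            continue
        rname = res.get("name", "<unnamed>")
        values = res.get("properties", {}).get("parameterValues", {})
        grant = values.get("token:grantType")
        if grant not in REQUIRED_BY_GRANT:
            findings.append(f"{rname}: unsupported token:grantType {grant!r}")
            continue
        # 2. Each grant type must carry the token parameters it relies on, and the
        #    sign-in flow ('code') must not carry a client secret at all.
        missing = REQUIRED_BY_GRANT[grant] - set(values)
        if missing:
            findings.append(f"{rname}: grantType {grant} is missing {sorted(missing)}")
        if grant == "code" and "token:clientSecret" in values:
            findings.append(f"{rname}: clientSecret must not be set with grantType code")
        if "vaultName" not in values:
            findings.append(f"{rname}: vaultName is missing")
    return findings

# Constructed sample: the service-principal template trimmed to the parts the linter
# reads, with appSecret deliberately typed 'string' so that the first check fires.
SP_TEMPLATE = {
    "parameters": {"keyvaultName": {"type": "string"}, "appId": {"type": "string"},
                   "appSecret": {"type": "string"}, "tenantId": {"type": "string"}},
    "resources": [{"type": "Microsoft.Web/connections", "name": "[parameters('keyvaultName')]",
                   "properties": {"parameterValues": {
                       "token:clientId": "[parameters('appId')]",
                       "token:clientSecret": "[parameters('appSecret')]",
                       "token:TenantId": "[parameters('tenantId')]",
                       "token:grantType": "client_credentials",
                       "vaultName": "[parameters('keyvaultName')]"}}}],
}

if __name__ == "__main__":
    for finding in lint_keyvault_connection(SP_TEMPLATE):
        print(finding)
```

Run it against the deployed template file (json.load the file and pass the dict) as a pipeline step so that a mistyped secret parameter fails the build instead of landing in the deployment history.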