Configure Azure Key Vault
For authentication purposes, the Designer Cloud Powered by Trifacta platform must be integrated with an Azure Key Vault keystore.
For more information, see https://azure.microsoft.com/en-us/services/key-vault/.
Please complete the following sections to create and configure your Azure Key Vault.
Create a Key Vault resource in Azure
Please complete the following steps in the Azure portal to create a Key Vault and to associate it with the Alteryx registered application.
Note
A Key Vault is required for use with the Designer Cloud Powered by Trifacta platform.
Create Key Vault in Azure
Steps:
Log into the Azure portal.
Complete the form for creating a new Key Vault resource:
Name: Provide a reasonable name for the resource. Example:
<clusterName>-<applicationName>-<group/organizationName>
Or, you can use
trifacta
.Location: Pick the location used by the cluster.
For other fields, add appropriate information based on your enterprise's preferences.
To create the resource, click Create.
Note
Retain the DNS Name value for later use.
Enable Key Vault access for the Designer Cloud Powered by Trifacta platform
Steps:
In the Azure portal, you must assign access policies for application principal of the Alteryx registered application to access the Key Vault.
Steps:
In the Azure portal, select the Key Vault you created. Then, select Access Policies.
In the Access Policies window, select the Alteryx registered application.
Click Add Access Policy.
Select the following secret permissions (at a minimum):
Get
Set
Delete
Recover
Select the Alteryx application principal.
Assign the policy you just created to that principal.
Configure Key Vault for WASB
Please complete the following steps for using the Key Vault with WASB.
Create WASB access token
If you are enabling access to WASB, you must create this token within the Azure Portal.
For more information, see https://docs.microsoft.com/en-us/rest/api/storageservices/delegating-access-with-a-shared-access-signature.
You must specify the storage protocol (wasbs
) used by the Designer Cloud Powered by Trifacta platform.
Configure Key Vault key and secret for WASB
For WASB, you must create key and secret values in the Key Vault that match other values in your Azure configuration. To enable access to the Key Vault, you must specify your key and secret values as follows:
Item | Applicable Configuration |
---|---|
key | The value of the key must be specified as the |
secret | The value of the secret should match the shared access signature for your storage. This value is specified as |
Acquire shared access signature value:
In the Azure portal, please do the following:
Open your storage account.
Select Shared Access Signature .
Generate or view existing signatures.
For a new or existing signature, copy the SAS token value. Omit the leading question mark (?).
Paste this value into a text file for safekeeping.
Create a custom key:
To create a custom key and secret pair for WASB use by the Designer Cloud Powered by Trifacta platform, please complete the following steps:
On an existing or newly created Azure Key Vault resource, click Secrets.
At the top of the menu, click Generate/Import.
In the Create a secret menu:
Select Manual for upload options.
Chose an appropriate name for the key.
Note
Please retain the name of the key for later use, when it is applied through the Designer Cloud Powered by Trifacta platform as the
sasTokenId
value. Instructions are provided later.Paste the SAS token value for the key into the secret field.
Click Create.
Configure Key Vault for ADLS
For ADLS Gen1 and ADLS Gen2, the Designer Cloud Powered by Trifacta platform creates its own key-secret combinations in the Key Vault. No additional configuration is required.
Configure the Platform
Configure Key Vault location
The location of the Azure Key Vault must be specified for the Designer Cloud Powered by Trifacta platform. The location can be found in the properties section of the Key Vault resource in the Azure portal.
Steps:
Log in to the Azure portal.
Select the Key Vault resource.
Click Properties.
Locate the DNS Name field. Copy the field value.
This value is the location for the Key Vault. It must be applied in the Designer Cloud Powered by Trifacta platform.
Steps:
You can apply this change through the Admin Settings Page (recommended) or
trifacta-conf.json
. For more information, see Platform Configuration Methods.Specify the URL in the following parameter:
"azure.keyVaultURL": "<your key value URL>",
Apply SAS token identifier for WASB
If you are using WASB as your base storage layer, you must apply the SAS token value into the configuration of the Designer Cloud Powered by Trifacta platform.
Steps:
You can apply this change through the Admin Settings Page (recommended) or
trifacta-conf.json
. For more information, see Platform Configuration Methods.Paste the value of the SAS Token for the key you created in the Key Vault as the following value:
"azure.wasb.defaultStore.sasTokenId": "<your Sas Token Id>",
Save your changes.
Configure Secure Token Service
Access to the Key Vault requires use of the secure token service (STS) from the Designer Cloud Powered by Trifacta platform. To use STS with Azure, several properties must be specified. For more information, see Configure Secure Token Service.