Key Vault authentication with Managed Identities
lilgreenbird edited this page Apr 2, 2020 · 4 revisions
Starting with JDBC Driver v8.3.0, the driver supports authenticating to Azure Key Vault using Managed Identities.
Azure Key Vault is a convenient option for storing and managing column master keys for Always Encrypted. If the application is hosted in Azure, it can use a Managed Identity to authenticate to the Azure Key Vault, which eliminates the need to provide and expose any credentials in the application's configuration.
For JDBC Driver 8.3.0 and later, the driver introduced the following connection properties:
Connection property | Value (Key Vault client secret) | Value (Key Vault managed identity) | Value (Java Key Store)
---|---|---|---
`keyStoreAuthentication` | `KeyVaultClientSecret` | `KeyVaultManagedIdentity` | `JavaKeyStorePassword`
`keyStorePrincipalId` | `<Azure AD Application Client ID>` | `<Azure AD Application object ID>` (optional) | n/a
`keyStoreSecret` | `<Azure AD Application Client Secret>` | n/a | `<secret/password for the Java Key Store>`
The following examples show how the connection properties are used in a connection string (the first two use a system-assigned and a user-assigned managed identity respectively; the third uses a client secret):

```
jdbc:sqlserver://<server>:<port>;columnEncryptionSetting=Enabled;keyStoreAuthentication=KeyVaultManagedIdentity;
jdbc:sqlserver://<server>:<port>;columnEncryptionSetting=Enabled;keyStoreAuthentication=KeyVaultManagedIdentity;keyStorePrincipalId=<principalId>
jdbc:sqlserver://<server>:<port>;columnEncryptionSetting=Enabled;keyStoreAuthentication=KeyVaultClientSecret;keyStorePrincipalId=<clientId>;keyStoreSecret=<clientSecret>
```
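As an added illustration (not code from this wiki page or the driver project), the following Java program configures a `SQLServerDataSource` for the managed-identity mode from the table above and reads an encrypted column with a bound parameter, so that no Key Vault credential appears anywhere in the application. The server, database, table and column names, the `SQL_SERVER`, `SQL_DATABASE` and `KEYVAULT_MI_CLIENT_ID` environment variables are assumptions, and `setKeyStorePrincipalId` is assumed to be the data-source setter matching the `keyStorePrincipalId` connection property.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import com.microsoft.sqlserver.jdbc.SQLServerDataSource;

public class ManagedIdentityKeyVaultExample {

    // Build a data source whose column master keys are fetched from Azure Key Vault
    // through the host's managed identity. Server-level login (user/password or
    // Azure AD) is configured separately and is out of scope here.
    static SQLServerDataSource dataSource(String server, String database, String principalId) {
        SQLServerDataSource ds = new SQLServerDataSource();
        ds.setServerName(server);          // assumed env-provided value
        ds.setDatabaseName(database);      // assumed env-provided value
        ds.setColumnEncryptionSetting("Enabled");
        ds.setKeyStoreAuthentication("KeyVaultManagedIdentity");
        if (principalId != null && !principalId.isEmpty()) {
            // Only needed for a user-assigned identity; omit for the system-assigned one.
            ds.setKeyStorePrincipalId(principalId); // assumed setter for keyStorePrincipalId
        }
        // Deliberately no setKeyStoreSecret(): there is no secret to protect or rotate.
        return ds;
    }

    // Always Encrypted encrypts only bound parameter values, so the predicate on the
    // encrypted column must be a parameter, never text concatenated into the SQL.
    // An equality match also requires the column to use deterministic encryption.
    static String lookupCustomer(SQLServerDataSource ds, String ssn) throws SQLException {
        String sql = "SELECT FirstName, LastName FROM dbo.Customers WHERE SSN = ?"; // assumed schema
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, ssn);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) + " " + rs.getString(2) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        SQLServerDataSource ds = dataSource(System.getenv("SQL_SERVER"),
                System.getenv("SQL_DATABASE"),
                System.getenv("KEYVAULT_MI_CLIENT_ID")); // unset => system-assigned identity
        System.out.println(lookupCustomer(ds, "123-45-6789")); // constructed sample value
    }
}
```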
Note: The previous connection properties `keyVaultProviderClientId` and `keyVaultProviderClientKey` are deprecated and will be removed in a future release.