Azure Key Vault Linked Service — Two steps to grant service access
The two simple steps required to allow Synapse/ADF to read Azure Key Vault secrets.
You will need your Managed Identity name, as displayed when you specify the authentication method as “System Assigned Managed Identity”.
Step 1 — Add your service Managed Identity to an RBAC group in Azure Key Vault
To be honest, I’m not sure if this step is necessary. ADF/Synapse has returned a successful result after testing the connection just after creating the Linked Service even before adding the MIS credential RBAC permission.
Step 2 — Create an Access Policy
Create an access policy; the RBAC is not enough. You need to grant specific operation rights.
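A check for the access policy created in Step 2, as an added example that is not from the original post: it reads vault JSON shaped like `az keyvault show` output and reports whether a managed identity has the secret permissions it needs and nothing more. The sample vault, the object IDs and the required set (Get and List, to read a secret and list its versions) are assumptions.

```python
import json

# Constructed sample shaped like `az keyvault show` output; all IDs are placeholders.
SAMPLE_VAULT = json.loads("""
{"name": "kv-example", "properties": {
  "enableRbacAuthorization": false,
  "accessPolicies": [
    {"objectId": "00000000-0000-0000-0000-0000000000aa",
     "permissions": {"secrets": ["Get", "List"], "keys": [], "certificates": []}},
    {"objectId": "00000000-0000-0000-0000-0000000000bb",
     "permissions": {"secrets": ["Get", "List", "Set", "Delete"], "keys": ["Get"]}}
  ]}}
""")

# Assumption: the service only reads secrets and lists their versions.
REQUIRED = {"get", "list"}


def audit_identity(vault, object_id, required=REQUIRED):
    """Return (status, missing, excess) for one identity's access policy entries."""
    props = vault.get("properties", {})
    if props.get("enableRbacAuthorization"):
        # Vault uses the Azure RBAC permission model: access policies are not evaluated.
        return ("rbac-model", set(), set())
    granted, other = set(), set()
    for policy in props.get("accessPolicies") or []:
        if policy.get("objectId", "").lower() != object_id.lower():
            continue
        perms = policy.get("permissions") or {}
        granted |= {p.lower() for p in perms.get("secrets") or []}
        # Anything granted on keys, certificates or storage is beyond what is needed here.
        for kind in ("keys", "certificates", "storage"):
            other |= {f"{kind}:{p.lower()}" for p in perms.get(kind) or []}
    missing = required - granted
    excess = (granted - required) | other
    status = "missing" if missing else "over-privileged" if excess else "ok"
    return (status, missing, excess)


if __name__ == "__main__":
    for policy in SAMPLE_VAULT["properties"]["accessPolicies"]:
        oid = policy["objectId"]
        print(oid, audit_identity(SAMPLE_VAULT, oid))
```
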
Testing
Simply try to list the versions of a secret when using it in a Linked Service, as in the example below.
References
Use Azure Key Vault secrets in pipeline activities — Azure Data Factory | Microsoft Learn