Fivetran External Secret Management with Azure Key Vault Setup Guide
Follow our setup guide to connect your Azure Key Vault to Fivetran to use it as an External Secret Manager.
Prerequisites
To connect your Azure Key Vault to Fivetran, you need the following:
- An Azure account with permissions to manage Azure Key Vault
- An Azure Key Vault with the Azure role-based access control (RBAC) permission model enabled
- A Fivetran account with the Account Administrator role
Fivetran only supports the Azure RBAC permission model for Key Vault. The vault access policy model is not supported. Learn how to check or change your Key Vault's permission model.
Setup instructions
Follow the steps for your deployment model.
SaaS Deployment
Find your Tenant ID
- Log in to the Azure portal.
- On the navigation menu, select Microsoft Entra ID (formerly Azure Active Directory).
- Make a note of the Tenant ID. You will need it to configure Fivetran.
Find your Vault URL
- Navigate to your Key Vault in the Azure portal.
- On the Overview page, make a note of the Vault URI. You will need it to configure Fivetran.
Grant Fivetran access to your Key Vault
- In your Key Vault, click Access Control (IAM) on the navigation menu.
- Click Add > Add role assignment.
- On the Role tab, select Key Vault Secrets User and click Next.
- On the Members tab, for Assign access to, select User, group, or service principal.
- Click + Select members.
- Search for Fivetran and select the Fivetran application from the list.
- Click Select, then click Review + assign.
- Review the assignment and click Review + assign to confirm.
Configure External Secret Manager in Fivetran
- In the Fivetran dashboard, go to Account Settings > General > External Secrets Managers.
- Click Create new secrets manager.
- Select SaaS Deployment and Azure Key Vault.
- Provide the following:
  - Secret Manager Name: An internal name for this secrets manager in Fivetran.
  - Vault URL: The Vault URI you noted earlier.
  - Tenant ID: The Tenant ID you noted earlier.
- Click Add secrets manager.
Hybrid Deployment
This guide assumes your Hybrid Deployment (HD) agent is running on an Azure Virtual Machine. If your agent runs on Azure Kubernetes Service (AKS), the steps are the same, except that in the role assignment step you select Kubernetes service instead of Virtual machine.
Find your Vault URL
- Log in to the Azure portal and navigate to your Key Vault.
- On the Overview page, make a note of the Vault URI. You will need it to configure Fivetran.
Grant your HD agent access to the Key Vault
- In your Key Vault, click Access Control (IAM) on the navigation menu.
- Click Add > Add role assignment.
- On the Role tab, select Key Vault Secrets User and click Next.
- On the Members tab, for Assign access to, select Managed identity.
- Click + Select members.
- In the Managed identity dropdown, select Virtual machine.
- Find and select the virtual machine running your HD agent.
- Click Select, then click Review + assign.
- Review the assignment and click Review + assign to confirm.
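To confirm the result of the role assignment steps (for either the Fivetran application in SaaS or the HD agent's managed identity in Hybrid), the following added example, which is not Fivetran's code, audits saved Azure CLI output for the RBAC prerequisite, the Key Vault Secrets User role, and assignments inherited from a scope broader than the vault. The vault name, subscription and resource group, and principal IDs are constructed sample values.

```python
import json

# Constructed sample: trimmed output of `az keyvault show --name kv-example`.
VAULT = json.loads("""{
  "id": "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-example",
  "properties": {"enableRbacAuthorization": true,
                 "vaultUri": "https://kv-example.vault.azure.net/"}
}""")

# Constructed sample: trimmed output of
# `az role assignment list --scope <vault id> --include-inherited`.
ASSIGNMENTS = json.loads("""[
  {"principalId": "aaaa-1111", "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-example"},
  {"principalId": "bbbb-2222", "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/0000/resourceGroups/rg-demo"},
  {"principalId": "bbbb-2222", "roleDefinitionName": "Key Vault Administrator",
   "scope": "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-example"}
]""")

REQUIRED_ROLE = "Key Vault Secrets User"  # the role this guide assigns


def audit(vault, assignments, principal_id):
    """Return findings for one principal (Fivetran app or agent identity)."""
    findings = []
    vault_id = vault["id"].lower()
    # Prerequisite from the guide: the vault must use the Azure RBAC model.
    if not vault["properties"].get("enableRbacAuthorization"):
        findings.append("vault is not using the Azure RBAC permission model")
    mine = [a for a in assignments if a["principalId"] == principal_id]
    if not any(a["roleDefinitionName"] == REQUIRED_ROLE for a in mine):
        findings.append(f"{REQUIRED_ROLE} is not assigned")
    for a in mine:
        role, scope = a["roleDefinitionName"], a["scope"].lower()
        if role != REQUIRED_ROLE:
            # Any other role is more than the guide asks for.
            findings.append(f"extra role beyond the guide: {role}")
        elif vault_id.startswith(scope + "/"):
            # Granted on a parent scope, so it covers every vault under it.
            findings.append(f"{role} inherited from a broader scope: {a['scope']}")
    return findings


if __name__ == "__main__":
    for pid in ("aaaa-1111", "bbbb-2222"):
        print(pid, audit(VAULT, ASSIGNMENTS, pid) or "OK")
```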
Configure External Secret Manager in Fivetran
- In the Fivetran dashboard, go to Account Settings > General > External Secrets Managers.
- Click Create new secrets manager.
- Select Hybrid Deployment and Azure Key Vault.
- Provide the following:
  - Secret Manager Name: An internal name for this secrets manager in Fivetran.
  - Vault URL: The Vault URI you noted earlier.
- Click Add secrets manager.
Creating secrets in Azure Key Vault
Once your External Secret Manager is configured, you can create secrets in your Azure Key Vault by navigating to Objects > Secrets and clicking Generate/Import. Azure Key Vault has no specific format requirements for secret values.
When setting up a connection or destination that uses an External Secret Manager (ESM), enter the secret name (as shown in Azure Key Vault) in the corresponding ESM key field in Fivetran.