Azure Customer-Managed Keys Setup Guide

Follow our setup guide to configure Azure customer-managed keys.

Prerequisites

To set up Azure customer-managed keys for your Fivetran account, you need:

• A Business Critical Fivetran account
• An Azure Key Vault

Setup instructions

Authorize vault access

1. Log into your Azure portal.
2. Click the menu button in the top left corner of your screen, then select Microsoft Entra ID (formerly Azure Active Directory).
3. Find the Tenant ID value and make a note of it.
4. In the Fivetran dashboard, go to Account Settings > General > Customer-Managed Keys Configuration.
5. Click Add Key.
6. Select Azure Key Vault.
7. Enter the Tenant ID you found in the previous step.
8. Click Authorize.
9. In the pop-up window, authorize the Fivetran Azure app to access your Key Vault.

Create Azure key

1. In the Azure portal, go to the Key Vaults section.
2. Click on the Key Vault that you want to use with Fivetran.
3. On the Overview page, find the Vault URI value and make a note of it. You will need it to configure Fivetran.
4. In the left menu, go to the Keys page.
5. Click + Generate/Import.
6. Enter a memorable name for your key (for example, fivetran-cmk).
7. Verify that the Key Type is RSA and the RSA key size is 4096.
8. Click Create.
9. Click on the newly-created key.
10. Click on the version marked Current Version.
11. Copy the Key Identifier value. You will need it to configure Fivetran.

Assign key permissions

1. In the Azure portal, return to the Key Vault.
2. In the left menu, go to the Access policies page.
3. Check the permission model. How you do this depends on which permissions model you use.

• If the permission model is Vault access policy, do the following:

  i. Click Add Access Policy.
  ii. In the Key permissions field, select the following permissions:

  

  iii. Click Select principal. Search for Fivetran to find the Fivetran Azure app you authorized in Step 1.
  iv. Click on the Fivetran Azure app, then click Select.
  v. Click Add.

• If the permission model is Azure role-based access control, do the following:

  i. Go to Keys.
  ii. Click on your newly-created key.
  iii. Go to Access control (IAM).
  iv. In the Grant access to this resource section, click Add role assignment (Preview).

  NOTE: If the Add role assignment (Preview) field is grayed out, you do not have appropriate permissions to assign roles in this Key Vault. Contact your Azure account administrator for help.

  v. Select Key Vault Crypto User as the role.
  vi. Click Next.
  vii. In the Assign access to section, select User, group, or service principal.
  viii. Click Select members.
  ix. Search for Fivetran to find the Fivetran Azure app you authorized in Step 1.
  x. Click on the Fivetran Azure app, then click Select.
  xi. Click Next.
  xii. Review the role, scope and members. Make sure that Fivetran is assigned as part of the role.
  xiii. Click Review + assign.

(Optional) Safelist Fivetran's IP

1. In the Azure portal, return to the Key Vault.
2. Go to the Overview page.
3. Under Firewalls and virtual networks section, check whether Allow access form option is set to Private endpoints and selected networks. If so, add Fivetran's IP 34.85.252.27/32 under the Firewall section and click Save.

Finish Fivetran configuration

1. In your Fivetran dashboard, enter the Vault URL and Key ID that you found in Step 2.
2. Click Submit.