-
Notifications
You must be signed in to change notification settings - Fork 424
Key Vault authentication with Managed Identities
Starting with JDBC Driver v8.3.0, the driver added support to authenticate to Azure Key Vaults using Managed Identities.
Azure Key Vault is a convenient option to store and manage column master keys for Always Encrypted. If the application is hosted in Azure, the user can use Managed Identities to authenticate to the Azure Key Vault, thus eliminating the need to provide and expose any credentials.
For JDBC Driver 8.3.0 and later, the driver introduced the following connection properties:
| ConnectionProperty | Values | ||
|---|---|---|---|
| keyStoreAuthentication | KeyVaultClientSecret | KeyVaultManagedIdentity | JavaKeyStorePassword |
| keyStorePrincipalId | <Azure AD Application Client ID> | <Azure AD Application object ID> (optional) | n/a |
| keyStoreSecret | <Azure AD Application Client Secret> | n/a | <secret/password for the Java Key Store> |
The following examples show how the connection properties are used in a connection string.
"jdbc:sqlserver://<server>:<port>;columnEncryptionSetting=Enabled;keyStoreAuthentication=keyStoreManagedIdentity;"
"jdbc:sqlserver://<server>:<port>;columnEncryptionSetting=Enabled;keyStoreAuthentication=keyStoreManagedIdentity;keyStorePrincipal=<principalId>"
"jdbc:sqlserver://<server>:<port>;columnEncryptionSetting=Enabled;keyStoreAuthentication=keyStoreSecret;keyStorePrincipalId=<clientId>;keyStoreSecret=<clientSecret>"
Users are encouraged to use these connection properties to specify the type of authentication used for the Key Stores instead of using the SQLServerColumnEncryptionAzureKeyVaultProvider interface as this will be deprecated in a future release.
Note: Previously added connection properties keyVaultProviderClientId1 and keyVaultProviderClientKey` are deprecated and replaced by the connection properties described above and will be removed in a future release.