Rajeev Pentyala – Microsoft Power Platform

In this article, lets learn the steps to configure Environment Variables of type ‘Secret’ using Azure Key Vault and fetch them from a simple Power Automate Cloud Flow.

Lets first understand what is an Azure Key Vault and Environment Variables.

• Azure Key Vault is a cloud-based service provided by Microsoft Azure that allows users to securely store and manage cryptographic keys, secrets, and certificates used for protecting sensitive data in cloud applications and services.
• A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

What is an Environment Variable:

• In simple words, an Environment Variable is a way to store and manage configuration values that can be used across multiple environments.
• One environment variable can be used across many different solution components – whether they’re the same type of component or different.
  • For example, a canvas app and a flow can use the same environment variable. When the value of the environment variable needs to change, you only need to change one value.

What is an Azure Key Vault:

Now that we know the basics of Environment Variables and Azure Key Vault, lets understand how these two can be used together.

High level design:

Consuming Azure Key Vault secrets in Environment Variables is two step process.

• Create and configure secrets in Azure Key Vault from Azure Portal.
• Create an Environment Variable in Power Platform and map the secrets.

Lets learn the step by step process.

Steps to create new Key Vault and Secrets:

The prerequisite is to register the PowerPlatform resource provider in your Azure subscription.

Register the PowerPlatform resource provider:

• Connect to Azure Portal and go to the Subscriptions page.

• Select the Subscription and click on ‘Resource providers’ and make sure ‘Microsoft.PowerPlatform’ is ‘Registered’ as shown below.
  • You can use ‘Re-register’ and ‘Unregister’ buttons to either register or unregister.

Create Azure Key Vault:

• From the Azure Portal, go to Key vaults page and click on ‘Create’ to create a new Key Vault.

• Provide the details and click on ‘Review + create’ to complete the creation of your new Key vault.

• Next open the newly created ‘Key Vault’ and create the ‘Secret’ by clicking on ‘Secrets’ tab.
• Click on ‘+ Generate/Import’.

• Provide ‘Name’ and ‘Secret value’ and click on ‘Create’.

• Next is the important step, which is granting ‘Key Vault’ access to the ‘Users/Service Principles’.

Setting Key Vault Access:

Azure Key Vault must have the Key Vault Secrets User role granted to the Dataverse service principal. Follow these steps.

• Click on ‘Access control (IAM)’ tab and click on ‘Add role assignment’ as shown below.

• Select ‘Assignment type‘ as ‘Job function roles’ and click ‘Next’.

• Select ‘Key Vault Secrets User‘ role and click ‘Next’.

• Click on ‘+ Select members’ and select ‘Dataverse’ under ‘Select members’ pane.

• Click ‘Review + assign’ button and complete the step.
• Next, as a last access step, click on ‘Access policies’ tab and click on ‘+ Create’.

• Select the ‘Get’ permission under ‘Secret permissions’ and click ‘Next’.

• In the next screen, select ‘Dataverse’ principal and click ‘Next’.

• On the ‘Review + create’ tab, click on ‘Create’ to complete the step.

Copy the Key Vault details:

We are done with ‘Key Vault’ set up and copy following details, which we need in next steps.

• From the ‘Overview’ tab, copy ‘Resource group’ and ‘Subscription ID’.

• From ‘Secrets’ tab, copy the ‘Secret Name’ (i.e.,secUserID) and ‘Key Vault Name’ (i.e., DemoEnvironmentVariables).

We are done with ‘Key Vault’ side of configurations. Lets connect to PowerApps maker portal and set up ‘Environment Variable’.

Steps to configure ‘Environment Variable’ of type ‘Secret’:

From the PowerApps maker portal, create or open an existing Solution.

• Click on ‘New -> Environment variable’.

• Select the ‘Data Type’ as ‘Secret’ and click on ‘+ New Azure Key Vault secret reference’ link.

• Select the ‘Secret Store’ as ‘Azure Key Vault’ and provide the ‘Azure Subscription Id’, ‘Resource Group Name’, ‘Azure Key Vault Name’ and ‘Secret Name’ values which we copied in the previous step.

• Click on ‘Save’ and you should the newly created ‘Environment Variable’ in your solution as shown below.
• Copy the name (i.e., raj_evdemosecret) which we need in next step.

We’ve completed the both ‘Key Vault’ set up and creation of Secure ‘Environment Variable’. Its time to create a cloud flow and test.

Create a cloud flow to read the secured ‘Environment Variable’ value:

• Create a new ‘Instant’ flow.

• Select ‘Manually trigger a flow’ option.
• We have a RetrieveEnvironmentVariableSecretValue unbound Action, to read the secret Environment Variable.
• So, in our flow, Select New step, select the Microsoft Dataverse connector, and then on the Actions tab select Perform an unbound action.

• Select ‘Action Name’ as RetrieveEnvironmentVariableSecretValue and ‘EnvironmentVariableName’ as the ‘Environment Variable Name’ copied in previous section (i.e., raj_evdemosecret).

• Save the flow and test. You should see ‘rajeevpentyala@live.com’ which is the secret value we configured in ‘Key Vault’.

• You will notice a ‘Flow checker’ warning with a message to ‘Turn on secure outputs…’. This is to prevent the output of the action getting exposed in the flow run history.

• Select … > Settings of  Perform an unbound action control.
• Enable the Secure Outputs option in the settings, and then select Done.

• Save the flow and warning in ‘Flow Checker’ should go way now.
• Retest the flow and you should get outputs as below.

That’s it. Hope you’ve learnt the basics of using ‘Key Vault’ and secret ‘Environment Variables’.

Refer this documentation for more details.

🙂