Use Power Automate to Fetch Secrets from Key Vault


Once you have stored security details in Azure Key Vault as described in the previous post in this series (Create Azure Key Vault to store Tenant ID, Client ID and Secret), you need a way to fetch the secrets when you need them. The Power Automate connector for Azure Key Vault includes a Get Secret action. This post shows you how to build a reusable child flow that fetches them.

This post is part of the Power Automate and Power BI REST API series.

Flow design

The flow we are going to create will be called by other flows, so it is a child flow. The flow has one parameter: the prefix of the ClientID and Secret entries stored in the Azure Key Vault. If you have completed the previous post this will be PBI-Workspace. It returns three values, TenantID, ClientID and Secret, with the Secret output secured.

List of secrets in Azure Key Vault with names PBI-Workspace-ClientID and PBI-Workspace-Secret

Because we are using child flows we need to create our flows inside a solution. I recommend creating a dedicated solution for this group of flows. I don’t want to make this blog post even longer, so please go and google creating Power Platform solutions.

Setting up the Trigger

For a child flow we use an instant flow. Type in a descriptive name and select the trigger Manually trigger a flow. When you are in the flow editor, expand the trigger and add an input for the prefix. Adding hint text will help you and other users remember what the input is for.

Adding Actions to Fetch Secrets

The flow is reasonably simple: three repeating actions that each fetch a secret. Add an action, search for Key Vault and select it, then from the list select Get Secret. If this is the first time you have connected to a Key Vault you will need to type in the key vault name and click Sign in. Be aware that every key vault has its own connection.

Azure Key Vault connection setup showing Authentication Type drop down which can be left on default and place to type in Key Vault name

The action has a very simple drop down. For the TenantID action you can just select the secret from the drop down. For the ClientID and Secret we want to use the prefix value from the trigger so that this flow is reusable. So for the ClientID and Secret select Enter custom value, then use the dynamic value Prefix followed by -ClientID and -Secret respectively.

Three actions to fetch secrets from Key Vault

Securing the Secret Value

The secret value should be kept secret, so the action output needs securing. Click on the ellipsis (3 dots) on the Get secret – Secret action and open Settings. Turn on the toggle for Secure Outputs and then click Done at the bottom of the dialog.

Menu showing settings and settings with toggle for Secure Outputs turned on

This could be done on ClientID as well if required. Each action that has a security setting applied will show a padlock. When you look at a flow run, the value of the secret will not be available in the run history.

Action with a padlock and the executed action showing Content not shown due to security configuration

Returning the Values

The final part of this flow is to return the values. For this flow to run as a child flow it must have a respond action. Click on add action and search for the Power Apps connector. It has only one action, Respond to a Power App or flow. Add three outputs to return TenantID, ClientID and Secret.

Power Apps connection showing Respond action and the action in the flow with three outputs
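To tie the three sections above together (the Get Secret actions, the Secure Outputs setting and the Respond action), here is what the finished child flow looks like as an exported flow definition. This is an added illustration, not code from the original post, and it was not generated by the designer for this flow: the action names, the `shared_keyvault` connection name, the `GetSecret` operationId with its `secret_name` parameter, and the `body/value` output reference are assumed to match what the Power Automate designer produces, so compare them with your own exported flow before relying on them. The `runtimeConfiguration.secureData` block is what the Secure Outputs toggle writes, and the `concat` expressions are how the Prefix dynamic value followed by -ClientID and -Secret appears in the definition.

```json
{
  "triggers": {
    "manual": {
      "type": "Request",
      "kind": "Button",
      "inputs": {
        "schema": {
          "type": "object",
          "properties": {
            "text": {
              "title": "Prefix",
              "type": "string",
              "description": "Prefix of the ClientID and Secret entries in Key Vault, for example PBI-Workspace"
            }
          },
          "required": ["text"]
        }
      }
    }
  },
  "actions": {
    "Get_secret_-_TenantID": {
      "type": "OpenApiConnection",
      "inputs": {
        "host": {
          "connectionName": "shared_keyvault",
          "operationId": "GetSecret",
          "apiId": "/providers/Microsoft.PowerApps/apis/shared_keyvault"
        },
        "parameters": { "secret_name": "TenantID" }
      },
      "runAfter": {}
    },
    "Get_secret_-_ClientID": {
      "type": "OpenApiConnection",
      "inputs": {
        "host": {
          "connectionName": "shared_keyvault",
          "operationId": "GetSecret",
          "apiId": "/providers/Microsoft.PowerApps/apis/shared_keyvault"
        },
        "parameters": { "secret_name": "@concat(triggerBody()['text'], '-ClientID')" }
      },
      "runAfter": { "Get_secret_-_TenantID": ["Succeeded"] }
    },
    "Get_secret_-_Secret": {
      "type": "OpenApiConnection",
      "inputs": {
        "host": {
          "connectionName": "shared_keyvault",
          "operationId": "GetSecret",
          "apiId": "/providers/Microsoft.PowerApps/apis/shared_keyvault"
        },
        "parameters": { "secret_name": "@concat(triggerBody()['text'], '-Secret')" }
      },
      "runAfter": { "Get_secret_-_ClientID": ["Succeeded"] },
      "runtimeConfiguration": { "secureData": { "properties": ["outputs"] } }
    },
    "Respond_to_a_PowerApp_or_flow": {
      "type": "Response",
      "kind": "PowerApp",
      "inputs": {
        "statusCode": 200,
        "body": {
          "tenantid": "@outputs('Get_secret_-_TenantID')?['body/value']",
          "clientid": "@outputs('Get_secret_-_ClientID')?['body/value']",
          "secret": "@outputs('Get_secret_-_Secret')?['body/value']"
        },
        "schema": {
          "type": "object",
          "properties": {
            "tenantid": { "title": "TenantID", "type": "string" },
            "clientid": { "title": "ClientID", "type": "string" },
            "secret": { "title": "Secret", "type": "string" }
          }
        }
      },
      "runAfter": { "Get_secret_-_Secret": ["Succeeded"] }
    }
  }
}
```

Only the Get secret – Secret action carries the `secureData` block, which is the padlocked action in the screenshots; if you want the ClientID hidden from run history as well, add the same `runtimeConfiguration` to the Get secret – ClientID action. Because the Respond action passes the secret value through, a calling flow still has to secure the outputs of its own Run a Child Flow action, as described in the testing section.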

Handling the Connections

When an instant flow runs, the connections are usually based on whoever started the flow. This does not work for a child flow, so you must select the connection that the child flow will use when it runs.

The changes need to be made from the flow details page: save the flow and click the blue arrow in the top left to get there. Click on Edit in the Run only users box. When the pane appears, under Connections used select a connection under Azure Key Vault. A message will appear stating that users only get access to the connection within this flow; click OK to close it and then click Save to save the changes.

Testing the flow

When you first write a child flow I suggest you write an instant flow to test it. The Run a Child Flow action is only available if your flows are in a solution. To protect the secret value you also need to secure the outputs of the Run a Child Flow action in the calling flow.

The flow with Manually trigger a flow trigger connected to Run a Child Flow action that is running Get Tenant and Secret with the parameter Prefix populated with PBI-Workspace

This tests that the flow runs as a child flow and returns values, even though we can’t see them.

Conclusion

We now have an app that can perform the action we need, we’ve secured the authentication details, and we have written a flow to securely retrieve those values. The next step is to make sure Power BI will allow us to use them.

Over 20 years’ experience of being passionate about training, solving problems and loving a new challenge, especially in Microsoft’s Power Platform suite.