Integrate with Azure Key Vault
Alation Cloud Service: Applies to Alation Cloud Service instances of Alation
Customer Managed: Applies to customer-managed instances of Alation
Applies from version 2023.1.5
Overview
Alation supports integration with Azure Key Vault for data source authentication using an OCF connector. Using Azure Key Vault allows you to consolidate your credentials in a single, secure location, preventing “credential sprawl” and enabling your organization to comply with IT security policies. You can store secrets such as database passwords and usernames, Kerberos authentication information, JDBC URI keys, and more. Alation will read credentials from Azure Key Vault when performing metadata extraction (MDE), query log ingestion (QLI), sampling, and profiling.
Note
Alation currently does not support reading secrets stored as binary certificates or JSON key/value pairs. Only single secrets in text format can be read.
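A pre-flight check for the limitation in the note above, written as an added example; it is not Alation's code and not part of the original page. It takes records shaped like the JSON printed by `az keyvault secret show` (`name`, `value`, `contentType`) and flags any secret that is not a single text value. The detection heuristics and the sample records are assumptions made for illustration.

```python
import json

# Content types Azure Key Vault sets on the secret that backs a certificate object.
CERT_CONTENT_TYPES = {"application/x-pkcs12", "application/x-pem-file"}

def classify_secret(record):
    """Return 'text', 'certificate' or 'json' for one secret record.

    Heuristic (an assumption of this example): a certificate is recognised by
    its content type or a PEM header, JSON by content type or by parsing.
    """
    content_type = (record.get("contentType") or "").lower()
    value = record.get("value") or ""
    if content_type in CERT_CONTENT_TYPES or "-----BEGIN " in value:
        return "certificate"
    if content_type == "application/json":
        return "json"
    try:
        parsed = json.loads(value)
    except ValueError:
        return "text"
    # A bare number or quoted string is still a single value; only
    # objects and arrays are structured key/value data.
    return "json" if isinstance(parsed, (dict, list)) else "text"

def unreadable_secrets(records):
    """Map secret name -> reason for every secret that is not plain text."""
    return {r["name"]: kind for r in records
            if (kind := classify_secret(r)) != "text"}

# Constructed sample records (not real secrets).
SAMPLE = [
    {"name": "pg-password", "contentType": None, "value": "example-Passw0rd"},
    {"name": "pg-login", "contentType": "text/plain", "value": "svc_alation"},
    {"name": "snowflake-creds", "contentType": None,
     "value": '{"username": "svc", "password": "example"}'},
    {"name": "tls-cert", "contentType": "application/x-pkcs12",
     "value": "TUlJ...constructed"},
    {"name": "numeric-pin", "contentType": None, "value": "12345"},
]

if __name__ == "__main__":
    for name, kind in unreadable_secrets(SAMPLE).items():
        print(f"{name}: stored as {kind}; store it as a single text value")
```

Run it against metadata exported from the vault before pointing a data source at a secret, and split any JSON bundle into one secret per credential field.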
Alation can integrate with Azure Key Vault in two ways:
Using a Managed Identity with the Alation Agent—This is the recommended method. The Alation Agent uses a managed identity to authenticate with Azure Key Vault. This method is more secure and easier to manage than using client secret authentication. This method is available for Alation Cloud Service versions 2025.1.2 and later.
Using Client Secret Authentication—This method requires you to create an application in Azure Active Directory and use a client secret to authenticate with Azure Key Vault. This method is less secure and requires more management overhead than using a managed identity.