Data Factory & Synapse with managed VNET cannot connect to Keyvault

Credit

Thank you to Olivier Martin for your valuable insights and contributions to this post. Olivier Martin is a Microsoft Cloud Solution Architect for data analytics & AI.

TLDR

When creating a linked service to a Key Vault that is reachable only through a private endpoint, from a Data Factory or Synapse workspace that uses a managed virtual network, the UI has no way to test the connection or to list the key vault's secrets and secret versions.

This is a known limitation of managed VNET. The workaround is simple: enter the secret name (and version, if you need one) manually using the edit option rather than the dropdown, then save the linked service. The secret will resolve correctly when the linked service is used in a pipeline or data flow.

Environment

Consider this scenario: you have a key vault that uses only a private endpoint, with all public network access disabled.

You have a Synapse workspace or Azure Data Factory that uses a managed VNET. You created a managed private endpoint from the data factory to the key vault, created the linked service for the key vault using the managed identity, and verified that all the required permissions are granted.

Testing the linked service

When testing the linked service with the To linked service option, the test reports success. However, this test only checks whether the key vault's base URL is valid; it is not an indication that secrets can actually be retrieved.

If you choose the To secret option instead, you see two behaviors:

  • You can't see the list of secrets or versions in the dropdown
  • Even after typing the secret name, the test fails

Key vault secrets in another linked service

Key Vault is not a data source for Synapse or Data Factory; it stores secrets for other linked services that act as data sources. Because the integration runtime (IR) is provisioned inside the managed VNET, it cannot reach the key vault at authoring time, which is why the UI cannot test the secret. One can argue that this is missing functionality of the IR inside a managed VNET, and I wouldn't disagree.

However, once the linked service is created and saved, the IR will be able to access the key vault and use the secrets when the linked service runs in a pipeline or data flow.
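Concretely, the manual entry described in the TLDR and in this section comes down to two linked service definitions: the Key Vault linked service itself, and a data-source linked service whose credential is an AzureKeyVaultSecret reference to it. The JSON below is an added illustration, not code from the original post; the two definitions are combined in one array only for readability, and in the Synapse or Data Factory UI each one is pasted separately into the linked service code editor. The key vault name, secret name, secret version and linked service names are placeholders, and the Azure SQL Database linked service is just one example of a consumer.

```json
[
  {
    "name": "AzureKeyVaultLinkedService",
    "properties": {
      "type": "AzureKeyVault",
      "typeProperties": {
        "baseUrl": "https://<your-key-vault-name>.vault.azure.net/"
      }
    }
  },
  {
    "name": "AzureSqlDatabaseLinkedService",
    "properties": {
      "type": "AzureSqlDatabase",
      "typeProperties": {
        "connectionString": {
          "type": "AzureKeyVaultSecret",
          "store": {
            "referenceName": "AzureKeyVaultLinkedService",
            "type": "LinkedServiceReference"
          },
          "secretName": "<your-secret-name>",
          "secretVersion": "<optional-secret-version>"
        }
      },
      "connectVia": {
        "referenceName": "AutoResolveIntegrationRuntime",
        "type": "IntegrationRuntimeReference"
      }
    }
  }
]
```

The Key Vault linked service carries no credential because the workspace's managed identity is used to authenticate. Leave out secretVersion to always read the latest version of the secret; the dropdown will stay empty either way, so both values are typed in. Because the secret is only read when the consuming linked service runs, the meaningful check is not the UI test button but a debug run of a small pipeline (for example a Lookup or Copy activity) that uses the linked service, after confirming that the managed private endpoint shows as approved on the key vault's private endpoint connections.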
