A lot of my blog posts lately have included calling app web / REST / OData APIs using the HTTP action in Power Automate; examples can be found here. In those examples, a Key is required for the API authentication in the HTTP action. In my blog post examples I store the Key in a variable but always mention that in a production scenario the Key should be secured in something like Azure Key Vault. In this blog post we will do exactly that: we will walk through using Azure Key Vault to store the API Key that is used in a Power Automate HTTP action.
Firstly we’ll need access to an Azure Key Vault to store the Key in. For the purpose of this blog post, I’ve created a new test Azure Key Vault that is not used for any production config. My test Azure Key Vault can be seen below:
This uses Azure RBAC (role-based access control), so any user who wants to create a connection in Power Automate / Power Platform will need a role assignment on the Key Vault that allows them to read the secrets. This should be “Key Vault Secrets User” if they only need read access.
You will also need to ensure the Network access on the Key Vault allows Power Automate access. To do this, all of the outbound IP addresses used by the Power Automate cloud flows should be enabled in the firewall.
The list of IP addresses can be found here: https://learn.microsoft.com/en-us/power-platform/admin/online-requirements#ip-addresses-required
Now that access is set up for the user to read the secrets and the Azure Key Vault Network access allows Power Automate, the API key is added to the Key Vault:
The secret key value is securely stored in Azure Key Vault:
These Azure Key Vault steps would all be set up beforehand by your Azure Admin. Now we jump over to Power Automate. Here we have a very simple Power Automate flow example to demonstrate using the Azure Key Vault action to get the secret and then use this secret securely in an HTTP call. The example HTTP call is using the edison365 APIs but the same concept will work for any HTTP call that requires a Key.
At this point the connection to Azure Key Vault has already been set up in my Power Automate environment but this can be seen below for reference:
Clicking on the “Get secret” action we select the name of the secret:
If this step gives you an error, speak to your Azure admin, as it is likely that either a Network / Firewall issue on the Key Vault is blocking access, or the account used in the Azure Key Vault Power Automate Connection does not have permission to read the secrets in the Key Vault.
Now click on the Settings tab and set “Secure outputs” to on. Notice the padlock icon on the “Get secret” card once this is set:
This prevents the secret key being exposed in the flow history. Now clicking on the HTTP action we can see the Key Vault secret value being passed in:
Now we can run the flow to test it and see the output. Looking at the “Get secret” action, notice the output is not available due to securing the output on the “Get secret” action settings:
Looking at the HTTP action, notice the Inputs are not available due to securing the output on the “Get secret” action:
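To check the “Secure outputs” setting across flows rather than by eye, the following added example (not part of the original walkthrough) scans an exported flow definition for Key Vault “Get secret” actions whose outputs are not secured. It assumes the export follows the Logic Apps workflow schema, where the setting is stored under `runtimeConfiguration.secureData.properties` and the action is identified by the `GetSecret` operation ID; the sample definition and secret names are constructed.

```python
import json

# Constructed sample of an exported flow definition (not from the original post).
# Assumption: the "Secure outputs" toggle is stored under
# runtimeConfiguration.secureData.properties, as in the Logic Apps workflow schema.
SAMPLE_FLOW = json.loads("""
{"actions": {
  "Get_secret": {
    "type": "OpenApiConnection",
    "inputs": {"host": {"connectionName": "shared_keyvault", "operationId": "GetSecret"},
               "parameters": {"secretName": "example-api-key"}},
    "runtimeConfiguration": {"secureData": {"properties": ["outputs"]}}},
  "Scope": {
    "type": "Scope",
    "actions": {
      "Get_secret_2": {
        "type": "OpenApiConnection",
        "inputs": {"host": {"connectionName": "shared_keyvault", "operationId": "GetSecret"},
                   "parameters": {"secretName": "example-other-key"}}}}}
}}
""")


def iter_actions(container):
    """Yield (name, action) for every action, including nested scopes and branches."""
    for name, action in container.get("actions", {}).items():
        yield name, action
        yield from iter_actions(action)                   # Scope, If-true, loops
        yield from iter_actions(action.get("else", {}))   # If-false branch
        for case in action.get("cases", {}).values():     # Switch cases
            yield from iter_actions(case)
        yield from iter_actions(action.get("default", {}))


def unsecured_secret_reads(definition):
    """Return names of 'Get secret' actions that do not have Secure outputs on."""
    findings = []
    for name, action in iter_actions(definition):
        inputs = action.get("inputs")
        host = inputs.get("host") if isinstance(inputs, dict) else None
        if not isinstance(host, dict) or host.get("operationId") != "GetSecret":
            continue
        secure = action.get("runtimeConfiguration", {}).get("secureData", {})
        if "outputs" not in secure.get("properties", []):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(unsecured_secret_reads(SAMPLE_FLOW))
```

Any action name it returns is a “Get secret” step whose value would be visible in the flow run history.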
We now have a Power Automate flow HTTP action securely using an API key stored in Azure Key Vault. Hopefully you find this useful as security should always be top of mind.