Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space DEV and version r0682

D toc

For authentication purposes, the

D s platform
must be integrated with an Azure Key Vault keystore.

Please complete the following sections to create and configure your Azure Key Vault.

Create a Key Vault resource in Azure

Excerpt Include
Azure Install Create Key Vault
Azure Install Create Key Vault

Configure Key Vault for WASB

Create WASB access token

If you are enabling access to WASB, you must create this token within the Azure Portal.

For more information, see

You must specify the storage protocol ( wasbs ) used by the

D s platform

Configure Key Vault key and secret for WASB

In the Key Vault, you can create key and secret pairs for use.

Base Storage LayerDescription


D s platform
creates its own key-secret combinations in the Key Vault. No additional configuration is required.

Please skip this section and populate the Key Vault URL into the

D s platform

WASBFor WASB, you must create key and secret values that match other values in your Azure configuration. Instructions are below.

WASB: To enable access to the Key Vault, you must specify your key and secret values as follows:

ItemApplicable Configuration

The value of the key must be specified as the sasTokenId in the

D s platform


The value of the secret should match the shared access signature for your storage. This value is specified as sasToken in the

D s platform

Acquire shared access signature value:

In the Azure portal, please do the following:

  1. Open your storage account.
  2. Select Shared Access Signature .
  3. Generate or view existing signatures.
  4. For a new or existing signature, copy the SAS token value. Omit the leading question mark (?).
  5. Paste this value into a text file for safekeeping.

Create a custom key:

To create a custom key and secret pair for WASB use by the

D s platform
, please complete the following steps:

  1. On an existing or newly created Azure Key Vault resource, click Secrets.
  2. At the top of the menu, click Generate/Import.
  3. In the Create a secret menu:
    1. Select Manual for upload options.
    2. Chose an appropriate name for the key.


      NOTE: Please retain the name of the key for later use, when it is applied through the

      D s platform
      as the sasTokenId value. Instructions are provided later.

    3. Paste the SAS token value for the key into the secret field.
    4. Click Create.

Configure Key Vault Location

For ADLS or WASB, the location of the Azure Key Vault must be specified for the 

D s platform
. The location can be found in the properties section of the Key Vault resource in the Azure portal.


  1. Log in to the Azure portal.
  2. Select the Key Vault resource.
  3. Click Properties.
  4. Locate the DNS Name field. Copy the field value.

This value is the location for the Key Vault. It must be applied in the

D s platform


  1. D s config
  2. Specify the URL in the following parameter:

    Code Block
    "azure.keyVaultURL": "<your key value URL>",

Apply SAS token identifier for WASB

If you are using WASB as your base storage layer, you must apply the SAS token value into the configuration of the

D s platform


  1. D s config
  2. Paste the value of the SAS Token for the key you created in the Key Vault as the following value:

    Code Block
    "azure.wasb.defaultStore.sasTokenId": "<your Sas Token Id>",
  3. Save your changes.

Configure Secure Token Service

Access to the Key Vault requires use of the secure token service (STS) from the

D s platform
. To use STS with Azure, the following properties must be specified.


NOTE: Except in rare cases, the other properties for secure token service do not need to be modified.

D s config


" secure-token-service .autorestart"

Set this value to true to enable auto-restarting of the secure token service.

"secure-token-service.port"Set this value to 8090.
" refresh_token_encryption_key"

Enter a base64 string to serve as your encryption key for the refresh token of the secure token service.

A default encryption key is inserted for you.


NOTE: If a valid base64 string value is not provided here, the platform fails to start.

"secure-token-service.userIdHashingPepper"Enter a base64 string.