top of page

Challenge 028 | Secrets in Power Platform

Recently I needed to integrate with a service that doesn't have a Power Platform connector. I tried creating a custom connector for this service, but the authentication Oauth 2 Client Credentials method is not supported in Custom Connectors. For now, we chose to use the default HTTP connector to make this work. That means we work with secrets. In this challenge we will dive into how to use them.

Challenge Objectives

🎯 Learn about secrets and how to store them securely

🎯 Know how to retrieve the secrets in Power Platform

🎯 Learn when to use secure in- and outputs in your flow

Introduction

Connectors are a big part of the Power Platform. In fact, these are wrappers around an API (Application Programming Interface). In order to interact with the system the API is built for, you usually need some form of authentication. The most common ones are:

HTTP basic authentication

When you use this type of authentication, you send the username and password for authentication. The downside of this method is that the credentials aren't hashed or encrypted, so this isn't the most secure option.

API key authentication

This form of authentication uses an API key, which is a unique identifier. The platform you interact with know who this key belongs to. A bit more secure as you cannot log-in with through the interface, but the API key itself can give much permissions once obtained. We will work with this authentication method in this challenge, as this might be the most familiar one.

Oauth authentication

This is a token based authentication method. The major difference is that token usually have an expiration time. The platform that made me create this challenge use tokens that would live for only 60 seconds. That is why this is a more secure option, and therefor the current golden standard.

With the last two options, you want to make sure that the key or token are kept secret. That is what we will focus on.

Get an API

There are loads of APIs available. For this challenge, we will be using the API-FORMULA-1 API that is hosted on Rapid API. Rapid API is a platform that democratizes and monetizes, so a very useful resource to try things out or find interesting APIs.

  1. Create an account on Rapid API

  2. Enter creditcard credentials. We will be using a basic plan, which will not generate any costs.

  3. Subscribe to the API Basic tier

  4. Go to the Apps page

  5. search for the Authorization tab. Do you see the API key there? This is the thing we will be using.

Use the API

Now that we have an API we can use, let's add it to our Power Platform world.

  1. Go to make.powerapps.com

  2. Create a new solution

  3. Add a manually triggered flow to your solution

  4. Add the HTTP action

  5. Search for the teams rankings in the API-FORMULA-1 API

You can see that it uses a GET method. This is the first required parameter in the HTTP connector. The next is the URI. You can find that in the Code Snippets on the right side.

Then you will see headers and queries. The headers are also shown in Rapid API. you can just add both of them. Note that the X-RapidAPI-Key is the actual API key that Rapid API made for you. Keep this to yourself. Rapid API also shows that there is a required parameter called season. It needs a year, but the Code Snippets section shows that the year number is actual in text format. You can put this parameter in the queries section. You can also add the season as text input, so that you make the flow a bit more dynamic. Your flow should look like the image below, but the with an API key.

Save and test your flow. Do you get some output? You probably do.

Use secure input

We are getting the output that we want. The problem is that it isn't as secure as you would like. Although it uses HTTPS (which should make it secured during transit), the input parameters are stored in logs. the good thing is that there has been a feature for well over a year already to address this. It's called secure input and output.

In your Power Automate flow, select the ellipsis on the HTTP action and select settings. There is a simple toggle to enable Secure Inputs. Press done and you are all set.

We now have a fairly secure flow that get the information from another source. There is still an issue. The API key is just there. Maybe we want to renew the API key once in a while, just like we do with our passwords. Some systems even enforce you to with an expiration date on the API key. The problem with our current setup is that we need to update our flow, just to update the API key. If we put it in a solution, we need to redeploy it just for this. We also need to be very keen on which flows uses which API key. That is hard to manage. That is where Azure Key Vault can be of help.

Azure Key Vault

This is a service on Azure for storing secrets. You can think of it as a password manager. The cool thing is that there is an integration with Power Platform. let's make it work.

  1. Go to portal.azure.com

  2. Create a new Resource group called Challenge-028

  3. add a key vault to your resource group

Once the vault is created, you can add a secret to it. In our case, we want to store the API key there. It might not sound too intuitive, but we do need to store the API key as a secret, and not as a key.

Once we have stored the API key as a secret, we can link to it from within Power Platform.

  1. Go to your subscription

  2. Navigate to Resource providers

  3. Search Microsoft.PowerPlatform, select it and click on register. This step is allowed so that Power Platform can interact with this subscription

  4. Make sure that Dataverse and your account have Key Vault Secrets User permissions. Steps until here can be found on Microsoft Learn.

  5. Go to your solution

  6. Add a new Environment Variable

  7. Name it API-FORMULA-1

  8. Select Secret as the Data type

  9. Select Azure Key Vault as the Secret Store

  10. Enter the fields in the current value. You can get these from within your key vault

By now, you are able to use the Secret in all other Power Platform assets. just like the flow you created earlier.

Update your flow

  1. Add a Dataverse action named Perform an unbound action

  2. Search for RetrieveEnvironmentVariableSecretValue as the action name

  3. Enter the system name of your environment variable

  4. Make sure to enable secure output, as the output of this action will contain the API key

When you update the x-rapidapi-key header input from the text input to dynamic content, you will see that the dynamic content will have a lock icon next to it. Because you made the unbound action secure output, it will inherit that setting wherever you use it. Your flow should look like the image below.

Refresh the API key

We've mentioned that renewing the API keys is good practice. Let's do while making sure the flow will stay working.

  1. Go to your App (default application) in Rapid API

  2. Add a new authorization

  3. Give it a name (API key) and leave the Authorization type to RapidAPI

  4. Note that you can have only two authorizations. This feature is exactly for renewing the keys.

  5. Copy the API key from Rapid API

  6. Go to your Key Vault and open the API-FORMULA-1-APIkey Secret

  7. Select New Version and add the copied key in here

  8. Try the flow again to see if it works

  9. If all went well, you can disable the older version

  10. You can now also remove the old API key in Rapid API

Note that you haven't updated anything within the solution. This means you can manage the secrets solely in Key Vault and the platform you interact with. Pretty nice stuff.

Additional Information

Key Vault is an Azure resource, which will be bill the costs to your subscription. The good thing is that Key Vault is really cheap. Getting a subscription might be a hard thing within your organization. If this is the case, try to get a resource group with a billing cap. If you want to know more about this, I highly recommend learning for the AZ-900 exam. This will go through all the basics which you will need to understand what you actually need.

Key Takeaways

👉🏻 Secrets must be treated as such. Secure in and output FTW

👉🏻 If working with secrets, definitely consider using a Key Vault

👉🏻 When you use Environment Variables based on Key Vault, you can manage secrets outside of your solution

Comentarios


bottom of page