Configure Azure Data Factory Security for the ADF REST API

Before using the Azure Data Factory’s REST API in a Web activity’s Settings tab, security must be configured. Azure Data Factory pipelines may use the Web activity to call ADF REST API methods if and only if the Azure Data Factory managed identity is assigned the Contributor role.

More information about the problem I am trying to solve appears at the end of this post.

Configuring Security

You must first add the Azure Data Factory managed identity to the Contributor security role. Begin by opening the Azure Portal and clicking the “All resources” link on the left menu. Select the instance of Azure Data Factory from the list:

When the ADF page displays, click the “Access control (IAM)” link to navigate to the Access control (IAM) page:

You may search for the Data Factory Managed Identity from the “Check access” tab by setting the Find dropdown to Data Factory, selecting the subscription, and then entering the name of the Azure Data Factory instance in the “Search by name” textbox:

 

Click the “Add” button in the “Add a role assignment” box to begin adding a role to the identity of the ADF instance name:

As previously stated, pipelines may use the Web activity to call ADF REST API methods if and only if the Azure Data Factory managed identity is assigned the Contributor role.

When the “Add role assignment” blade displays, select Contributor from the Role dropdown and search again for the identity of the ADF instance name:

Click on the aDemo identity to begin adding the identity of the ADF instance name to the Contributor role:

Click the Save button to complete adding the identity of the ADF instance name to the Contributor role. The Role assignments page should now display the identity of the ADF instance name assigned to the Contributor role:


The Problem I Am Trying to Solve

If one attempts to call an ADF REST API method and the ADF managed identity is not a member of the Contributor role, one will receive a message similar to:

Operation on target Cancel failed: {"error":{"code":"AuthorizationFailed","message":"The client '<client>' with object id '<object>' does not have authorization to perform action 'Microsoft.DataFactory/factories/pipelineruns/cancel/action' over scope '/subscriptions/<subscription>/resourceGroups/<resource group>/providers/Microsoft.DataFactory/factories/<data factory name>/pipelineruns/<pipeline run id>' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

(Pro tip: Include the text of error messages in your blog posts. Search engines love text.)
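As an added example (not part of the original post), the Python below parses the AuthorizationFailed text shown above, including copies whose quotes were turned into smart quotes by blog rendering, and builds the Azure CLI arguments that grant Contributor at the data factory scope only rather than at the subscription. The GUIDs, rg-example and run-0001 are constructed sample values, and the function names are hypothetical.

```python
import json
import re

# Blog and ticket rendering turns ASCII quotes into smart quotes; map them back.
_QUOTES = str.maketrans({"“": '"', "”": '"', "‘": "'", "’": "'"})
_DETAIL = re.compile(
    r"object id '(?P<object_id>[^']+)' does not have authorization to perform "
    r"action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'"
)
_FACTORY = re.compile(r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.DataFactory/factories/[^/]+", re.I)
_GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample: the error text from the post with placeholder values filled in.
SUB = "00000000-0000-0000-0000-0000000000aa"
OID = "00000000-0000-0000-0000-0000000000bb"
SAMPLE = (
    "Operation on target Cancel failed: {“error”:{“code”:”AuthorizationFailed”,”message”:”The client "
    f"‘{OID}’ with object id ‘{OID}’ does not have authorization to perform action "
    "‘Microsoft.DataFactory/factories/pipelineruns/cancel/action’ over scope "
    f"‘/subscriptions/{SUB}/resourceGroups/rg-example/providers/Microsoft.DataFactory/factories/aDemo"
    "/pipelineruns/run-0001’ or the scope is invalid.”}}"
)


def parse_authorization_failed(text):
    """Return object_id, action and scope from an AuthorizationFailed error, else None."""
    text = text.translate(_QUOTES)
    start = text.find("{")
    if start == -1:
        return None
    try:
        error = json.JSONDecoder().raw_decode(text, start)[0]["error"]
        if error["code"] != "AuthorizationFailed":
            return None
        match = _DETAIL.search(error["message"])
    except (ValueError, KeyError, TypeError):
        return None
    return match.groupdict() if match else None


def contributor_assignment_argv(finding):
    """Azure CLI argv granting Contributor at the factory scope only (run-level scope is trimmed)."""
    scope = _FACTORY.match(finding["scope"])
    if not scope or not _GUID.fullmatch(finding["object_id"]):
        raise ValueError("unexpected scope or object id in error text")
    return ["az", "role", "assignment", "create", "--assignee-object-id", finding["object_id"],
            "--assignee-principal-type", "ServicePrincipal",
            "--role", "Contributor", "--scope", scope.group(0)]
```

Passing the result as an argument list (for example to subprocess.run) avoids shell quoting of values taken from error text.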

Conclusion

I wrote this post to help me remember to set up this security requirement. I forget often. Plus, it may help you. :{>


Andy Leonard

andyleonard.blog

Christian, husband, dad, grandpa, Data Philosopher, Data Engineer, Azure Data Factory, SSIS guy, and farmer. I was cloud before cloud was cool. :{>
