Recently I needed to integrate with a service that doesn't have a Power Platform connector. I tried creating a custom connector for this service, but the OAuth 2 Client Credentials authentication method is not supported in custom connectors. For now, we chose to use the default HTTP connector to make this work. That means we work with secrets. In this challenge we will dive into how to use them.
Challenge Objectives
🎯 Learn about secrets and how to store them securely
🎯 Know how to retrieve the secrets in Power Platform
🎯 Learn when to use secure inputs and outputs in your flow
Introduction
Connectors are a big part of the Power Platform. In fact, these are wrappers around an API (Application Programming Interface). In order to interact with the system the API is built for, you usually need some form of authentication. The most common ones are:
HTTP basic authentication
When you use this type of authentication, you send the username and password with the request. The downside of this method is that the credentials aren't hashed or encrypted, so this isn't the most secure option.
API key authentication
This form of authentication uses an API key, which is a unique identifier. The platform you interact with knows who this key belongs to. This is a bit more secure, as you cannot log in with it through the interface, but the API key itself can grant a lot of permissions once obtained. We will work with this authentication method in this challenge, as this might be the most familiar one.
OAuth authentication
This is a token-based authentication method. The major difference is that tokens usually have an expiration time. The platform that made me create this challenge uses tokens that would live for only 60 seconds. That is why this is a more secure option, and therefore the current gold standard.
With the last two options, you want to make sure that the key or token is kept secret. That is what we will focus on.
Get an API
There are loads of APIs available. For this challenge, we will be using the API-FORMULA-1 API that is hosted on Rapid API. Rapid API is a platform that democratizes and monetizes APIs, so it is a very useful resource for trying things out or finding interesting APIs.
Use the API
Now that we have an API we can use, let's add it to our Power Platform world.
Go to make.powerapps.com
Create a new solution
Add a manually triggered flow to your solution
Add the HTTP action
Search for the teams rankings in the API-FORMULA-1 API
You can see that it uses a GET method. This is the first required parameter in the HTTP connector. The next is the URI. You can find that in the Code Snippets on the right side.
Then you will see headers and queries. The headers are also shown in Rapid API. You can just add both of them. Note that the X-RapidAPI-Key is the actual API key that Rapid API made for you. Keep this to yourself. Rapid API also shows that there is a required parameter called season. It needs a year, but the Code Snippets section shows that the year number is actually in text format. You can put this parameter in the queries section. You can also add the season as a text input, so that you make the flow a bit more dynamic. Your flow should look like the image below, but with an API key.
Save and test your flow. Do you get some output? You probably do.
Use secure input
We are getting the output that we want. The problem is that it isn't as secure as you would like. Although it uses HTTPS (which should make it secure in transit), the input parameters are stored in logs. The good thing is that there has been a feature for well over a year already to address this. It's called secure input and output.
In your Power Automate flow, select the ellipsis on the HTTP action and select Settings. There is a simple toggle to enable Secure Inputs. Press Done and you are all set.
We now have a fairly secure flow that gets the information from another source. There is still an issue. The API key is just there. Maybe we want to renew the API key once in a while, just like we do with our passwords. Some systems even force you to, with an expiration date on the API key. The problem with our current setup is that we need to update our flow just to update the API key. If we put it in a solution, we need to redeploy it just for this. We also need to keep careful track of which flows use which API key. That is hard to manage. That is where Azure Key Vault can be of help.
Azure Key Vault
This is a service on Azure for storing secrets. You can think of it as a password manager. The cool thing is that there is an integration with Power Platform. Let's make it work.
Go to portal.azure.com
Create a new Resource group called Challenge-028
Add a key vault to your resource group
Once the vault is created, you can add a secret to it. In our case, we want to store the API key there. It might not sound too intuitive, but we do need to store the API key as a secret, and not as a key.
Once we have stored the API key as a secret, we can link to it from within Power Platform.
Go to your subscription
Navigate to Resource providers
Search for Microsoft.PowerPlatform, select it and click Register. This step allows Power Platform to interact with this subscription
Make sure that Dataverse and your account have Key Vault Secrets User permissions. The steps up to this point can be found on Microsoft Learn.
Go to your solution
Add a new Environment Variable
Name it API-FORMULA-1
Select Secret as the Data type
Select Azure Key Vault as the Secret Store
Enter the fields in the current value. You can get these from within your key vault
By now, you are able to use the secret in all other Power Platform assets, just like the flow you created earlier.
Update your flow
Add a Dataverse action named Perform an unbound action
Search for RetrieveEnvironmentVariableSecretValue as the action name
Enter the system name of your environment variable
Make sure to enable secure output, as the output of this action will contain the API key
When you update the x-rapidapi-key header input from the text input to dynamic content, you will see that the dynamic content will have a lock icon next to it. Because you made the unbound action secure output, it will inherit that setting wherever you use it. Your flow should look like the image below.
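The progression above (key typed into the header, then secure input, then Key Vault with secure output) can be checked mechanically. The following is an added example, not part of the original challenge: a small audit over flow definitions. The action layout (runtimeConfiguration.secureData.properties, inputs.headers, inputs.parameters) is an assumption about how the flow definition stores these settings, and the URI, key, variable name and flows are constructed samples.

```python
import re
SECRET_HEADER = re.compile(r"key|token|secret|authorization", re.I)
SECRET_ACTION = "RetrieveEnvironmentVariableSecretValue"

def secured(action, side):
    """True if secure 'inputs' or 'outputs' (side) is enabled on the action."""
    data = action.get("runtimeConfiguration", {}).get("secureData", {})
    return side in data.get("properties", [])

def audit_flow(definition):
    """Return sorted (action, finding) pairs for one flow definition."""
    findings = []
    for name, action in definition.get("actions", {}).items():
        inputs = action.get("inputs", {})
        for header, value in inputs.get("headers", {}).items():
            # A value that is not an expression is a key typed into the flow.
            if SECRET_HEADER.search(header) and not str(value).startswith("@"):
                findings.append((name, "literal-secret-in-definition"))
                if not secured(action, "inputs"):
                    findings.append((name, "secret-stored-in-run-logs"))
        params = inputs.get("parameters", {})
        if params.get("actionName") == SECRET_ACTION and not secured(action, "outputs"):
            findings.append((name, "secret-output-not-secured"))
    return sorted(findings)

# Constructed sample actions: field layout, URI, key and variable name are assumptions.
def http_action(key_value, secure_inputs=False):
    action = {"type": "Http", "inputs": {"method": "GET",
        "uri": "https://api.example.test/rankings/teams",
        "headers": {"X-RapidAPI-Key": key_value}}}
    if secure_inputs:
        action["runtimeConfiguration"] = {"secureData": {"properties": ["inputs"]}}
    return action

def secret_action(secure_outputs):
    action = {"type": "OpenApiConnection", "inputs": {"parameters": {
        "actionName": SECRET_ACTION, "EnvironmentVariableName": "new_APIFORMULA1"}}}
    if secure_outputs:
        action["runtimeConfiguration"] = {"secureData": {"properties": ["outputs"]}}
    return action

KV_REF = "@outputs('Get_secret')?['body/EnvironmentVariableSecretValue']"
FLOWS = {
    "hardcoded": {"actions": {"HTTP": http_action("CONSTRUCTED-KEY")}},
    "secure_input": {"actions": {"HTTP": http_action("CONSTRUCTED-KEY", True)}},
    "key_vault": {"actions": {"Get_secret": secret_action(True), "HTTP": http_action(KV_REF)}},
    "unsecured_output": {"actions": {"Get_secret": secret_action(False), "HTTP": http_action(KV_REF)}},
}
for flow_name, flow in FLOWS.items():
    print(flow_name, audit_flow(flow))
```

Secure input alone still leaves the literal key in the flow definition, which is why the second sample flow keeps one finding; only the Key Vault version with secure output comes back clean.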
Refresh the API key
We've mentioned that renewing the API keys is good practice. Let's do that while making sure the flow keeps working.
Go to your App (default application) in Rapid API
Add a new authorization
Give it a name (API key) and leave the Authorization type set to RapidAPI
Note that you can have only two authorizations. This feature is exactly for renewing the keys.
Copy the API key from Rapid API
Go to your Key Vault and open the API-FORMULA-1-APIkey Secret
Select New Version and add the copied key in here
Try the flow again to see if it works
If all went well, you can disable the older version
You can now also remove the old API key in Rapid API
Note that you haven't updated anything within the solution. This means you can manage the secrets solely in Key Vault and the platform you interact with. Pretty nice stuff.
Additional Information
Key Vault is an Azure resource, which will bill its costs to your subscription. The good thing is that Key Vault is really cheap. Getting a subscription might be a hard thing within your organization. If this is the case, try to get a resource group with a billing cap. If you want to know more about this, I highly recommend studying for the AZ-900 exam. This will go through all the basics which you will need to understand what you actually need.
Key Takeaways
👉🏻 Secrets must be treated as such. Secure inputs and outputs FTW
👉🏻 If working with secrets, definitely consider using a Key Vault
👉🏻 When you use Environment Variables based on Key Vault, you can manage secrets outside of your solution