Trigger HTTP flows with Azure Key Vault secret

In a previous post, I was comparing HTTP and Instant triggers, and how HTTP triggers require more work BUT have more benefits. Today’s post is about securing your HTTP trigger URLs in the Azure Key Vault, and how to retrieve them.

Steps details

Here are all the steps we’ll need to secure our URLs for a real world scenario:

1. Create the HTTP triggered flow (so we get the URL)
2. Create a secret in Azure Key Vault
3. Create an Environment Variable to use in the flow

Flows

Let’s create 2 flows:

• Flow 1: “When an item is created” – Will trigger Flow 2
• Flow 2: “When an HTTP request is received”

Once we save Flow2, a URL will be generated. Copy it for the next step 🙂

Azure Key Vault secret

With the HTTP trigger, the URL is the most sensitive piece of information. So we’re going to secure it.

Before we create a secret, we need to create an Azure Key Vault. Once done, we’ll add our flow URL. We need to create the secret BEFORE otherwise we won’t be able to save the Environment Variable.

1. Go to your Azure Key Vault
2. Click on Secrets (left navigation)
3. Click on Generate/Import
4. Give a meaningful name
5. In Secret value, paste the flow URL (copied previously)
6. Click on Create

Environment Variable

Now that we’ve got our secret created, we can move on to the Environment Variable.

• Choose a Display name
• Data type: Secret
• Secret store: Azure Key Vault
• Click on New Azure Key Vault secret reference

Then enter the required information:

• Azure Subscription Id (get it in the Azure Portal)
• Resource Group Name (where you created your Azure Key Vault in)
• Azure Key Vault Name
• Secret Name (name given when creating the secret)
• Click on Save

Flow configuration

The last step is to retrieve the secret in Flow1 so it’s used for calling Flow2 (the HTTP triggered flow).

In Flow1, add the Perform an unbound action where the Action Name is RetrieveEnvironmentVariableSecretValue. When it comes to the EnvironmentVariableName value, this is the Name of the environment variable (not the DisplayName)

And finally, make sure to go the Settings, and turn on Secure Outputs 🙂 Now you’re all set!

Note: The Method for both flows (when calling and receiving the HTTP) depends on what your flows are doing. Here I’m only GETting the ID, but more often than not, it’s a POST method.

Thanks for reading! 🙂