Power Automate: Store your API Access tokens in Azure Key Vaults and automatically renew them!


In many Power Automate solutions, it’s common to see API credentials being fetched at the start of the flows – like client IDs and secrets exposed within HTTP actions. While this might be a quick setup, it poses some security risks and can lead to developers using it in an insecure environment. Also, if one single Power Automate flow is configured to authenticate every five minutes, 24/7, it results in 288 unnecessary actions per day just for retrieving and parsing a token. This can quickly consume your “Actions per 24 hours” limit, as outlined in Microsoft’s documentation.

A more secure and efficient approach is to have one Power Automate flow with integration to update Azure Key Vault based on its token lifetime dynamically. By storing your API credentials securely in Azure Key Vault, you can safeguard sensitive information while also enabling automatic token renewal. This ensures your tokens are updated seamlessly without manual intervention, reducing the risk of credential exposure and minimizing management overhead.

In today’s blog post, we’ll guide you through setting up a Power Automate flow that automatically renews an OAuth token using Azure Key Vault. We’ll show you how to securely store your client ID and client secret in Azure Key Vault, then use Power Automate to retrieve and renew the token based on its expiry date. This approach is particularly useful for teams managing multiple APIs, as it streamlines credential management and enhances security.

What this topic will go through:

  • How to create a scheduled Power Automate flow that updates a Key Vault secret, such as an OAuth token, when it nears expiry.
  • How to securely store and manage your API credentials in Azure Key Vault, protecting client IDs and secrets.
  • How to create and configure an Azure AD App registration to securely manage access to Azure Key Vault, allowing Power Automate to retrieve secrets or make HTTP calls for token renewal.

Prerequisites:

  • Access to create and manage Azure Key Vaults.
  • Access to create and manage Azure App registrations.
  • A Power Automate Premium license to use HTTP actions.

This guide is designed to work with any API, so feel free to follow along using your preferred service. For this example, we’ll use the Discord API:



Getting Started: An Introduction to create Key Vaults for Beginners

Lets start with creating an Azure key vault, with two key vaults secrets. Make your way and login to the Azure portal (Microsoft Azure) and follow below:

Search for “Key vaults” and navigate to the service

Click “Create” once in the menu to create a new Key Vault. If you already have an existing Vault, you can skip the instructions on creating a new one.

Select your existing Subscription, Resource Group you want it to “live in” and give the new key vault a name that’s not been taken (e.g: *YourName*-Key-Vault) and select your Region. When you’re done, click on “Review + create”.

Click on “Create” on the next page to start the creation.

The creation will take a few seconds and when it’s complete, click on the “Go to resource” button.

Create/Generate two secrets where each of them has one value… One secret has the value of client-id and the other value of client-credentials.

Great! Now we’ve setup the Azure Key Vault, next we’re going to use the Azure App registration to create an application that gives us the proper access to interact with this new Azure Key Vaults through API calls. This is because the default Power Automate – Key Vault connector is limited to what we are going to do!


Creating the Key Vaults API application for our HTTP update requests in Power Automate

This API application is designed to allow for updating our Key Vault secrets through the Power Automate HTTP action, as the Power Automate Key Vault connector does not have an action for updating Key Vault secrets.

First navigate to the “App registration” service in Azure Portal and click on “New registration

When registering, make sure to give it a recognizable name to identify what it’s used for. In my case I called it “Key Vaults API”. Click on “Register” to finish.

Now that’ the App is created, let’s go ahead and configure the permissions to our Key Vaults service. Navigate to the “API permissions” and click on “Add a permission“.

A new “Blade” will pop up (I hate this reference), click on the “Azure Key Vault” service.

Add the permissions as seen above.

Now the last few configurations that we need before we’re done with the whole Key Vault thing… Save the Client secret value

Go to Overview tab and save the Application ID as well.

Navigate to the Key Vault page and create a new Access policy for our application. Go to “Access policies” and click on “Create”.

Set the minimal permissions needed for the application. We are only giving the API application the rights to “Get” and “Set” operators (only these are dependent for the rest of the tutorial).

Skip the optional part to get to “Review + create” and click “Create”.

You’ve now managed to setup your new Azure Key Vaults! Next up is creating the flow for auto-updating the token!


Creating the Power Automate flow to get the OAuth token and its lifecycle information

For this auto-update scenario, create a new flow that is specifically triggered by “Recurrence” and set it to any interval, as long as it does not interfere with our initial testing. Set it in the value of seconds (e.g. 100000 seconds). Additionally, add two new actions to get the Key Vault secrets, and then add an HTTP action to get the OAuth token from Discord (or the API of your preference). Use the secret values from the two Key Vault secrets actions for “client-id” and “client-credential” in the HTTP action.

The beginning of the flow should end up looking like this:

Now save and run the flow once. Copy the whole JSON body, and go back to edit this flow. The copied information will later be used to parse the response in the next step.

Back in “Edit” mode, add a “Parse JSON” action to the flow.

Click on the “Generate from sample” and paste it in the body copied from previous step. Before you finish, make sure to keep the expire_in value. Next, create a third Key Vault secret with an empty value, and then adjust the trigger recurrence value to match the expiration value. Now, you can save your flow if you haven’t done so already… 💾

 

Go back to Azure Key Vault and create the third key vault secret with an empty value.

Building the flow to update the access token value in Azure Key Vaults

Great! Now the last part that’s left is adding the things that will make this flow to automate itself. 

Now go back to edit the Power Automate flow and set the Trigger Interval to match your token’s expiration value from the same response. However, since I’m always on the safe side, I personally set it a bit shorter instead (e.g. 604740 seconds).

Add a “HTTP” action with POST method with the following information:

URI:

https://login.microsoftonline.com/{directory-tenant}/oauth2/v2.0/token

Header:

Content-Type = application/x-www-form-urlencoded

Body:

client_id={app_client_id}&client_secret={app_client_secret}&grant_type=client_credentials&scope=https://vault.azure.net/.default

Cool, now save the flow and run it. Again, we want the response body and parse it as well, generating from sample and then go back to edit mode.

Add a parse action. Content: Dynamic body value. Generate from sample: Paste in the  body values in clear text from last run and click “Done”.

Now use the parsed outputs to update the Azure Key Vault secret “discord-api-oauth-token” as seen on the picture below:

URI:

https://{vault name}.vault.azure.net/secrets/{secret name}?api-version=7.3

Header:

Authorization = Bearer {token from previous HTTP call}

Body:

{

"value": "{new access token}

}

And last but not least, especially before you run the flow!…

Make sure your settings for all of the HTTP-actions has these settings turned on. It will hide the credential details in the logs.

Nice work! You’ve made it to the end of the tutorial! Now a quick recap!


Summary

We’ve successfully created an Azure Key Vault with secret values where we are storing our API credentials (client ids, client secrets, OAuth tokens)

  • We’ve successfully setup an API application with token through Azure AD App registration to use API calls with the Graph API serv.
  • We’ve successfully scheduled a Power Automate flow to update a Key Vault secret (in this case an OAuth token stored as a Key Vault Secret) independently. This means that all your future Power Automate flows will only need to relate to the token, without an authentication. This is especially great for big consulting companies with many different client credentials towards different services in-house – where a new developer only need to relate to the token instead, making it a more secure framework.

In my personal projects, I take advantage of the Key Vault so much that I don’t even need to remember the client_id or client_secret anymore and am only invoking the automatically updated token as seen on the example below. 😎

Comments

4 responses to “Power Automate: Store your API Access tokens in Azure Key Vaults and automatically renew them!”

  1. Sarah Avatar
    Sarah

    Thanks for this, the part where you update the secret via HTTP Put is exactly what I was looking for.

  2. Nick Thoman Avatar

    Perfect! Just Perfect! You need to post a Venmo QR Code so people can thank you. 🙂

    One Question, do you know if there is a way to post the expiration date when you update the Secret via the API?

    1. Dennis Chi Avatar

      Hi, Nick!

      Sorry for the late response, been on a hiatus for a while now. But to respond to your question, I did a little digging and I think there’s an endpoint to change the Key Vault expiration date, see: Key Vaults – Update Key operation

      What this means is that you need to create a new HTTP action after updating, using the updated “expires in” information from the HTTP- Update Azure Key Vault and use that value to update the Key Vault “exp” key-value pair.

      Hope this would help.

      1. Jono Avatar
        Jono

        This post has been really helpful for figuring this stuff out, thanks.

        You can set the expiration date as part of the PUT operation though – you don’t need to make a seperate API call to update it later.

        This is what the body of the PUT operation would look like:

        {
        “value”: “@{body(‘HTTP_-_Get_new_access_token’)?[‘access_token’]}”,
        “attributes”: {
        “exp”: “@{add(div(sub(ticks(utcNow()),ticks(‘1970-01-01Z00:00:00’)), 10000000),body(‘HTTP_-_Get_new_access_token’)?[‘expires_in’])}”
        }
        }

        The exp value function is getting the unix timestamp and adding the expires_in value from the new token.

        It could also be worth updating the URI to use api version 7.4, although 7.3 still works.

        The documentation for this is here (the link above references keys, not secrets): https://learn.microsoft.com/en-us/rest/api/keyvault/secrets/set-secret/set-secret?view=rest-keyvault-secrets-7.4&tabs=HTTP#secretattributes

Leave a Reply

Your email address will not be published. Required fields are marked *