jasonmull
New Member

Protection of API Keys Stored in Parameter

I'm using PowerBI to pull data from a series of REST APIs.  In all cases, authentication occurs by means of an API key in the request header.  I'm successfully accomplishing this by storing the key in a parameter and referencing the parameter in my query.  My concern is over the security of this process.  Is parameter storage the best method for secure key storage in this case, and what options do I have at my disposal to protect the contents of those parameters as much as possible?

1 ACCEPTED SOLUTION
v-shex-msft
Community Support

Hi @jasonmull,

As lbendlin said, you can attach your API key directly to the API request. (I think these operations are only suitable when you work with a test data source or test in a secure environment.)

If you are working with a production environment or do these operations on an insecure network/devices, they may cause security issues, such as API key leakage.

For this scenario, it should be more suitable to move these verification steps into your query steps and only generate the tokens when your query steps are processed. (The requests which Power BI processes are encrypted by Power BI.)

Power BI security whitepaper

For example: credentials have been integrated into the query steps instead of using the real strings in the send/receive operations.

let
    rooturl = "https://xxxx.xxxx.com/",
    authKey = "xxxxx",
    // Use the oauth2/token method to get a token based on the user credentials.
    GetJson = Web.Contents(rooturl,
        [
            Headers = [#"Authorization" = authKey, #"Content-Type" = "application/json"],
            RelativePath = "xxx/user/auth"
        ]
    ),
    // Replace 'token name' with the name of the token field in the response to extract the returned token.
    token = Json.Document(GetJson)[#"token name"],
    // Use the generated token to get the corresponding results.
    Source = Web.Contents(rooturl,
        [
            Headers = [#"token" = token, #"Content-Type" = "application/json"],
            RelativePath = "xxxx/usage/xxxx"
        ]
    ),
    Result = Json.Document(Source)
in
    Result

Regards,

Xiaoxin Sheng

Community Support Team _ Xiaoxin
If this post helps, please consider accepting it as a solution to help other members find it more quickly.


2 REPLIES 2
lbendlin
Super User

That's not a good idea. A slightly less disastrous design would be to store the key in an external data source, slap severe access restrictions on that data source, and then pull the data source into Power Query.  That way only the report developer and the gateway connection account need to be given access to that data source. You might still need to add RLS to prevent leakage via Analyze in Excel or other XMLA endpoint tools.
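As an added worked example (editor's code, not something posted in this thread), the query below combines lbendlin's design of reading the key from a restricted external data source with the token exchange from the accepted answer. The SQL server name secrets-db.example.internal, the table dbo.ApiKeys with Name/Value columns, the host api.example.com, the paths user/auth and usage, and the token field name are all assumptions chosen for illustration; substitute your own.

```powerquery
// Added example: key is read from a restricted external table, exchanged for a
// short-lived token, and only the data result is loaded into the model.
let
    // 1. Fetch the long-lived key from a restricted external source (hypothetical
    //    SQL table; only the developer and the gateway account can read it).
    Secrets = Sql.Database("secrets-db.example.internal", "Secrets"),
    ApiKeys = Secrets{[Schema = "dbo", Item = "ApiKeys"]}[Data],
    KeyRows = Table.SelectRows(ApiKeys, each [Name] = "usage-api"),
    ApiKey =
        if Table.RowCount(KeyRows) = 1
        then KeyRows{0}[Value]
        else error "Expected exactly one row named 'usage-api' in dbo.ApiKeys",

    // 2. Exchange the key for a short-lived token, as in the accepted answer.
    //    The key travels only in a header, never in the URL or query string,
    //    so it does not end up in proxy or server request logs.
    RootUrl = "https://api.example.com",
    AuthResponse = Web.Contents(RootUrl, [
        Headers = [#"Authorization" = ApiKey, #"Content-Type" = "application/json"],
        RelativePath = "user/auth",
        ManualStatusHandling = {401, 403}
    ]),
    AuthStatus = Value.Metadata(AuthResponse)[Response.Status],
    AuthJson =
        if AuthStatus = 200
        then Json.Document(AuthResponse)
        else error Text.Format("Authentication failed with HTTP #{0}", {AuthStatus}),
    Token =
        if Record.HasFields(AuthJson, "token")
        then AuthJson[token]
        else error "Auth response did not contain a 'token' field (assumed field name)",

    // 3. Call the data endpoint with the short-lived token; this is the only
    //    value the report loads.
    UsageResponse = Web.Contents(RootUrl, [
        Headers = [#"Authorization" = "Bearer " & Token, #"Accept" = "application/json"],
        RelativePath = "usage",
        Query = [from = "2024-12-01", to = "2024-12-31"]
    ]),
    Result = Json.Document(UsageResponse)
in
    Result
```

Two points to check when adapting this: keep the base URL static and put the variable part in RelativePath/Query so the query still refreshes in the Power BI service, and set compatible privacy levels on the SQL and web sources, otherwise the data privacy firewall will refuse to send a value read from one source to the other. If you split the key lookup into its own query, disable its load so the key is never materialised as a table in the model.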
