Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SSIS: Error from ODBC provider when inserting into Always Encrypted table using CMK in Azure Key Store

Tags:

azure-sql-database

odbc

ssis

azure-keyvault

always-encrypted

I'm trying to use SSIS (Visual Studio 2017) to insert data into an Azure SQL table with a column that's encrypted via Always Encrypted, and a column master key stored in Azure Key Vault, but I keep getting errors.

Per advice I've found in other posts, I'm using an ADO.NET destination with the ODBC data provider. The user is an Azure Active Directory user that's provisioned in the Azure SQL database so it's able to log in. It has all key privileges granted to it in the key vault's access policy.

My ODBC connection string looks like this:

DRIVER=ODBC Driver 17 for SQL Server;SERVER=[dbs].database.windows.net;UID=[[email protected]];PWD=[password];Authentication=ActiveDirectoryPassword;DATABASE=[database];ColumnEncryption=Enabled;KeyStoreAuthentication=KeyVaultPassword;KeyStorePrincipalId=[[email protected]];KeyStoreSecret=[password]

I expect that to insert into the table, but it results in this error:

[ADO NET Destination [2]] Error: An exception has occurred during data insertion, the message returned from the provider is: ERROR [CE269] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Error 12038 sending request to https://[keyvault].vault.azure.net:443 ERROR [CE263] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Error verifying signature of ECEK. ERROR [CE202] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]The keystore provider AZURE_KEY_VAULT failed to decrypt the ECEK https://[keyvault].vault.azure.net:443/keys/[cmk]/[version] with RSA_OAEP.

I'm able to successfully insert into the table via SSMS and also via a custom console app, and verify the encryption works as expected. The error only occurs from SSIS.

like image 879
jessewdouglas Avatar asked Oct 16 '22 14:10

jessewdouglas

1 Answers

I spent lot of time lately to make this thing work. If you get the error 12038 with ECEK, then you need to update your master key in Azure SQL db without having :443. That creates the error when ODBC connection tries to match the url with the url in AKV. This is the short answer. I am planning on providing the whole solution as soon as I get some time to do it.

like image 98
SRay Avatar answered Oct 21 '22 05:10

SRay
Sign in to Comment

Related questions

SSIS Script Task : How to log to output using Dts.Log
SSIS Script Task- Connecting the ADO.NET and populating DataTable
BIML Parameterized query on Ole db source
GMT to EST Time zone conversion SSIS/SQL Server
Executing a SSIS package as different user from SSISDB
Where does a Remote SSIS package actually run
Unable to pass a variable value to a stored procedure in ssis
SSIS writing window username instead of service account while logging
SSIS 2008 R2 - "Excel Connection Manager" failed with error code 0xC0202009
Execute Stored Procedure with multiple result sets
Flat file connection manager carriage return/line feed discrepancy
wrong Dates values in ssis
Read from ADLS gen 2 with SSIS
How to make SSIS package dynamically choose the desired connection manager?
Azure Data Factory pipeline to start SSIS Integration Runtime authorization error
How to export data from SQL table to multiple excel files in SSIS?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!