Earn a 50% discount on the DP-600 certification exam by completing the Fabric 30 Days to Learn It challenge.
Hi,
A question was raised today about best methods to secure authentication information when calling an external API.
For example, a specific API I am calling uses the user, key and secret in the request header. In the implementation I have setup, I am using the Web/Advanced connector:
While this works and seems to be an accepted method, anyone who has access to the data set as published to Power BI, can download it and gain access to the authentication informtion.
Apart from ensuring stringent access controls to publish data sets and reports in the Power BI service, is there any other way to better secure the key and secret?
Thanks
Solved! Go to Solution.
Hi @Anonymous ,
According to the API definition, we need credentials (user, password) to authenticate, which is unavoidable.
For security you can:
1.Disable downloading pbix files in the Admin Portal.
2.Parameterize the connection string of the data source with a blank value.
Please refer to how to parameterize:
How to Parameterize Data Sources in Power BI | phData
Power BI Parameters – How to Use Parameters in the Power BI Service (designmind.com)
Best Regards,
Neeko Tang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
OK, I am feeling a bit clueless here.
Considering my use case and the API documentation stating the following;
All requests to the API must have the following headers:
User: user-uuid Key: key Secret: Secret
The method I outlined above is realistically the only method available to me? I am talking about this specific API only, not about other API's that might require OAuth or Basic auth.
Also, what is the correct method of dealing with this type of auth in the service? Is is simply a case of setting it to Anonymous Auth and ticking "Skip Test Connection"?
Thanks
Hi @Anonymous ,
According to the API definition, we need credentials (user, password) to authenticate, which is unavoidable.
For security you can:
1.Disable downloading pbix files in the Admin Portal.
2.Parameterize the connection string of the data source with a blank value.
Please refer to how to parameterize:
How to Parameterize Data Sources in Power BI | phData
Power BI Parameters – How to Use Parameters in the Power BI Service (designmind.com)
Best Regards,
Neeko Tang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Thank you. I hadn't considered using Parameters or disabling downloads. That being said, the details that I would enter in the Data Set parameters within the service will still be visible as plain text.
Maybe there needs to be a suggestion to be able to encrypt fields, similar to how the User and Password fields are encrypted within the Gateway configuration.
Thanks
Hi @Anonymous ,
Calling the API cannot avoid entering relevant privacy information, and for security purposes, you can call the API's access token.
You can refer to the links:
Getting Authentication Access Tokens for Microsoft APIs – BMC Software | Blogs
Power BI connection using Rest API with token auth... - Microsoft Power BI Community
Solved: REST API Get Access Token - Microsoft Power BI Community
Best Regards,
Neeko Tang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.