Power Automate Guide for Cloud Connector for Azure

Power Automate End-to-End Guide

This walkthrough assumes you are a new Trusted Signatures customer who wants to seal PDFs automatically. You will create a Trusted Signatures account, deploy Cloud Connector for Azure (the Azure Function provided in this repo), and build a Power Automate flow that seals OneDrive documents and stores the sealed versions in another folder.

Data Flow & Privacy Explained

Power Automate Flow: Collects the PDF (e.g., from OneDrive) and sends it to the gateway running inside your Azure tenant.
Azure Trusted Signatures Gateway: Executes the sealing logic locally. The raw PDF never leaves your Azure infrastructure. The gateway computes the required digest and assembles the sealing request.
Trusted Signatures API: Only receives the SHA digest needed to apply the signature. No PHI/PII, metadata or document content traverses Trusted Signatures infrastructure.

Implications for PHI/PII/confidential data:

Sensitive content remains inside your Azure environment, under your compliance boundary.
Trusted Signatures only processes the cryptographic digest and cannot reconstruct the original document or any metadata.
This architecture satisfies scenarios where regulations prevent sharing full documents externally while still leveraging Trusted Signatures sealing service.

1. Create a Trusted Signatures Account & Test API Key

Visit https://secure.trusted-signatures.com and sign up for an account.
After verifying your email and signing in, navigate to API Keys ➜ Create Test Key.
- Note the API Key ID and the API Key (hex string). You will need both for the gateway.
- Keep this key for initial testing; production keys will come later.
(Optional) Download a sample PDF so you can test end-to-end once the gateway is deployed.

2. Deploy the Azure Trusted Signatures Gateway

The gateway is a Node 22 Azure Function that you host once. It can serve any number of identities and API keys; you do not need multiple instances.

2.1 Obtain the Gateway package

Download the latest trusted-signatures-function.zip bundle from Trusted Signatures.
Extract it:
1 2
unzip trusted-signatures-function.zip -d ~/ts-gateway cd ~/ts-gateway
The bundle already includes compiled code, node_modules, deployment scripts, and documentation.

2.2 Provision Azure resources

You only need to do this once per environment (dev/test/prod).

Option A: Bicep template (recommended)

1
2
3
4
5
6
7
az deployment group create \
  --resource-group ts-gateway-rg \
  --template-file deploy/main.bicep \
  --parameters \
      saName=tsgatewaystorage123 \
      functionAppName=ts-gateway-func \
      location=eastus

This single command provisions the Storage Account, Linux consumption Function App (Node 22), and optionally Application Insights.

Option B: Quick CLI script

1
bash deploy/deploy.azcli ts-gateway-rg eastus tsgatewaystorage123 ts-gateway-func

Both options create:

Resource group (ts-gateway-rg)
Storage Account (tsgatewaystorage123)
Linux consumption Function App (ts-gateway-func)

2.3 Publish the Function

1
func azure functionapp publish ts-gateway-func

When the publish completes, note the HTTPS endpoint: https://ts-gateway-func.azurewebsites.net/api/seal-pdf. This is the URL you will use inside Power Automate.

3. Configure Power Automate (OneDrive example)

Goal: whenever a PDF appears in OneDrive:/Incoming, seal it via the Azure Trusted Signatures Gateway and store the sealed PDF in OneDrive:/Sealed.

3.1 Create a custom connector

Open Power Automate ➜ Data ➜ Custom connectors ➜ New custom connector ➜ Import an OpenAPI file.
Upload docs/api/swagger.yaml from the bundle.
Name it Azure Trusted Signatures Gateway.
Set the host to ts-gateway-func.azurewebsites.net and base path /api.
Complete the wizard (no authentication required). The connector now exposes the sealPdf action with form-based inputs.

3.2 Build the flow

Create a new Automated cloud flow named Seal OneDrive PDFs.
Trigger: When a file is created (OneDrive) pointing to the Incoming folder and filtering to .pdf.
Add action Get file content (OneDrive) to retrieve the actual PDF bytes.
Add action Seal PDF (Azure Trusted Signatures Gateway):
- pdfBase64: Dynamic content ➜ File content from the previous step.
- apiKey: Enter your test hex API key or reference an environment variable/Key Vault secret.
- apiKeyId: Enter the API Key ID.
- endpoint: https://api.trusted-signatures.com.
- tsaTimestamp, includeLtv, docmdp: choose as required (defaults are fine if unchecked).
Add action Create file (OneDrive) pointing to the Sealed folder:
- File Name: e.g., Sealed_${triggerOutputs()?['headers']['x-ms-file-last-modified']}__${triggerOutputs()?['body/Name']} or a simpler expression like Sealed_${triggerOutputs()?['body/Name']}.
- File Content: base64ToBinary(body('Seal_PDF_(Azure_Trusted_Signatures_Gateway)')?['sealedPdf']).
Save the flow and run a test by dropping a PDF into the Incoming folder. Within seconds, a sealed version should appear in Sealed.

3.3 Dynamic behavior

Because the connector exposes typed fields, flow designers never touch raw JSON. Every new document automatically passes through the gateway by piping the OneDrive “File content” output into pdfBase64.

4. Move from Test to Production

Once satisfied with the test key, log in to secure.trusted-signatures.com and subscribe to the Publisher or Identity product (depending on your business needs).
Create production API keys against the identity you want to use for signing.
Update your Power Automate environment variable or secret store with the new hex API key and API Key ID.
No changes to the Azure Trusted Signatures Gateway instance are required; a single deployment can serve unlimited identities/keys. Just pass the new credentials in each request.

5. Tips & Troubleshooting

Latency: Expect sub‑second sealing for typical PDFs; large files (near 500 MB) may take longer but should stay under the 2‑second p99 target.
Security: Although the HTTP trigger is anonymous, you can restrict access via Azure API Management, IP restrictions, or Private Endpoints if required.
Monitoring: Use the Function App’s Monitor tab or enable Application Insights to capture logs.
Multiple workflows: Reuse the same Azure Trusted Signatures Gateway endpoint across many Power Automate flows. Only the API key parameters change per call.
Support: If a flow fails, check the error message returned by the connector (body('Seal PDF')?['error']). For runtime issues, consult Azure Function logs and contact Trusted Signatures support with timestamps and sanitized details.

You now have an end-to-end setup: Trusted Signatures account ➜ Azure Trusted Signatures Gateway ➜ Power Automate flows that seal PDFs automatically from OneDrive (or any other source). Expand to other repositories or business processes by reusing the same gateway endpoint and supplying the appropriate API keys.

6. Pricing Overview (Customer Covered)

Azure consumption costs: Because the Azure Trusted Signatures Gateway runs in your subscription, you cover Function App, Storage Account, Application Insights (optional), and networking charges. Consumption plan pricing is typically low for moderate workloads, and you can scale with your usage.
Trusted Signatures subscriptions: Test keys are free. Production usage requires subscribing to the Publisher or Identity plan that matches your needs; billing is handled directly between you and Trusted Signatures.
Power Automate licensing: Ensure your tenant has the appropriate Power Automate licensing (standard vs. premium connectors) for the flow steps you use.

Trusted Signatures does not host or bill for the gateway itself—you control deployment location, scaling, and associated costs, keeping sensitive data within your compliance boundary.