Trying to create a key vault reference in my manage connections and gateways but I'm getting a credentials error.
I have Key Vault Contributor and Key Vault Secrets Officer roles on the vault.
I've read this may be due to the firewall, which I have set up where "Allow public access from specified vnets and IP addresses" is on and also "allow trusted Microsoft services to bypass this firewall".
In my workspaces I use a managed private endpoint to be able to get the secrets from notebooks using notebookutils, which works great. Assuming the firewall is the issue here, is there any way to use another private endpoint to be able to set up a key vault reference, or can this only be done if the vault is opened up to public internet?
Thanks
Hi @TheFifthJoin,
Thanks for reaching out to the Microsoft Fabric community forum.
You're right in suspecting that the firewall configuration is likely the cause of the issue you're seeing with the credentials error when setting up a Key Vault reference in Manage Connections and Gateways. While your access permissions on the Key Vault (Contributor and Secrets Officer) are correct, and your private endpoint setup works within notebooks, the key difference here is in how the connection is being made behind the scenes.
The Key Vault reference in Manage Connections and Gateways doesn't currently use the managed private endpoint from your workspace. Instead, it attempts to connect via the public endpoint. If your vault's firewall is configured to allow access only from selected networks, even with “Allow trusted Microsoft services to bypass this firewall” enabled, this can block the connection, as not all services used by Fabric or Power BI Gateway are considered “trusted” in this context.
At this time, there's no support for assigning a separate private endpoint to gateway-level Key Vault integration, so the setup does require public access to the Key Vault. You might consider temporarily opening up the Key Vault to all networks during the setup, then reverting it back, though of course that depends on your org’s security policies.
I know this can be a bit limiting, and it’s something many users run into when trying to maintain strict network boundaries. If private endpoint support for gateway-level Key Vault access becomes available in the future, it would be a great addition and definitely worth keeping an eye on in the Fabric roadmap or Azure updates.
If I have misunderstood your needs or you still have problems with it, please feel free to let us know.
Best Regards,
Hammad.
Community Support Team
If this post helps then please mark it as a solution, so that other members find it more quickly.
Thank you.
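A check for the workaround in the reply above, added here as an example and not part of the original thread: after the vault has been opened temporarily for setup, compare the current `az keyvault show` JSON against a snapshot taken beforehand to confirm the firewall was put back. The vault name, IP range and subnet ID are constructed placeholders.

```python
import copy

# Constructed snapshot shaped like `az keyvault show` JSON; all names are placeholders.
BASELINE = {
    "name": "example-vault",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {
            "bypass": "AzureServices",
            "defaultAction": "Deny",
            "ipRules": [{"value": "203.0.113.10/32"}],
            "virtualNetworkRules": [{"id": "/subscriptions/SUB/example-vnet/subnets/data"}],
        },
    },
}

def firewall_state(vault):
    """Reduce a vault document to the fields that decide network exposure."""
    props = vault.get("properties", {})
    # A vault with no networkAcls block accepts traffic from all networks.
    acls = props.get("networkAcls") or {}
    return {
        "public_access": str(props.get("publicNetworkAccess") or "Enabled").lower(),
        "default_action": str(acls.get("defaultAction") or "Allow").lower(),
        "bypass": acls.get("bypass") or "AzureServices",
        "ip_rules": sorted(r["value"] for r in acls.get("ipRules") or []),
        "vnet_rules": sorted(r["id"].lower() for r in acls.get("virtualNetworkRules") or []),
    }

def open_to_all_networks(vault):
    s = firewall_state(vault)
    return s["public_access"] == "enabled" and s["default_action"] == "allow"

def revert_findings(baseline, current):
    """List every exposure-relevant field that differs from the pre-change baseline."""
    before, after = firewall_state(baseline), firewall_state(current)
    findings = [f"{k}: {before[k]!r} -> {after[k]!r}" for k in before if before[k] != after[k]]
    if open_to_all_networks(current):
        findings.insert(0, "vault still accepts traffic from all networks")
    return findings

# Constructed "forgot to revert" case: default action left at Allow after setup.
LEFT_OPEN = copy.deepcopy(BASELINE)
LEFT_OPEN["properties"]["networkAcls"]["defaultAction"] = "Allow"

if __name__ == "__main__":
    for line in revert_findings(BASELINE, LEFT_OPEN):
        print(line)
```

An empty list from `revert_findings` means the firewall matches the pre-change snapshot; any entry is a setting that was changed for setup and not restored.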