kewaynes333
Helper I

Circular Error When Trying to Use Key Vault

I have a problem that will probably seem silly for experienced data engineers.

 

I am needing to use Azure Key Vault. In order to do so I had to specify my tenant explicitly bc DefaultAzureCredential wasn't working otherwise. So I set up a new app registration.

 

When I run this code and explicitly assign my AZURE_CLIENT_SECRET from the app registration, the code works fine. However, I know that I should not be exposing secrets. So, I have tried to use the Key Vault to retrieve my app registration secret rather than just simply writing it in the code.

 

client_secret = client.get_secret("AZURE-CLIENT-SECRET").value
os.environ["AZURE_CLIENT_SECRET"] = client_secret  # Replace with your client secret value

# Initialize DefaultAzureCredential for authentication
credential = DefaultAzureCredential()
client = SecretClient(vault_url=key_vault_uri, credential=credential)
 
The problem I run into is that I need the DefaultAzureCredential to work in order to retrieve my app registration secret. But I need my app registration secret in order to get the DefaultAzureCredential to work.
 
Any advice?
1 ACCEPTED SOLUTION

Thanks for following up. Yes, it appears that using a Managed Identity would be the best approach. However, I'm only using an F2 license. So I decided to instead use a workspace resource as a variable in the notebook. I know that this isn't the most secure approach but it works for what I am trying to accomplish.


6 REPLIES
kewaynes333
Helper I

Is enabling a Managed Identity for a workspace only possible with an F64 or higher?

Hi @kewaynes333 

 

Yes, enabling a Managed Identity for a workspace in Fabric is indeed possible, but there are specific requirements. You can create a workspace identity, which is an automatically managed service principal associated with a Fabric workspace. However, workspace identities can only be created in F64 or higher capacities. If your workspace meets this capacity requirement, you can navigate to the workspace settings and set up the identity. Keep in mind that Fabric workspace identities have some differences from Azure managed identities, particularly in their lifecycle, administration, and governance.


For more details, please refer to: Workspace identity - Microsoft Fabric | Microsoft Learn

 

I hope this information helps. 

 

Thank you.

Hi @kewaynes333 

 

We haven’t heard from you on the last response and were just checking back to see if you have a resolution yet. If you have a resolution, please share it with the community, as it can be helpful to others.
Otherwise, respond back with more details and we will try to help.

 

Thank you.

Thanks for following up. Yes, it appears that using a Managed Identity would be the best approach. However, I'm only using an F2 license. So I decided to instead use a workspace resource as a variable in the notebook. I know that this isn't the most secure approach but it works for what I am trying to accomplish.

Hi @kewaynes333 

 

Glad that you were able to find some insights and thank you for sharing the same with the community as it can be helpful to others.
Please continue using Fabric Community for further queries.

 

Thank you.

v-cboorla-msft
Microsoft Employee

Hi @kewaynes333 

 

Thanks for using Microsoft Fabric Community.

Yes, this is a circular dependency issue: DefaultAzureCredential needs the client secret, but retrieving the secret requires authentication that might also rely on DefaultAzureCredential. This can be a challenge.

 

Below is the approach to achieve secure access to Azure Key Vault without exposing the secret in your code:

Enable Managed Identity for your application running in Microsoft Fabric even for the initial setup. With managed identity, Azure internally manages the application's service principal and automatically authenticates the application with other Azure services. Managed identity is available for applications deployed to a variety of services. This allows DefaultAzureCredential to acquire a token using the application's identity without needing a client secret. Once you have access with Managed Identity, you can retrieve the client secret from Key Vault for future use.

 

Please refer to the documentation for more details: Authenticate to Azure Key Vault | Microsoft Learn

For additional information, please refer to: Reading and Writing Secrets in Azure Key Vault Using Microsoft Fabric Notebooks

 

I hope this information helps. Please do let us know if you have any further queries.

 

Thank you.
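
Added example, not code from the thread or from Microsoft: a preflight for the bootstrap problem discussed above, which picks the identity for the first Key Vault call and fails with a clear error when the only copy of the client secret is inside the vault. `bootstrap_plan`, `open_vault`, `CircularBootstrapError` and the `has_managed_identity` flag are hypothetical names, and it assumes a host where azure-identity can reach a managed identity; the SDK classes come from azure-identity and azure-keyvault-secrets.

```python
import os

# Variables EnvironmentCredential (inside DefaultAzureCredential) needs for a
# service principal that authenticates with a client secret.
SP_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")


class CircularBootstrapError(RuntimeError):
    """No identity is available that can open the vault in the first place."""


def bootstrap_plan(env, has_managed_identity):
    """Pick the identity for the first Key Vault call, or explain why none exists.

    has_managed_identity is a caller-supplied flag (assumption): the host was
    given a managed identity with read access to the vault.
    """
    if has_managed_identity:
        return "managed_identity"          # no secret needed anywhere
    missing = [v for v in SP_VARS if not env.get(v)]
    if not missing:
        return "client_secret_from_env"    # secret was injected from outside the code
    raise CircularBootstrapError(
        "cannot authenticate to Key Vault: missing " + ", ".join(missing)
        + "; a secret stored only inside the vault cannot be used to open it"
    )


def open_vault(vault_url, env=os.environ, has_managed_identity=False):
    """Build the credential first, then the client. Needs azure-identity and
    azure-keyvault-secrets; imported lazily so the plan logic runs offline."""
    plan = bootstrap_plan(env, has_managed_identity)
    from azure.identity import ClientSecretCredential, ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    if plan == "managed_identity":
        credential = ManagedIdentityCredential()
    else:
        credential = ClientSecretCredential(
            env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"]
        )
    return SecretClient(vault_url=vault_url, credential=credential)


# Constructed sample environment: the state in the question, where the client
# secret exists only in the vault.
QUESTION_ENV = {"AZURE_TENANT_ID": "tenant-placeholder", "AZURE_CLIENT_ID": "client-placeholder"}
```

With a managed identity, `open_vault(vault_url, has_managed_identity=True).get_secret("AZURE-CLIENT-SECRET").value` returns the stored secret without any secret appearing in the notebook.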
