Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Preparing for a certification exam? Ask exam experts all your questions on May 15th. Register now.

Reply
arlindTrystar
Advocate I
Advocate I

Fabric notebook connection to API that requires mTLS authentication

‎03-25-2025 04:48 AM

I need to connect to an API that requires mTLS authentication. I have stored the certificate in Azure Key Vault, and I can retrieve it this way:

certificate = mssparkutils.credentials.getSecret('https://<name>.vault.azure.net/', 'certification-name')

 

So, when I perform a GET request like this: 

requests.get('https://api.endpoint.com/example', headers=headers, cert=cert)

 

I get this error: 

OSError: Could not find the TLS certificate file, invalid path: [REDACTED]

 

How can I solve this?  

 

The problem is that this certificate value is redacted: https://learn.microsoft.com/en-us/fabric/data-engineering/author-execute-notebook#secret-redaction

Labels:
Message 1 of 3
287 Views
0
1 ACCEPTED SOLUTION
spencer_sa
Super User
Super User

‎03-25-2025 07:16 AM

Theoretically a Key Vault secret is only [Redacted] if you try to print() it*.  You should be able to use it 'as is'.
How are you getting from certificate to cert?  Is cert an actual path in your output?  Can you print the path?

 

From the link below, the cert parameter appears to need to be a tuple of the certificate path and the key path.
python requests library mtls

If you're storing the cert / key in the key vault you may need to write these to a temporary file location for the requests to pick them up?  (I've not seen methods of just adding the cert to a loaded string)

* I'm not going to speculate about any bypass methods.

View solution in original post

Message 2 of 3
239 Views
0
2 REPLIES 2
arlindTrystar
Advocate I
Advocate I

‎03-25-2025 08:00 AM

Thank you for your response. Yes, for now it looks like the only option is to write the certificate content to a temporary file location and then pass that file location to the requests library.

However, now the client_secret and client_id that I get from azure key vault are 'REDACTED' and when I pass them to the requests library, it does not work. This is what I'm researching for now. 

But yes, for anyone interested, you should write the certificate to a temporary file and then pass it to requests library. Something like this:

with tempfile.NamedTemporaryFile(delete=False) as cert_file:
            cert_file.write(certificate.encode())
            cert_file.flush()
            cert_path = cert_file.name

where 'certificate' is the certificate content, and the cert_file is the temporary file path, and then you pass cert_file to requests library

Message 3 of 3
233 Views
spencer_sa
Super User
Super User

‎03-25-2025 07:16 AM

Theoretically a Key Vault secret is only [Redacted] if you try to print() it*.  You should be able to use it 'as is'.
How are you getting from certificate to cert?  Is cert an actual path in your output?  Can you print the path?

 

From the link below, the cert parameter appears to need to be a tuple of the certificate path and the key path.
python requests library mtls

If you're storing the cert / key in the key vault you may need to write these to a temporary file location for the requests to pick them up?  (I've not seen methods of just adding the cert to a loaded string)

* I'm not going to speculate about any bypass methods.

Message 2 of 3
240 Views
0

Helpful resources

Announcements
FBCApril_Carousel

Fabric Monthly Update - April 2025

Check out the April 2025 Fabric update to learn about new features.

Notebook Gallery Carousel1

NEW! Community Notebooks Gallery

Explore and share Fabric Notebooks to boost Power BI insights in the new community notebooks gallery.

April2025 Carousel

Fabric Community Update - April 2025

Find out what's new and trending in the Fabric community.

View All