Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Data Days is here! Join us now for 60+ days of learning, challenges, and connection. Learn more

Reply
arlindTrystar
Advocate I
Advocate I

Fabric notebook connection to API that requires mTLS authentication

โ€Ž03-25-2025 04:48 AM

I need to connect to an API that requires mTLS authentication. I have stored the certificate in Azure Key Vault, and I can retrieve it this way:

certificate = mssparkutils.credentials.getSecret('https://<name>.vault.azure.net/', 'certification-name')

 

So, when I perform a GET request like this: 

requests.get('https://api.endpoint.com/example', headers=headers, cert=cert)

 

I get this error: 

OSError: Could not find the TLS certificate file, invalid path: [REDACTED]

 

How can I solve this?  

 

The problem is that this certificate value is redacted: https://learn.microsoft.com/en-us/fabric/data-engineering/author-execute-notebook#secret-redaction

Labels:
Message 1 of 3
1,218 Views
0
1 ACCEPTED SOLUTION
spencer_sa
Impactful Individual
Impactful Individual

โ€Ž03-25-2025 07:16 AM

Theoretically a Key Vault secret is only [Redacted] if you try to print() it*.  You should be able to use it 'as is'.
How are you getting from certificate to cert?  Is cert an actual path in your output?  Can you print the path?

 

From the link below, the cert parameter appears to need to be a tuple of the certificate path and the key path.
python requests library mtls

If you're storing the cert / key in the key vault you may need to write these to a temporary file location for the requests to pick them up?  (I've not seen methods of just adding the cert to a loaded string)

* I'm not going to speculate about any bypass methods.

View solution in original post

Message 2 of 3
1,170 Views
0
2 REPLIES 2
arlindTrystar
Advocate I
Advocate I

โ€Ž03-25-2025 08:00 AM

Thank you for your response. Yes, for now it looks like the only option is to write the certificate content to a temporary file location and then pass that file location to the requests library.

However, now the client_secret and client_id that I get from azure key vault are 'REDACTED' and when I pass them to the requests library, it does not work. This is what I'm researching for now. 

But yes, for anyone interested, you should write the certificate to a temporary file and then pass it to requests library. Something like this:

with tempfile.NamedTemporaryFile(delete=False) as cert_file:
            cert_file.write(certificate.encode())
            cert_file.flush()
            cert_path = cert_file.name

where 'certificate' is the certificate content, and the cert_file is the temporary file path, and then you pass cert_file to requests library

Message 3 of 3
1,164 Views
spencer_sa
Impactful Individual
Impactful Individual

โ€Ž03-25-2025 07:16 AM

Theoretically a Key Vault secret is only [Redacted] if you try to print() it*.  You should be able to use it 'as is'.
How are you getting from certificate to cert?  Is cert an actual path in your output?  Can you print the path?

 

From the link below, the cert parameter appears to need to be a tuple of the certificate path and the key path.
python requests library mtls

If you're storing the cert / key in the key vault you may need to write these to a temporary file location for the requests to pick them up?  (I've not seen methods of just adding the cert to a loaded string)

* I'm not going to speculate about any bypass methods.

Message 2 of 3
1,171 Views
0

Helpful resources

Announcements
Fabric Data Days is here Carousel

Fabric Data Days 2026

Don't miss out on Data Days, June 15 through August 7. Learn Fabric, Power BI, SQL, AI and more.

June Fabric Update Carousel

Fabric Monthly Update - June 2026

Check out the June 2026 Fabric update to learn about new features.

View All