k_foxy
Frequent Visitor

Get secret from Key Vault Web Activity

Hi

I think there is a bug in Fabric. I am trying to get a secret from Key Vault using a Web connection.

I want to authenticate using a service principal, which is the workspace identity; it has the role of Key Vault Secrets User.
The Key Vault is open to all networks, with no firewall or networking restrictions.

Whatever details I put in the web activity, the actual details for the service principal or random strings, I always get the same error:

I tried the web activity in a pipeline but it does not work; the web activity displays only the word "error" without any details. Are there any settings that I am missing?

 
msedge_STq8afrLwA.png
1 ACCEPTED SOLUTION

Hi @k_foxy,
To target a different environment (such as test or prod), you’ll need to create a new connection that points to the appropriate Key Vault for that environment.
Once created, you can update the Web activity in your pipelines to use the new connection accordingly.

Since the connection URL can’t be parameterized at the moment, switching environments requires manually changing the connection reference in the pipeline.

If this post helps, then please give us ‘Kudos’ and consider accepting it as a solution to help the other members find it more quickly.

 

Thank you.




5 REPLIES 5
v-saisrao-msft
Community Support

Hi @k_foxy,
I hope this information is helpful. Please let me know if you have any further questions or if you'd like to discuss this further. If this answers your question, please Accept it as a solution and give it a 'Kudos' so others can find it easily.
Thank you.

rohit1991
Super User

Hi @k_foxy ,

It sounds like you're encountering an issue with service principal authentication while attempting to retrieve a secret from Azure Key Vault using a Web activity in a Fabric pipeline. Based on the screenshot and your explanation, the error message indicates that the refresh token has expired or that OAuth authentication isn't being properly handled.
 
Even though the Key Vault is accessible from all networks and your service principal has the correct Key Vault Secrets User role, the Web activity doesn't seem to support full OAuth authentication using service principal credentials directly.
 
In Fabric, Web activity is limited in terms of providing detailed errors and may not support OAuth flows in the way needed for secure Key Vault access. Instead, consider using a Web activity with a managed identity (if available) or move the secret retrieval logic to a Dataflow Gen2 with proper Key Vault connection setup, or an Azure Function that handles the token acquisition and secret retrieval more robustly. Additionally, confirm that the service principal you're using is registered properly and that you're passing the correct token endpoint and headers in the request if doing it manually.
 

Passionate about leveraging data analytics to drive strategic decision-making and foster business growth.

Connect with me on LinkedIn: Rohit Kumar.

v-saisrao-msft
Community Support

Hi @k_foxy,

Thank you for reaching out to the Microsoft Fabric Forum Community.

 

Based on the error message regarding the expired refresh token and the consistent failure regardless of the credentials entered: while it may seem like the activity supports service principal credentials directly, it does not natively support the full OAuth 2.0 client credentials flow required to authenticate a service principal with Azure Key Vault. This explains why even with correct credentials, the connection attempt fails.

Try using a Managed Identity if your Fabric workspace supports it. This is the most seamless and secure method, as it allows Fabric to authenticate directly with Azure Key Vault without manually managing secrets. Ensure that the managed identity is granted the "Key Vault Secrets User" role at the Key Vault level, and configure the Web Activity with the correct Key Vault URL. 

If Managed Identity is not an option, a reliable alternative is to create an Azure Function or Logic App that handles the OAuth token exchange using your service principal and retrieves the secret from the Key Vault. The Web Activity in Fabric can then call this function securely. 

Additionally, double-check that the Tenant ID, Client ID, and Client Secret being used are accurate, not expired, and correspond to the registered application in Azure Active Directory. Also, ensure that the Key Vault’s network settings allow access from all networks, as you’ve mentioned, and that there are no additional access restrictions in place.

 

If this post helps, then please give us ‘Kudos’ and consider accepting it as a solution to help the other members find it more quickly.

 

Thank you.
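
The token exchange and secret read that such a helper function would perform, shown as an added example (not code from this thread or from Microsoft). The function names, the vault name `kv-dev`, the stubbed responses and the choice of `api-version=7.4` are assumptions; in a deployed function the client secret would come from the function's own configuration, not from the pipeline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com/{}/oauth2/v2.0/token"
SCOPE = "https://vault.azure.net/.default"  # Key Vault resource scope

def http_send(method, url, headers, body=None):
    """Real transport: returns (HTTP status, parsed JSON body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def get_secret(tenant, client_id, client_secret, vault_url, name, send=http_send):
    """OAuth 2.0 client-credentials token request, then one secret read."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "scope": SCOPE,
        "client_id": client_id, "client_secret": client_secret}).encode()
    status, tok = send("POST", LOGIN.format(tenant),
                       {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        # Credential problem (for example a wrong secret value): surface the
        # OAuth error fields instead of a bare "error".
        raise PermissionError(f"token request failed: {tok.get('error')}: "
                              f"{tok.get('error_description')}")
    path = "/secrets/" + urllib.parse.quote(name, safe="") + "?api-version=7.4"
    status, doc = send("GET", vault_url.rstrip("/") + path,
                       {"Authorization": "Bearer " + tok["access_token"]})
    if status != 200:
        # Token was issued but the vault refused it: a role or network problem.
        code = doc.get("error", {}).get("code")
        raise PermissionError(f"vault read failed ({status}): {code}")
    return doc["value"]

def fake_send(method, url, headers, body=None):
    """Constructed stand-in for both services so the example runs offline."""
    if method == "POST":
        sent = urllib.parse.parse_qs(body.decode())
        if sent["client_secret"] != ["right-secret"]:
            return 401, {"error": "invalid_client",
                         "error_description": "constructed: secret rejected"}
        return 200, {"access_token": "constructed-token"}
    if headers.get("Authorization") != "Bearer constructed-token":
        return 401, {"error": {"code": "Unauthorized"}}
    return 200, {"value": "from " + urllib.parse.urlsplit(url).netloc}
```

Calling `get_secret(..., send=fake_send)` exercises both paths offline; a failure at the token step points at the credentials, while a failure at the vault step points at role assignment or network rules.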

 

I was able to fix it, I was given an incorrect value for the SP secret value.

The web activity allows me to connect to a dev Key Vault, but how do I change it after deployment to test and prod? It cannot be parameterised, so it is hardcoded to dev?
