Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join us at FabCon Vienna from September 15-18, 2025, for the ultimate Fabric, Power BI, SQL, and AI community-led learning event. Save €200 with code FABCOMM. Get registered

Reply
k_foxy
Frequent Visitor

Get secret from Key Vault Web Activity

‎04-30-2025 06:07 AM

Hi

I think there is a bug in Fabric, I am trying to get secret from key vault, using Web connection. 

I want to authenticate using service principal which is workspace identity, it has Role of Key Vault Secrets User
Key vault is open to all networks no firewall or networking

Whatever details I put in the web activity the actual details for Service Principal or random strings always get the same error:

I tired web activity in pipeline but it does not work, the web activity display only work "error" without any details. Are there any settings that I am missing?

 
msedge_STq8afrLwA.png
Labels:
Message 1 of 6
633 Views
0
1 ACCEPTED SOLUTION
v-saisrao-msft
Community Support
Community Support
In response to k_foxy

‎05-06-2025 06:33 AM

Hi @k_foxy,
To target a different environment (such as test or prod), you’ll need to create a new connection that points to the appropriate Key Vault for that environment.
Once created, you can update the Web activity in your pipelines to use the new connection accordingly.

Since the connection URL can’t be parameterized at the moment, switching environments requires manually changing the connection reference in the pipeline.

If this post helps, then please give us ‘Kudos’ and consider Accept it as a solution to help the other members find it more quickly.

 

Thank you.



View solution in original post

Message 4 of 6
452 Views
5 REPLIES 5
v-saisrao-msft
Community Support
Community Support

‎05-04-2025 09:42 PM

Hi @k_foxy,
I hope this information is helpful. Please let me know if you have any further questions or if you'd like to discuss this further. If this answers your question, please Accept it as a solution and give it a 'Kudos' so others can find it easily.
Thank you.

Message 6 of 6
512 Views
0
rohit1991
Super User
Super User

‎05-01-2025 11:44 PM

Hi @k_foxy ,

It sounds like you're encountering an issue with service principal authentication while attempting to retrieve a secret from Azure Key Vault using a Web activity in a Fabric pipeline. Based on the screenshot and your explanation, the error message indicates that the refresh token has expired or that OAuth authentication isn't being properly handled.
 
Even though the Key Vault is accessible from all networks and your service principal has the correct Key Vault Secrets User role, the Web activity doesn't seem to support full OAuth authentication using service principal credentials directly.
 
In Fabric, Web activity is limited in terms of providing detailed errors and may not support OAuth flows in the way needed for secure Key Vault access. Instead, consider using a Web activity with a managed identity (if available) or move the secret retrieval logic to a Dataflow Gen2 with proper Key Vault connection setup, or an Azure Function that handles the token acquisition and secret retrieval more robustly. Additionally, confirm that the service principal you're using is registered properly and that you're passing the correct token endpoint and headers in the request if doing it manually.
 

Passionate about leveraging data analytics to drive strategic decision-making and foster business growth.

Connect with me on LinkedIn: Rohit Kumar.

Message 5 of 6
563 Views
v-saisrao-msft
Community Support
Community Support

‎05-01-2025 02:49 AM

Hi @k_foxy,

Thank you for reaching out to the Microsoft Fabric Forum Community.

 

Based on the error message regarding the expired refresh token and the consistent failure regardless of the credentials entered while it may seem like the activity supports service principal credentials directly, it does not natively support the full OAuth 2.0 client credentials flow required to authenticate a service principal with Azure Key Vault. This explains why even with correct credentials, the connection attempt fails. 

Try using a Managed Identity if your Fabric workspace supports it. This is the most seamless and secure method, as it allows Fabric to authenticate directly with Azure Key Vault without manually managing secrets. Ensure that the managed identity is granted the "Key Vault Secrets User" role at the Key Vault level, and configure the Web Activity with the correct Key Vault URL. 

If Managed Identity is not an option, a reliable alternative is to create an Azure Function or Logic App that handles the OAuth token exchange using your service principal and retrieves the secret from the Key Vault. The Web Activity in Fabric can then call this function securely. 

Additionally, double-check that the Tenant ID, Client ID, and Client Secret being used are accurate, not expired, and correspond to the registered application in Azure Active Directory. Also, ensure that the Key Vault’s network settings allow access from all networks, as you’ve mentioned, and that there are no additional access restrictions in place.

 

If this post helps, then please give us ‘Kudos’ and consider Accept it as a solution to help the other members find it more quickly.

 

Thank you.

 

Message 2 of 6
587 Views
0
k_foxy
Frequent Visitor
In response to v-saisrao-msft

‎05-06-2025 12:40 AM

I was able to fix it, I was given incorect value for SP secret value. 

The web activity allows me to connect to a dev keyvault, but how do I change it after deployment to test and prod. It cannot be parameterised so it is hardcocded to dev?

Message 3 of 6
474 Views
0
v-saisrao-msft
Community Support
Community Support
In response to k_foxy

‎05-06-2025 06:33 AM

Hi @k_foxy,
To target a different environment (such as test or prod), you’ll need to create a new connection that points to the appropriate Key Vault for that environment.
Once created, you can update the Web activity in your pipelines to use the new connection accordingly.

Since the connection URL can’t be parameterized at the moment, switching environments requires manually changing the connection reference in the pipeline.

If this post helps, then please give us ‘Kudos’ and consider Accept it as a solution to help the other members find it more quickly.

 

Thank you.



Message 4 of 6
453 Views

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June FBC25 Carousel

Fabric Monthly Update - June 2025

Check out the June 2025 Fabric update to learn about new features.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All