Eddykleinjan
Frequent Visitor

Secure Key Vault access without Workspace Identity

Hi,

I'm ready to dive into the first real Fabric project getting data from a specific app's API. This requires using secrets to access the source data app's API. I don't want to store these secrets in source code (insecure coding) and want to use Azure Key Vault instead. To access the Azure Key Vault, the notebook process needs to have access to Azure Key Vault.

Now Fabric has an option to assign an identity to a workspace (workspace identity) and authorize that workspace identity to access the key vault. This sounds like a solution, but the catch here is that the workspace identity is only available starting with the Fabric F64 capacity. Since pricing for F64 starts at USD 10k+ per month, that is not an option for us or our customers.

Also note that I would like to run this code (notebook) unattended, so an interactive authentication of the user running the notebook is not an option.

Has anyone run into this? Would love to hear what approach you took.

 

frithjof_v
Community Champion

Thanks for the pointer, that works! It reads the value from the Key Vault both when run interactively and when running the notebook scheduled.

 

When running the notebook scheduled, it seems to run under the account that has created the schedule for the notebook. That way the scheduled notebook run could read the secret from the Azure Key Vault.

 

test_secret = notebookutils.credentials.getSecret('https://<url_to_key_vault>/', '<secret_name>')
# Reverse the value in order to show it. Otherwise it will be shown as '[REDACTED]'
reversed_string = test_secret[::-1]
print(f"Secret value reversed: {reversed_string}")
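
Added example, not part of the original thread or of any Microsoft sample: the post above shows that the notebook masks only the exact secret value in output, so this sketch checks the vault URL before fetching and scrubs the secret plus simple transforms of it from log records. The names `fetch_secret`, `SecretScrubber`, `auth_headers` and `demo`, the Bearer header scheme, the `.vault.azure.net` suffix check and the stub value are assumptions; in a Fabric notebook, pass `notebookutils.credentials.getSecret` as `get_secret`.

```python
import base64
import logging
from urllib.parse import urlparse


def fetch_secret(get_secret, vault_url, secret_name):
    """Fetch a secret through an injected getter after validating the vault URL."""
    parsed = urlparse(vault_url)
    # Assumption: public-cloud Key Vault hostnames end in .vault.azure.net.
    if parsed.scheme != "https" or not (parsed.hostname or "").endswith(".vault.azure.net"):
        raise ValueError(f"refusing non-Key-Vault URL: {vault_url!r}")
    value = get_secret(vault_url, secret_name)
    if not value:
        raise RuntimeError(f"secret {secret_name!r} is empty or missing")
    return value


class SecretScrubber(logging.Filter):
    """Mask a secret, its reverse and its base64 form in log records."""

    def __init__(self, secret):
        super().__init__()
        encoded = base64.b64encode(secret.encode()).decode()
        self._needles = [secret, secret[::-1], encoded]

    def filter(self, record):
        message = record.getMessage()
        for needle in self._needles:
            message = message.replace(needle, "[REDACTED]")
        record.msg, record.args = message, None
        return True


def auth_headers(secret):
    """Build the request header for the source API (Bearer scheme is an assumption)."""
    return {"Authorization": f"Bearer {secret}"}


def demo():
    # Constructed stand-in for notebookutils.credentials.getSecret and its value.
    stub = lambda url, name: "s3cr3t-constructed"
    secret = fetch_secret(stub, "https://example-kv.vault.azure.net/", "api-key")
    record = logging.LogRecord("demo", logging.INFO, "demo.py", 0,
                               "debug: %s / %s", (secret, secret[::-1]), None)
    SecretScrubber(secret).filter(record)
    return record.getMessage(), auth_headers(secret)
```

Attach the filter to each logging handler (`handler.addFilter(SecretScrubber(secret))`) right after fetching the secret; it covers only the listed transforms, so derived values should still be kept out of output.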

 

Eddykleinjan
Frequent Visitor

That's good news! Should then work as hoped for/expected. I'll give it a try.

Hi @Eddykleinjan 

  1. The F64+ requirement is no longer valid. You can now create up to 1,000 workspace identities.

  2. Important: Currently, authentication with workspace identities, specifically for Key Vault, is not available.

  3. Interestingly, if you have access to Key Vault with your domain account and run the notebook using the same account, you will be able to access the Key Vault secrets. You can use mssparkutils for this.

  4. Additionally, you can create a Spark job definition using the same code (as mentioned in point 3). If you schedule and run it, it will work, using your account for authentication.

For now, managed/workspace identity authentication for Key Vault is not functioning.

 

@v-jingzhan-msft 

Hi @Eddykleinjan 

I haven't tested whether the workspace identity can access the Azure Key Vault. Could you please share your results with us later? Thank you in advance.

 

Best Regards,
Jing

Hi Jing,
Will do! For now creating a workspace identity gives an error (status: Failed). Will start a support incident on this; the error occurs both under a Fabric Trial capacity and a real Fabric F2 capacity.
Best regards, Eddy

Hi Jing,

Creating the workspace identity didn't work because the workspace name had special characters in the name, a space in my case. Microsoft had identified this as a problem and will fix this.

@Jaimini reported that accessing the Key Vault is not possible using the workspace identity; I chose to use the notebookutils way that @frithjof_v advised. That worked; see my reply to his message.

Thank you very much! I really appreciate the results you share!

codenamesql
Most Valuable Professional

Hey @Eddykleinjan, the F64+ requirement is no longer valid for Workspace Identity. You can now create a workspace identity with any F SKU. This should allow you to accomplish what you are looking for.
