dolphinantonym
Frequent Visitor

Using Key Vault secrets in Notebooks from Workspace identities

My Workspace has an identity that is allowed to access a Key Vault that contains secrets for accessing an API.

 

When I try and access the secret from Notebooks (using notebookutils.credentials.getSecret(keyVaultURL, secretName)) I keep getting 403 errors.

 

The error references an oid which matches my personal Entra ID, so this makes sense because I do not have personal access to view secrets in the vault.

 

What do I need to do to force the Notebook to use the Workspace identity rather than my own?
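An added example, not part of any post in this thread: a way to check which identity a token represents, by decoding its claims and comparing the `oid` with the one in the 403 error. The object IDs, claims and tokens below are constructed, and telling user tokens from app-only tokens by `scp`, `idtyp` and `oid == sub` is a heuristic assumed here.

```python
import base64
import json

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT
    verified: this is for diagnosing your own token, never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def describe_caller(claims: dict, expected_oid: str) -> dict:
    """Summarise who the token represents and compare with the expected oid."""
    oid = claims.get("oid")
    # Heuristic: app-only tokens carry no delegated scopes (scp) and have
    # oid == sub; idtyp == "app" is an optional claim stating it directly.
    app_only = claims.get("idtyp") == "app" or (
        oid is not None and "scp" not in claims and oid == claims.get("sub"))
    return {
        "oid": oid,
        "audience": claims.get("aud"),
        "kind": "app-only" if app_only else "delegated-user",
        "user": claims.get("upn") or claims.get("unique_name"),
        "matches_expected": (oid or "").lower() == expected_oid.lower(),
    }

def _sample_token(claims: dict) -> str:
    """Build an unsigned token for the demo (constructed data, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"

# Constructed object IDs and claims; substitute the oid from the 403 error
# and the object ID of the workspace identity.
USER_OID = "11111111-1111-1111-1111-111111111111"
WORKSPACE_OID = "22222222-2222-2222-2222-222222222222"
USER_TOKEN = _sample_token({"aud": "https://vault.azure.net", "oid": USER_OID,
    "sub": "constructed-subject", "scp": "user_impersonation", "upn": "analyst@example.com"})
APP_TOKEN = _sample_token({"aud": "https://vault.azure.net", "oid": WORKSPACE_OID,
    "sub": WORKSPACE_OID, "idtyp": "app"})

if __name__ == "__main__":
    # In a notebook the token would come from notebookutils.credentials.getToken
    # for the Key Vault audience (not called here so the example runs offline).
    for tok in (USER_TOKEN, APP_TOKEN):
        print(describe_caller(decode_jwt_claims(tok), WORKSPACE_OID))
```

Treat the token itself as a credential: print only the decoded summary, never the raw token, in notebook output.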

11 REPLIES 11
dolphinantonym
Frequent Visitor


@youdao4 wrote:
  1. 🧠 Use TokenLibrary.getAccessToken() instead:
    If notebookutils.credentials.getSecret() isn’t using the Workspace identity, it’s likely falling back to your user context. Try using this method instead:

from notebookutils import mssparkutils
token = mssparkutils.credentials.getToken("https://vault.azure.net")

Can you elaborate on that? You mention using getAccessToken but then the example uses getToken(). In either case, do I need to provide an argument for the name of the secret as with getSecret()?

The whole problem is that I can't retrieve tokens from the Key Vault, because the Notebook uses my identity - which doesn't have access to the Key Vault - rather than the Workspace identity, which does have access.

Hello @dolphinantonym,

Answers to this thread that were inaccurate were removed from the thread.

 

Feel free to message me if you have questions.

 

Best,

Natalie H.

Community Manager 

spaceman127
Helper III

Hello @dolphinantonym ,

 

Currently, notebook identities are not yet supported for retrieving secrets from a key vault. Only the user identity running the notebook is currently supported for retrieving secrets.

If you want to be able to access your secrets, your executing user must have permission to access the Key Vault.
Unfortunately, this is still a limitation.

I hope that this will happen soon.

 

Edit: Here you can find documentation on what the workspace identity can be used for. 

 

https://learn.microsoft.com/en-us/fabric/security/workspace-identity-authenticate?OR=OfficeMobile

 

Best regards

@AJ1093 do you understand things differently given this comment of yours?

The default behavior in Microsoft Fabric Notebooks is to use the user identity unless explicitly configured to use the Workspace identity.

What is the process to "explicitly configure" a Notebook to use the Workspace identity?

v-lgarikapat
Community Support

Hi @dolphinantonym ,

Thanks for reaching out to the Microsoft Fabric community forum.

@AJ1093 

Thanks for your prompt response,

 

In addition to @AJ1093,

 Solved: Access Key-vault in notebooks - Microsoft Fabric Community

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

Azure Key Vault Reference overview (Preview) - Microsoft Fabric | Microsoft Learn

 

If you are still encountering any challenges, we would be happy to assist you further.

Best Regards,

Lakshmi


@v-lgarikapat wrote:

 

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

 

If you are still encountering any challenges, we would be happy to assist you further.

Best Regards,

Lakshmi


I have run through the steps here (this is what I had done before starting this thread) but I still get 403 errors because I can't figure out how to make the Notebook run using the Workspace Identity rather than my own.

 

Could you elaborate, please?

Hi @dolphinantonym ,

Thank you for your detailed explanation. It looks like you've already followed the recommended steps, but the issue still persists.

To help resolve this further, I recommend raising a support ticket so our support team can assist you directly.
Please refer to the following link for instructions on how to create a support ticket:

How to create a Fabric and Power BI Support ticket - Power BI | Microsoft Learn

We appreciate your engagement and thank you for being an active part of the community.

Best regards,
Lakshmi

 

Hi @dolphinantonym ,

 

We’d like to confirm whether your issue has been successfully resolved. If you still have any questions or need further assistance, please don’t hesitate to reach out. We’re more than happy to continue supporting you.

 

Best Regards,

Lakshmi

AJ1093
Regular Visitor

To use Workspace Managed Identity (WMI) instead of your user identity to access Azure Key Vault secrets from Notebooks in Microsoft Fabric, you need to ensure a few configuration steps are completed. Right now, your notebook is using your personal identity (your Entra ID object ID) rather than the workspace identity, which is why you're getting a 403.

Here’s how to fix it:

Grant Access to the Workspace Managed Identity in Key Vault

1. Your Key Vault needs to allow access for the workspace's identity.

2. In Azure Portal, go to your Key Vault.

3. Navigate to Access Control (IAM).

4. Add a role assignment:

a. Role: Key Vault Secrets User (or Key Vault Reader depending on access level).

b. Assign access to: Managed identity.

c. Select: Your Microsoft Fabric workspace identity.

 

Alternatively, if you're using access policies (not RBAC):

1. Go to Key Vault → Access policies.

2. Add an access policy:

a. Select Get secret permissions.

b. Under "Principal", select the Workspace Managed Identity.

 

Ensure Your Notebook Uses the Workspace Identity

The default behavior in Microsoft Fabric Notebooks is to use the user identity unless explicitly configured to use the Workspace identity.

 

To ensure the workspace identity is used:

  • Use the correct Fabric-specific library/methods that support workspace identity. The typical notebookutils.credentials.getSecret(...) may default to your user identity.

 

Instead, you should use the Microsoft Fabric runtime feature that supports workspace identity by default for data access.

If notebookutils.credentials.getSecret(...) is intended to support workspace identity in Fabric, then Microsoft must have implemented it accordingly — however, if it still refers to your personal object ID (OID), then the identity used is your personal one.

 

Workaround:
As of now, Fabric does not allow switching identity in the middle of a Notebook execution. If the default identity used is your user, then your workspace identity must be enforced at a different layer.

 

Please upvote if this fixes your issue.

 


@AJ1093 wrote:
  • Use the correct Fabric-specific library/methods that support workspace identity. The typical notebookutils.credentials.getSecret(...) may default to your user identity.

Instead, you should use the Microsoft Fabric runtime feature that supports workspace identity by default for data access.


Which are the correct Fabric-specific libraries/methods? And which "runtime feature" supports workspace identity?
