Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
g3kuser
Helper I
Helper I

mssparkutils credentials library in notebook

‎04-08-2025 05:59 AM
Hi
 
With recent support of SPN authentication with Fabric ci-cd libraries, I am trying to deploy pipelines and notebook through SPN. I see the item owner as the SPN.  I have the following code in notebook which doesn't mention any credential. Is this using SPN credentials/User credential/Workspace Identity. 
 
secret_value = notebookutils.mssparkutils.credentials.getSecret(keyvault_url,'secret_name)
mssparkutils.credentials.getToken("https://api.fabric.microsoft.com/")
 
I have not given workspace identity access to key vault so I doubt if secret reading call goes that that auth.
 
I did notice in Monitoring when notebook executed through a pipeline has submitted user for notebook execution as SPN who is the item owner as well.
 
Can anyone help me in understanding the process?
 
Thanks,
 
Gayatri
 
Labels:
Message 1 of 4
1,246 Views
0
1 ACCEPTED SOLUTION
nilendraFabric
Super User
Super User

‎04-08-2025 10:01 AM

Hi @g3kuser 

 

When you call the mssparkutils credentials functions without specifying any explicit credentials or linked service parameters, the runtime automatically uses the identity under which the notebook is executing. In your case, because the notebook is being deployed and run through a Fabric pipeline configured with SPN authentication—and the SPN appears as the item owner—the mssparkutils calls are using the service principal’s credentials.

 

 

In your current setup, since no explicit workspace identity configuration is provided (or its permissions granted for Key Vault access), the secret retrieval and token acquisition calls fall back to using the SPN credentials

View solution in original post

Message 2 of 4
1,213 Views
0
3 REPLIES 3
g3kuser
Helper I
Helper I

‎04-08-2025 04:25 PM

Hi @nilendraFabric 

I am curious to understand how it worked without the need for client secret to be passed to the process.

Message 4 of 4
1,195 Views
0
nilendraFabric
Super User
Super User

‎04-08-2025 10:01 AM

Hi @g3kuser 

 

When you call the mssparkutils credentials functions without specifying any explicit credentials or linked service parameters, the runtime automatically uses the identity under which the notebook is executing. In your case, because the notebook is being deployed and run through a Fabric pipeline configured with SPN authentication—and the SPN appears as the item owner—the mssparkutils calls are using the service principal’s credentials.

 

 

In your current setup, since no explicit workspace identity configuration is provided (or its permissions granted for Key Vault access), the secret retrieval and token acquisition calls fall back to using the SPN credentials

Message 2 of 4
1,214 Views
0
g3kuser
Helper I
Helper I
In response to nilendraFabric

‎04-08-2025 04:24 PM

Thank you for the explanation. As the executing user is SPN I am unable to understand how token was retrieved without the need of client secret to be supplied for the process. 

Message 3 of 4
1,195 Views
0

Helpful resources

Announcements
Fabric July 2025 Monthly Update Carousel

Fabric Monthly Update - July 2025

Check out the July 2025 Fabric update to learn about new features.

July 2025 community update carousel

Fabric Community Update - July 2025

Find out what's new and trending in the Fabric community.

View All