Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
g3kuser
Helper I
Helper I

mssparkutils credentials library in notebook

‎04-08-2025 05:59 AM
Hi
 
With recent support of SPN authentication with Fabric ci-cd libraries, I am trying to deploy pipelines and notebook through SPN. I see the item owner as the SPN.  I have the following code in notebook which doesn't mention any credential. Is this using SPN credentials/User credential/Workspace Identity. 
 
secret_value = notebookutils.mssparkutils.credentials.getSecret(keyvault_url,'secret_name)
mssparkutils.credentials.getToken("https://api.fabric.microsoft.com/")
 
I have not given workspace identity access to key vault so I doubt if secret reading call goes that that auth.
 
I did notice in Monitoring when notebook executed through a pipeline has submitted user for notebook execution as SPN who is the item owner as well.
 
Can anyone help me in understanding the process?
 
Thanks,
 
Gayatri
 
Labels:
Message 1 of 4
4,874 Views
0
1 ACCEPTED SOLUTION
nilendraFabric
Super User
Super User

‎04-08-2025 10:01 AM

Hi @g3kuser 

 

When you call the mssparkutils credentials functions without specifying any explicit credentials or linked service parameters, the runtime automatically uses the identity under which the notebook is executing. In your case, because the notebook is being deployed and run through a Fabric pipeline configured with SPN authentication—and the SPN appears as the item owner—the mssparkutils calls are using the service principal’s credentials.

 

 

In your current setup, since no explicit workspace identity configuration is provided (or its permissions granted for Key Vault access), the secret retrieval and token acquisition calls fall back to using the SPN credentials

View solution in original post

Message 2 of 4
4,841 Views
0
3 REPLIES 3
g3kuser
Helper I
Helper I

‎04-08-2025 04:25 PM

Hi @nilendraFabric 

I am curious to understand how it worked without the need for client secret to be passed to the process.

Message 4 of 4
4,823 Views
0
nilendraFabric
Super User
Super User

‎04-08-2025 10:01 AM

Hi @g3kuser 

 

When you call the mssparkutils credentials functions without specifying any explicit credentials or linked service parameters, the runtime automatically uses the identity under which the notebook is executing. In your case, because the notebook is being deployed and run through a Fabric pipeline configured with SPN authentication—and the SPN appears as the item owner—the mssparkutils calls are using the service principal’s credentials.

 

 

In your current setup, since no explicit workspace identity configuration is provided (or its permissions granted for Key Vault access), the secret retrieval and token acquisition calls fall back to using the SPN credentials

Message 2 of 4
4,842 Views
0
g3kuser
Helper I
Helper I
In response to nilendraFabric

‎04-08-2025 04:24 PM

Thank you for the explanation. As the executing user is SPN I am unable to understand how token was retrieved without the need of client secret to be supplied for the process. 

Message 3 of 4
4,823 Views
0

Helpful resources

Announcements
December Fabric Update Carousel

Fabric Monthly Update - December 2025

Check out the December 2025 Fabric Holiday Recap!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All