Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Special holiday offer! You and a friend can attend FabCon with a BOGO code. Supplies are limited. Register now.

Reply
Ms_Techzill
Regular Visitor

How to Access Azure Key Vault Secrets in Fabric Notebook Using Managed Identity

‎11-27-2025 07:28 AM

I am trying to retrieve secrets from Azure Key Vault in a Microsoft Fabric Notebook using:

 

from notebookutils import mssparkutils

# Use the reference alias and secret names
CONNECTION_STRING = mssparkutils.credentials.getSecret("emailcommunicationkey", "ACS-CONNECTION-STRING")
SENDER = mssparkutils.credentials.getSecret("emailcommunicationkey", "SENDER-EMAIL")

print(CONNECTION_STRING[:15] + "*****")

However, I keep getting this error:

Py4JJavaError Traceback (most recent call last) Cell In[16], line 4 1 from notebookutils import mssparkutils 3 # Use the reference alias and secret names ----> 4 CONNECTION_STRING = mssparkutils.credentials.getSecret("emailcommunicationkey", "ACS-CONNECTION-STRING") 5 SENDER = mssparkutils.credentials.getSecret("emailcommunicationkey", "SENDER-EMAIL") 7 print(CONNECTION_STRING[:15] + "*****") File ~/cluster-env/trident_env/lib/python3.11/site-packages/notebookutils/mssparkutils/credentials.py:27, in getSecret(akvName, secret, linkedService) 25 def getSecret(akvName, secret, linkedService=''😞 26 if linkedService == '': ---> 27 return creds.getSecret(akvName, secret) 28 else: 29 return creds.getSecret(akvName, secret, linkedService)
Labels:
Message 1 of 7
1,294 Views
0
3 ACCEPTED SOLUTIONS
Mauro89
Impactful Individual
Impactful Individual

‎11-28-2025 01:27 AM

Hi @Ms_Techzill,

 

Iam not sure about the error message. But check out this nice video from Patrick. With this it worked for me.

Keep your secrets SAFE in Microsoft Fabric and Azure Key Vault

 

Also good to know that currently the actual notebook owner need to have the Key Vault RBAC rights as delegation to workspace identity or SP is not supported.

 

Best regards!

View solution in original post

Message 2 of 7
1,261 Views
v-hashadapu
Community Support
Community Support

‎11-28-2025 05:05 AM

Hi @Ms_Techzill , Thank you for reaching out to the Microsoft Community Forum.

 

@Mauro89  was right about the core issue, the notebook runs under the user who executes it and that user must have Key Vault secret-read permissions. If they don’t, getSecret() throws the Py4JJavaError you’re seeing.

Your call is also failing because mssparkutils.credentials.getSecret() expects either a properly created linked service alias or the full Key Vault URL. Most of the time the alias doesn’t resolve, so call the vault directly using its endpoint and make sure the notebook runner has a Key Vault secrets role. Once you pass the URL and the user has permissions, the secret loads cleanly.

 

Introduction to Microsoft Spark utilities - Azure Synapse Analytics | Microsoft Learn

Grant permission to applications to access an Azure key vault using Azure RBAC | Microsoft Learn

NotebookUtils (former MSSparkUtils) for Fabric - Microsoft Fabric | Microsoft Learn

Microsoft Spark Utilities (MSSparkUtils) for Fabric - Microsoft Fabric | Microsoft Learn

View solution in original post

Message 7 of 7
1,235 Views
Ms_Techzill
Regular Visitor
In response to Mauro89

‎12-01-2025 08:53 AM

Hello @Mauro89 , thanks so much. I eventually changed it to the vault uri and it worked. Thank you

View solution in original post

Message 5 of 7
1,135 Views
6 REPLIES 6
v-hashadapu
Community Support
Community Support

‎11-28-2025 05:05 AM

Hi @Ms_Techzill , Thank you for reaching out to the Microsoft Community Forum.

 

@Mauro89  was right about the core issue, the notebook runs under the user who executes it and that user must have Key Vault secret-read permissions. If they don’t, getSecret() throws the Py4JJavaError you’re seeing.

Your call is also failing because mssparkutils.credentials.getSecret() expects either a properly created linked service alias or the full Key Vault URL. Most of the time the alias doesn’t resolve, so call the vault directly using its endpoint and make sure the notebook runner has a Key Vault secrets role. Once you pass the URL and the user has permissions, the secret loads cleanly.

 

Introduction to Microsoft Spark utilities - Azure Synapse Analytics | Microsoft Learn

Grant permission to applications to access an Azure key vault using Azure RBAC | Microsoft Learn

NotebookUtils (former MSSparkUtils) for Fabric - Microsoft Fabric | Microsoft Learn

Microsoft Spark Utilities (MSSparkUtils) for Fabric - Microsoft Fabric | Microsoft Learn

Message 7 of 7
1,236 Views
Ms_Techzill
Regular Visitor

‎11-28-2025 03:21 AM

--------------------------------------------------------------------------- Py4JJavaError Traceback (most recent call last) Cell In[49], line 14 7 from azure.keyvault.secrets import SecretClient 11 # ====== Load secrets from Azure Key Vault ====== 12 13 # Replace "kv-emailcomm" with your actual Key Vault connection name in Fabric ---> 14 CONNECTION_STRING = mssparkutils.credentials.getSecret("emailcommunicationkey", "ACS-CONNECTION-STRING") 15 SENDER = mssparkutils.credentials.getSecret("emailcommunicationkey", "SENDER-EMAIL") 19 # Initialize EmailClient File ~/cluster-env/trident_env/lib/python3.11/site-packages/notebookutils/mssparkutils/credentials.py:27, in getSecret(akvName, secret, linkedService) 25 def getSecret(akvName, secret, linkedService=''): 26 if linkedService == '': ---> 27 return creds.getSecret(akvName, secret) 28 else: 29 return creds.getSecret(akvName, secret, linkedService)

Message 6 of 7
1,217 Views
0
Ms_Techzill
Regular Visitor

‎11-28-2025 03:13 AM

@Mauro89 , thank you for your response.  I have watched the video and when I try to run the api_key from my part it shows ["redacted"] just as that of the video. However, when I included it in my code I have the below
code



from notebookutils import mssparkutils
import pandas as pd
import io
import base64
from azure.communication.email import EmailClient
from azure.keyvault.secrets import SecretClient



# ====== Load secrets from Azure Key Vault ======

#  Replace "kv-emailcomm" with your actual Key Vault connection name in Fabric
CONNECTION_STRING = mssparkutils.credentials.getSecret("emailcommunicationkey", "ACS-CONNECTION-STRING")
SENDER = mssparkutils.credentials.getSecret("emailcommunicationkey", "SENDER-EMAIL")



# Initialize EmailClient
client = EmailClient.from_connection_string(CONNECTION_STRING)

# ====== Load churn data from Spark ======
df = spark.read.load(
    ""
)
churn_alert = df.toPandas()

# ====== Filter for test email (optional) ======
# If you want to send all data, skip this filter
# If you want only rows for girl, uncomment below:
# churn_alert = churn_alert[churn_alert['email'] == ' ']

# Create CSV attachment
csv_buffer = io.StringIO()
churn_alert.to_csv(csv_buffer, index=False)
csv_base64 = base64.b64encode(csv_buffer.getvalue().encode()).decode()

# Email Content
plain_text_content = (
    f"Hello friend,\n\n"
    "Hope you’re doing well. This is a test\n\n"
    "Best regards,\ntesting team"
)

# Prepare message
message = {
    "senderAddress": SENDER,
    "recipients": {"to": [{"address": " "}]},
    "content": {
        "subject": "Churn Alert: Your Customers at Risk",
        "plainText": plain_text_content
    },
    "attachments": [
        {
            "name": "churn_report.csv",
            "contentType": "text/csv",
            "contentInBase64": csv_base64
        }
    ]
}

# Send email
try:
    poller = client.begin_send(message)
    result = poller.result()
    print(f" Email sent to " " | Message ID: {result['id']}")
except Exception as e:
    print(f" Failed to send email: {e}")


this is the output
--------------------------------------------------------------------------- Py4JJavaError Traceback (most recent call last) Cell In[49], line 14 7 from azure.keyvault.secrets import SecretClient 11 # ====== Load secrets from Azure Key Vault ====== 12 13 # Replace "kv-emailcomm" with your actual Key Vault connection name in Fabric ---> 14 CONNECTION_STRING = mssparkutils.credentials.getSecret("emailcommunicationkey", "ACS-CONNECTION-STRING") 15 SENDER = mssparkutils.credentials.getSecret("emailcommunicationkey", "SENDER-EMAIL") 19 # Initialize EmailClient File ~/cluster-env/trident_env/lib/python3.11/site-packages/notebookutils/mssparkutils/credentials.py:27, in getSecret(akvName, secret, linkedService) 25 def getSecret(akvName, secret, linkedService=''😞 26 if linkedService == '': ---> 27 return creds.getSecret(akvName, secret) 28 else: 29 return creds.getSecret(akvName, secret, linkedService) File ~/cluster-env/trident_env/lib/python3.11/site-packages/py4j/java_gateway.py:1322, in JavaMember.__call__(self, *args) 1316 command = proto.CALL_COMMAND_NAME +\ 1317 self.command_header +\ 1318 args_command +\ 1319 proto.END_COMMAND_PART 1321 answer = self.gateway_client.send_command(command) -> 1322 return_value = get_return_value( 1323 answer, self.gateway_client, self.target_id, self.name) 1325 for temp_arg in temp_args: 1326 if hasattr(temp_arg, "_detach"😞

Message 3 of 7
1,150 Views
0
Mauro89
Impactful Individual
Impactful Individual
In response to Ms_Techzill

‎12-01-2025 07:34 AM

Hi @Ms_Techzill,

 

I guess your Key Vault URI is not correct. Thats where you wrote "emailcommunicationkey", so the first parameter in the "get_secret" function. 

Here acutally your "Vault URI" needs to be passed. This you can find if you open you Key Vault and go to the overview (marked in red):

Mauro89_0-1764603251567.png

 

Then the second parameter as being the acutal name of the secret.

 

This should work then as expected.

 

Best regards!

 

Message 4 of 7
1,146 Views
0
Ms_Techzill
Regular Visitor
In response to Mauro89

‎12-01-2025 08:53 AM

Hello @Mauro89 , thanks so much. I eventually changed it to the vault uri and it worked. Thank you

Message 5 of 7
1,136 Views
Mauro89
Impactful Individual
Impactful Individual

‎11-28-2025 01:27 AM

Hi @Ms_Techzill,

 

Iam not sure about the error message. But check out this nice video from Patrick. With this it worked for me.

Keep your secrets SAFE in Microsoft Fabric and Azure Key Vault

 

Also good to know that currently the actual notebook owner need to have the Key Vault RBAC rights as delegation to workspace identity or SP is not supported.

 

Best regards!

Message 2 of 7
1,262 Views

Helpful resources

Announcements
November Fabric Update Carousel

Fabric Monthly Update - November 2025

Check out the November 2025 Fabric update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Top Solution Authors
View All