Get Secret from Azure Key Vault using Fabric Works...

sean_cochran · ‎08-14-2025

Users can access key vault secrets using notebookutils.credentials.getSecret. This is based purely on the user's access (or object owner's access, if the notebook is being run in a pipeline). In larger organizations, managing access at the individual level is not scalable. It would be preferable to associate key vault privileges with a service principal so that connections keep running if a particular user leaves the business.

The workspace identity is an obvious candidate to be given key vault permissions. While this is technically possible - we can add key vault privileges to a workspace identity's associated entra ID app service principal - the service principal's credentials are not used by the notebookutils.credentials.getSecret method. (At least based on my current understanding - this seems to be a known limitation if you read related posts in the Fabric user forums as of August 2025).

Please make it possible to access key vault secrets using workspace identities.

gpetrites · ‎09-09-2025

It is crazy how many places in Fabric the workspace identity can NOT be used. For a service intended to support enterprises, this dependency on user identities is unacceptable.

sean_cochran · ‎01-22-2026

For anyone who liked this idea - there is now a workaround. Notebook connections can be used in a pipeline to force an SP's credentials to be used when making a key vault call. Not perfect, but it's something.

Get Secret from Azure Key Vault using Fabric Workspace Identity

Fabric SQL Database dynamic data masking doesn't w...

Allow Fabric SQL Authentication via Service Princi...

Pipeline Failure Alert

Fabric Monitor Hub (out of the box alerts)

Pipelines Scheduled Send Email Notification of Fai...

Get Fabric certified for FREE!