datakohai12
Frequent Visitor

Microsoft Fabric connect to Azure Key Vault

Greetings everyone, 

 

I am trying to establish a connection between my Microsoft Fabric notebook and an Azure KeyVault to access some secrets. Unfortunately, I am facing an issue with MSI while using Power BI, as it keeps timing out when trying to obtain a token. Any suggestions on how to resolve this issue would be greatly appreciated. Thank you.

3 ACCEPTED SOLUTIONS
GeethaT-MSFT
Community Support

@datakohai12 Thanks for sharing the steps. Fabric currently does not support managed identity authentication, which is what this is trying to authenticate via. Until that's fully integrated, there's a simple workaround. As long as your executing notebook has access to the vault, the below will work.

```python
from trident_token_library_wrapper import PyTridentTokenLibrary as tl

# Token for the Key Vault audience, issued to the identity running the notebook
access_token = mssparkutils.credentials.getToken("keyvault")

# Read the secret from the vault with that token
tl.get_secret_with_token("https://vaultName.vault.azure.net/","secretName",access_token)
```

Regards

Geetha

 


@datakohai12 It wouldn't be present in PyPI.

You should be able to execute that code directly in your Trident notebook. If you're not able to, send over a screenshot of the error.

 

Regards

Geetha


Interesting, it is now working. Thanks.


13 REPLIES
ritikesh
Microsoft Employee

Yes, I have access to Fabric in its tenant and the key vault in another tenant.

This is the error I received:

```
File ~/cluster-env/clonedenv/lib/python3.10/site-packages/py4j/protocol.py:326, in get_return_value(answer, gateway_client, target_id, name)
    324 value = OUTPUT_CONVERTER[type](answer[2:], gateway_client)
    325 if answer[1] == REFERENCE_TYPE:
--> 326     raise Py4JJavaError(
    327         "An error occurred while calling {0}{1}{2}.\n".
    328         format(target_id, ".", name), value)
    329 else:
    330     raise Py4JError(
    331         "An error occurred while calling {0}{1}{2}. Trace:\n{3}\n".
    332         format(target_id, ".", name, value))

Py4JJavaError: An error occurred while calling o6042.getSecretWithToken.
: java.io.IOException: 401 {"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of xxxxxxxxxx________, xxxxxxxxxx________, xxxxxxxxxx________, found xxxxxxxxxx________
  at com.microsoft.azure.trident.tokenlibrary.TokenLibrary.getSecretWithToken(TokenLibrary.scala:804)
  at com.microsoft.azure.trident.tokenlibrary.TokenLibrary$.getSecretWithToken(TokenLibrary.scala:1347)
  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl
```

 

ritikesh
Microsoft Employee

I'm getting the same invalid issuer error in the notebook and am using the PyTridentTokenLibrary, but the notebook and KeyVault are in different tenants. Is there a workaround for this? Or is the managed identity method available now?

 

@ritikesh Managed identity authentication is still not available. Do you have access to the KeyVault with your account? Could you please share a snapshot of the code/error?
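A diagnostic for the AKV10032 "Invalid issuer" error discussed above, added here as an example and not code from the thread or from Microsoft: it decodes the claims of the access token and compares the issuing tenant with the tenant that owns the vault. The tenant IDs and the unsigned sample token are constructed; in a notebook the token would come from `mssparkutils.credentials.getToken("keyvault")`.

```python
import base64
import json
from urllib.parse import urlparse

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_issuer(token: str, vault_tenant_id: str) -> dict:
    """Report whether the token was issued by the tenant that owns the vault."""
    claims = jwt_claims(token)
    # Prefer the 'tid' claim; otherwise take the first path segment of 'iss',
    # e.g. https://sts.windows.net/<tid>/ or https://login.microsoftonline.com/<tid>/v2.0
    tenant = claims.get("tid") or urlparse(claims.get("iss", "")).path.strip("/").split("/")[0]
    return {
        "token_tenant": tenant,
        "vault_tenant": vault_tenant_id,
        "audience": claims.get("aud"),
        "issuer_matches": tenant.lower() == vault_tenant_id.lower(),
    }

def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token so the example runs offline (constructed data)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

# Constructed tenant IDs: the notebook user's home tenant and the vault's tenant.
FABRIC_TENANT = "11111111-1111-1111-1111-111111111111"
VAULT_TENANT = "22222222-2222-2222-2222-222222222222"

if __name__ == "__main__":
    sample = constructed_token({
        "iss": f"https://sts.windows.net/{FABRIC_TENANT}/",
        "tid": FABRIC_TENANT,
        "aud": "https://vault.azure.net",
    })
    # A cross-tenant token reports issuer_matches False, the AKV10032 condition.
    print(check_issuer(sample, VAULT_TENANT))
```

Print only the returned summary, never the token itself, since notebook output is stored with the notebook.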

GeethaT-MSFT
Community Support

@datakohai12 Thanks for sharing the steps. Fabric currently does not support managed identity authentication, which is what this is trying to authenticate via. Until that's fully integrated, there's a simple workaround. As long as your executing notebook has access to the vault, the below will work.

```python
from trident_token_library_wrapper import PyTridentTokenLibrary as tl

# Token for the Key Vault audience, issued to the identity running the notebook
access_token = mssparkutils.credentials.getToken("keyvault")

# Read the secret from the vault with that token
tl.get_secret_with_token("https://vaultName.vault.azure.net/","secretName",access_token)
```

Regards

Geetha

 

Hi! How do we give the executing notebook access to the key vault?

Hi @blhart216beazer 

 

As long as you are using the same account for running the notebook and have access to KeyVault with that same account, you can extract secrets from KeyVault and use them in the notebook.

 

Anonymous
Not applicable

@GeethaT-MSFT 

I have used the above code to mount the Data Lake Gen2 using a notebook in Microsoft Fabric and am getting the below error: An error occurred while calling o4394.getSecretWithToken. : java.io.IOException: 401 {"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer.

 

 

 

Hi Geetha,

I apologize for the delayed response. Thanks for the workaround; I am using it now, though I am having trouble finding trident_token_library_wrapper. Could you direct me to it in PyPi?

@datakohai12 It wouldn't be present in PyPI.

You should be able to execute that code directly in your Trident notebook. If you're not able to, send over a screenshot of the error.

 

Regards

Geetha

Interesting, it is now working. Thanks.

Good to hear that it is now working for you.
Thanks for visiting Fabric Community. Have a great day!

 

Regards

Geetha

GeethaT-MSFT
Community Support

Hi @datakohai12, thanks for posting your question in Microsoft Fabric Community.

Can you please share the steps you have followed or any screenshot of the error?

Regards

Geetha

Hi,

The following are my steps:

  1. Created a Synapse Data Engineering Notebook
  2. Granted the Power BI Service Account Get permissions via Access Policy in the Azure Key Vault

Here is a screenshot of the code and the error message:

datakohai12_0-1687793837978.png

 
