Get Secret from Azure Key Vault in a Microsoft Fabric Notebook
I’ve recently been working with Notebooks in Microsoft Fabric and have needed to get a credentials information that should be kept secure. The obvious place to store such credentials is Azure Key Vault so now we need to get our secret from there.
This is a really short post to help me out when I need a fast explanation on projects.
Azure Key Vault Part
I’ve previously blogged how to setup a key vault and add a secret – https://hatfullofdata.blog/create-azure-key-vault-to-store-id-and-secret/.
For this post I have a vault called LGB-Secrets and it has a secret called SPConnectorSecret.
The vault URI is https://lgb-secrets.vault.azure.net/ which can be calculated from the vault name.
Python to Get Secret from Azure Key Vault
Notebookutils is a built in package for Microsoft Fabric notebooks. It was previously known as MSSparkUtils. It contains plenty of really useful methods to perform tasks with files, environments and credentials. Microsoft’s documentation can be found at :
https://learn.microsoft.com/en-us/fabric/data-engineering/notebook-utilities#credentials-utilities
The method notebookutils.credentials.getSecret requires 2 parameters, vault URI and secret name. This code block looks like this.
azure_key_vault_name = "lgb-secrets"
azure_key_vault_secret_name = "SPConnectorSecret"
azure_key_vault_url = f"https://{azure_key_vault_name}.vault.azure.net/"
client_secret = notebookutils.credentials.getSecret(azure_key_vault_url,azure_key_vault_secret_name)The account being used to run the notebook will need access to the key vault.
Reacted!
The notebook understands that the value you fetched from the key vault should be kept secure. So if you try to print the client_secret it will not show you the result and will show REDACTED instead.
Conclusion
I know this is a very short post, which is a good thing as that means its a simple concept. It is here because I also wanted a short post that contains the code block I want to be able to copy and use easily.
Discover more from Hat Full of Data
Subscribe to get the latest posts sent to your email.
Awesome sauce Laura. Good quick reference! Have you dealt with the requirement to access a key vault that’s in a private network yet? And if so, how did you do it?
Great question Johnny! No I haven’t had to do that one yet. Got any ideas?
Blog comment creation guideReally helpful walkthrough—especially the reminder that `notebookutils.credentials.getSecret` only needs the vault URI and secret name. One thing I’ve run into is keeping track of vault URIs when working across multiple environments; I’ve found it useful to standardize them in a config cell at the start of each notebook. That way it’s easier to swap environments without editing the code block itself.
Really helpful breakdown of using `notebookutils.credentials.getSecret`—the URI construction step is one of those little details that can easily trip people up. I’ve also found that keeping vault names and secret names parameterized in configs makes notebooks more portable across environments. Curious if you’ve run into any challenges when rotating secrets and how that’s handled in Fabric notebooks?
Really helpful breakdown of how to pull secrets into a Fabric notebook.Blog comment creation I’ve noticed some teams forget that the vault URI needs to match the exact vault name format, so your example makes it very clear. Have you run into any quirks when rotating secrets—like whether the notebook picks up the updated value right away or requires a new session?
Thanks for sharing! The explanation of how to pull secrets directly from Azure Key Vault in Fabric Notebooks makes a lot of sense. I’ve been trying to implement something similar, but using the vault URI directly like this simplifies things.
came across a interesting variation on this, which is to grant a fabric workspace access to a key vault, using Managed Identities.
https://suebayes.substack.com/p/how-to-securely-use-azure-key-vault