Validating Azure Key Vault Access Securely in Fabric Notebooks

Working with sensitive data in Microsoft Fabric requires careful handling of secrets, especially when collaborating externally. In a recent customer engagement, I needed to validate access to Azure Key Vault from within a Fabric Notebook, without ever exposing the actual secret values. With only read access granted and no need to manage or update secrets, I focused on confirming that the connection was working as expected.

In this blog, I’ll walk you through the approach, including the setup, code snippets, and logic behind this quick but crucial verification step.

Case

Recently, I had to develop a solution for a customer using Fabric Notebooks. As security is top priority, I asked my counterpart on the customer side to create an Azure Key Vault and to grant me read access only. Working as an external for this customer, I did not need to manage the Key Vault itself, nor to update or manage the secrets stored in it.

Still, after deploying the solution I wanted to be sure that the connection to Key Vault worked and that everything was in place before confirming to the customer that the deployment had succeeded.

To test quickly whether I could read the secrets from Key Vault, I wrote a simple Fabric Notebook (which many will find easy and straightforward) that checks whether the secrets come back from Key Vault.

Note
During the setup, both the workspace identity and my developer account were given read permissions on the Key Vault. Fabric authorizes to Key Vault with the identity of the user executing the Notebook. Keep in mind that the workspace identity is not used in this setup, which I personally find very odd and unwanted. Hopefully this will change in the future.

Peer Grønnerup wrote an excellent article describing the challenge of understanding which identity an operation runs under.

The actual code

As security is important, I don’t want to print these secrets to screen. The Fabric notebook output recognizes a value returned by getSecret as a secret and masks it in the cell output, so instead of the value you see the following message:

[REDACTED]

Also, in this Notebook I’m not interested in using the secrets further; I’m only checking whether they exist in Key Vault and whether I can read them (retrieve the secret value). I do this in bulk in the Notebook, just as a check. Note that the output masking applies to the returned string as-is: do not transform, slice or concatenate the value before printing it, or it may no longer be recognized and masked. Below is a breakdown of the solution setup.

Import utilities
First of all, I import the MSSparkUtils package, whose credential functions I use later to connect to Key Vault. To import it in your Notebook, use the following code snippet:

# Import Fabric-specific utility functions for accessing secrets, files, and other notebook helpers
from notebookutils import mssparkutils

Setup variables
Next, we specify which Key Vault we want to use by giving its URL. In this section we also list the names of the secrets we want to test. This example uses three secrets named in order; to test fewer or more, simply remove or add secret names in the list.

# Define Key Vault URL (can also be without 'https://' if preferred)
keyvault_address = "https://{insertkeyvaultname}.vault.azure.net/"

# List of secret names to retrieve
secret_names = [
    "secret1",
    "secret2",
    "secret3"
]

Define function
As I want to loop through the secrets specified above and test each one, I defined a Python function for the per-secret check. It also specifies the success and failure messages printed upon retrieval.

# Define a function that tries to read one secret and reports the outcome.
# The value is printed only because the Fabric cell output masks it as [REDACTED];
# print the returned string unchanged so the masking still applies.
def retrieve_secret(vault_url, secret_name):
    try:
        value = mssparkutils.credentials.getSecret(vault_url, secret_name)
        print(f"✅ Retrieved secret '{secret_name}': {value}")
        return True
    except Exception as e:
        # Typical causes: wrong vault URL, missing secret, or the executing
        # user lacking 'get' permission on the Key Vault.
        print(f"❌ Failed to retrieve secret '{secret_name}'. Check connection details.")
        print(f"🔍 Error: {str(e)}")
        return False

The actual test
Finally, we run the function and loop through each of the secrets to validate the connection. This is the final piece of code.

# Loop through each secret name and attempt retrieval
for name in secret_names:
    retrieve_secret(keyvault_address, name)

Upon success, the last code snippet returns something along these lines:

✅ Retrieved secret 'secret1': [REDACTED]
✅ Retrieved secret 'secret2': [REDACTED]
✅ Retrieved secret 'secret3': [REDACTED]
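The same bulk check can be written so that the secret value never reaches the output at all and so that a failure is classified rather than just reported. The block below is an added example, not the notebook code from the original post: it takes the getter as a parameter so it runs offline against a constructed fake vault (in Fabric you would pass `mssparkutils.credentials.getSecret`), and the substrings it matches in error messages ("403", "Forbidden", "404", "NotFound") are an assumption about the exception text that you should adjust to what your tenant actually returns.

```python
# Added example (not the original notebook code): value-free bulk check of
# Key Vault secrets with a classified outcome per secret.
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Same call shape as mssparkutils.credentials.getSecret(vault_url, secret_name).
SecretGetter = Callable[[str, str], str]


@dataclass(frozen=True)
class SecretCheck:
    name: str
    status: str       # "ok", "empty", "not_found", "forbidden" or "error"
    detail: str = ""  # exception type only; never the secret value


def classify_error(exc: Exception) -> str:
    """Map an exception to a coarse cause using its message text.

    Assumption: the Key Vault error message carries the HTTP status or
    error code. Adjust the substrings to what you actually observe.
    """
    text = str(exc).lower()
    if "404" in text or "notfound" in text or "not found" in text:
        return "not_found"
    if "403" in text or "forbidden" in text:
        return "forbidden"
    return "error"


def check_secret(vault_url: str, name: str, get_secret: SecretGetter) -> SecretCheck:
    """Read one secret and report only whether it was readable and non-empty."""
    try:
        value = get_secret(vault_url, name)
    except Exception as exc:  # the real getter raises on 403/404/network errors
        return SecretCheck(name, classify_error(exc), type(exc).__name__)
    status = "ok" if value else "empty"
    del value  # discard immediately; the value is never logged or returned
    return SecretCheck(name, status)


def check_secrets(vault_url: str, names: Iterable[str],
                  get_secret: SecretGetter) -> List[SecretCheck]:
    return [check_secret(vault_url, n, get_secret) for n in names]


def summarize(results: Iterable[SecretCheck]) -> dict:
    """Count results per status, e.g. {"ok": 2, "forbidden": 1}."""
    counts: dict = {}
    for r in results:
        counts[r.status] = counts.get(r.status, 0) + 1
    return counts


def report(results: Iterable[SecretCheck]) -> bool:
    """Print one value-free line per secret; True only if every secret is readable."""
    icons = {"ok": "✅", "empty": "⚠️", "not_found": "❓", "forbidden": "⛔", "error": "❌"}
    all_ok = True
    for r in results:
        all_ok = all_ok and r.status == "ok"
        suffix = f" ({r.detail})" if r.detail else ""
        print(f"{icons[r.status]} {r.name}: {r.status}{suffix}")
    return all_ok


# --- Constructed fake vault so the check runs offline (assumed data) --------
_FAKE_VAULT = {"secret1": "not-a-real-value", "secret2": ""}


def fake_get_secret(vault_url: str, name: str) -> str:
    """Stand-in for mssparkutils.credentials.getSecret with constructed failures."""
    if name == "secret3":
        raise PermissionError("Forbidden (403): caller lacks 'get' permission on secrets")
    if name not in _FAKE_VAULT:
        raise KeyError(f"SecretNotFound (404): {name}")
    return _FAKE_VAULT[name]


KEYVAULT_ADDRESS = "https://{insertkeyvaultname}.vault.azure.net/"
SECRET_NAMES = ["secret1", "secret2", "secret3", "secret4"]

if __name__ == "__main__":
    # In Fabric:  from notebookutils import mssparkutils
    #             results = check_secrets(KEYVAULT_ADDRESS, SECRET_NAMES,
    #                                     mssparkutils.credentials.getSecret)
    results = check_secrets(KEYVAULT_ADDRESS, SECRET_NAMES, fake_get_secret)
    print("All readable:", report(results), summarize(results))
```

Because the function discards the value and reports only a status, the check no longer depends on the notebook's output masking, and the "forbidden" versus "not_found" split tells you immediately whether the problem is the executing user's Key Vault permissions (the identity point from the note above) or a missing secret.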

The snippets above are what I used for this check, but more generally the MSSparkUtils package can be used in your Notebook to actually retrieve the secrets from Key Vault and use them to set up a secured connection.

The entire Notebook which you can simply import to run your tests can be found on my GitHub.
