Cannot access secrets from notebook call by pipeline

Question

Cannot access secrets from notebook call by pipeline

Lotus88 176

Hi,

I have grant secrets permission to my Synapse workspace and my microsoft entra ID.

I have notebooks that read the secrets created by me. I can run the notebook to access my secrets and it is working. However when I tried to run the notebook from pipeline, I keep getting errors and below is my notebook code. What could be the problem ?

from notebookutils import mssparkutils
tst_user_name = mssparkutils.credentials.getSecret('kv-002', 'secret-user')

An error occurred while calling z:mssparkutils.credentials.getSecret.\n: com.microsoft.azure.synapse.tokenlibrary.TokenServiceClientResponseStatusException: Token Service returned 'Client Error' (400), with message: {\"result\":\"DependencyError\",\"errorId\":\"BadRequest\",\"errorMessage\":\"[Code=CannotAcquireMSIForVault, Target=Vault, Message=Cannot acquire MSI token for a Vault audience.

User's image

Venkat Reddy Navari 3,630 Reputation points Microsoft External Staff Moderator

2025-07-04T14:14:25.0333333+00:00

Hi Lotus88 We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Your answer

Venkat Reddy Navari 3,630 Reputation points Microsoft External Staff Moderator

2025-07-04T14:14:25.0333333+00:00

Hi Lotus88 We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

Venkat Reddy Navari 3,630 Microsoft External Staff Moderator

Hi Lotus88 This kind of issue usually shows up because notebooks run differently depending on how they’re triggered.

When you run it manually, it uses your own Microsoft Entra ID (formerly Azure AD), which has access to the Key Vault.

But when the notebook runs from a pipeline, it uses the Synapse workspace's managed identity, and that identity must have the right permissions and be able to acquire a token for the Key Vault. That’s likely where it’s failing.

The error message about not being able to acquire MSI for a Vault usually points to one of these common causes:

Things to Check

Managed Identity: Ensure the system-assigned managed identity is turned on for your Synapse workspace (Azure Portal → Synapse → Identity → System-assigned = On).

Vault Name in Code: Double-check the Key Vault name you're passing in the code. It should be the actual resource name not an alias or display name:


mssparkutils.credentials.getSecret('kv-002', 'secret-user')

Key Vault Networking: If you're using firewall rules or private endpoints, your Synapse workspace might not be able to reach the vault.

As a quick test, set the Key Vault to "Allow access from all networks" to rule out network restrictions.

I hope this information helps. Please do let us know if you have any further queries.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Lotus88 176 Reputation points

2025-07-02T01:35:50.96+00:00

Hi @Venkat Reddy Navari ,

The problem is I cannot find a way to turn on "System-assigned". See my Synapse workspace screenshot below. I have system admin role. Is there any role required for me to see this option ?

This is my key vault setting.
Venkat Reddy Navari 3,630 Reputation points Microsoft External Staff Moderator

2025-07-02T09:19:11.95+00:00
Hi Lotus88 Thanks for the screenshots they clarify a lot.

From your Synapse workspace identity blade, the System-assigned identity section is missing, which explains why your pipeline-triggered notebooks can’t access Key Vault secrets. This usually means one of the following:

Why “System-assigned” is Missing

Permissions: You need Owner or Contributor role on the Synapse workspace resource itself, not just the resource group or subscription. Check via: → Synapse workspace → Access control (IAM) → Your role.

Azure Policy or Blueprint Restrictions: Some organizations disable system-assigned identities by default through policies or deployment templates. Reach out to your admin or cloud governance team to confirm.

Deployment via ARM/Bicep: If the workspace was created using Infrastructure-as-Code, the system-assigned identity might have been skipped during provisioning.

Temporary Workaround

Since your Key Vault allows public access (per your second screenshot), you can:

Create a User-assigned Managed Identity

Assign it to the Synapse workspace

Give that identity “Get” secret permissions on your Key Vault

This allows your pipeline notebooks to access secrets even without system-assigned identity.

PowerShell Option to Enable It

If you have CLI access, you can try enabling system-assigned identity via:

az synapse workspace update ` --name <your-synapse-workspace-name> ` --resource-group <your-resource-group> ` --set identity.type="SystemAssigned"

I hope this information helps. Please do let us know if you have any further queries.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
Lotus88 176 Reputation points

2025-07-02T10:20:07.11+00:00

Hi @Venkat Reddy Navari

I have contributor role in synapse but I still cannot enable system assigned.

I also seems don't have the rights to create user assigned identity. What role is required?
Venkat Reddy Navari 3,630 Reputation points Microsoft External Staff Moderator

2025-07-03T14:43:12.9066667+00:00

Hi Lotus88 Thanks for the screenshot, it confirms your current Contributor role on the Synapse workspace.

However, Contributor doesn't grant permission to enable system-assigned identity or create user-assigned identities. To perform these actions, you’ll need:

The Owner role on the Synapse workspace (or a custom role with Microsoft.ManagedIdentity/* and Microsoft.Synapse/workspaces/write)

Next steps: Ask your admin to temporarily grant you the Owner role or enable the identity on your behalf.

Once enabled, your pipeline-triggered notebooks should be able to access Key Vault secrets without errors.

I hope this information helps. Please do let us know if you have any further queries.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Share via

Cannot access secrets from notebook call by pipeline

1 answer

Your answer