Azure Synapse Studio: What are synapse studio credentials and how are they used?

Question

Azure Synapse Studio: What are synapse studio credentials and how are they used?

GeorgeD37 31

We have a requirement to grant access to a user on one specific pipeline and 2 linked services within synapse studio. The new preview scoped roles seem to allow for this. The problem is that this user won't be able to execute the pipeline unless we define credentials and grant him access to these credentials. We can't seem to find any documentation explaining "credentials" within synapse studio and their purpose. After doing a lot of research, it turns out that credentials are used to secure linked services but we never managed to figure out how exactly does this happen. Anyone help in explaining credentials and how they are used to secure linked services is much appreciated. A screenshot of the "credentials" we are referring to is provided below:

Accepted answer

1 additional answer

Your answer

Answer 1

PRADEEPCHEEKATLA 90,571

Hello @GeorgeD37 ,

The main purpose of credentials is to simplify auth. settings in a linked service. We are soon going to add support for User Assigned Managed Identity in Credentials.
In future, we do plan to extend their use to solve identity confusion, by integrating them in Pipeline activities, and RunAs/BrowseAs in Notebooks/SparkJobs/Pipelines/Dataflows etc.

Synapse assumes that pipelines run as workspace system msi, and that workspace system msi has access to all linked services / credentials.
So even when a user configures a pipeline, access to credentials is assumed to happen as msi at runtime, hence the requirement is for the user to be able to impersonate the msi.
There are some "run as" feature developments happening for pipelines, where user would have choice on which identity the pipeline should run as, and that identity wouldn't have super powers like system msi.

Hope this helps.

PRADEEPCHEEKATLA 90,571 Reputation points

2021-04-09T09:28:39.853+00:00

Hello @GeorgeD37 ,

Just checking in to see if the above answer helped. If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.
Alex Tripp 1 Reputation point

2023-04-04T05:06:19.3733333+00:00

Also have this question. We have a shared Synapse workspace and would like to grant ability to execute certain pipelines and/or preview certain datasets.
Seems like permissions for all the individual workspace items still requires "Synapse User and Synapse Credential User on the WorkspaceSystemIdentity". When will the "Run As" features be announced and will they go under a different name? @GeorgeD37 did you end up with some sort of resolution?

Answer 2

PRADEEPCHEEKATLA 90,571

Hello @GeorgeD37 ,

Welcome to the Microsoft Q&A platform.

By default Synapse uses Azure Active Directory (AAD) passthrough by default for authentication between resources. If you need to connect to a resource using other credentials, use the TokenLibrary directly. The TokenLibrary simplifies the process of retrieving SAS tokens, AAD tokens, connection strings, and secrets stored in a linked service or from an Azure Key Vault.

Credentials - helps you to hold authentication details.

Note: . Credentials more like a “shortcut” for TokenLibrary

For more details, refer Secure credentials with linked services using the TokenLibrary.

Hope this helps. Do let us know if you any further queries.

------------

Please don’t forget to Accept Answer and Up-Vote wherever the information provided helps you, this can be beneficial to other community members.

GeorgeD37 31 Reputation points

2021-04-06T09:22:57.91+00:00

Thanks @PRADEEPCHEEKATLA

The impression we got going through Microsoft's documentation was that credentials are used to control user access on linked services. From your reply, I believe the only purpose it to simplify handling authentication details. Please confirm this and if so, is it possible to control user access at the level of the linked service? Workspace Item permissions allow for this but still, after granting users access to certain Linked Services, they are unable to execute pipeline with a message that they should have access to the "WorkspaceSystemIdentity". Granting users access to the WorkspaceSystemIdentity credentials is automatically giving them access to all linked services and not just specific ones.
Rock 41 Reputation points

2021-10-07T15:09:40.983+00:00

Hi @PRADEEPCHEEKATLA

I want to create a server-level or database scoped credential with this credential. Below is the example from MS

/* Setup - create server-level or database scoped credential with Azure Cosmos DB account key:
CREATE CREDENTIAL MyCosmosDbAccountCredential
WITH IDENTITY = 'SHARED ACCESS SIGNATURE', SECRET = 's5zarR2pT0JWH9k8roipnWxUYBegOuFGjJpSjGlR36y86cW0GQ6RaaG8kGjsRAQoWMw1QKTkkX8HQtFpJjC8Hg==';
*/
SELECT TOP 10 *
FROM OPENROWSET(
PROVIDER = 'CosmosDB',
CONNECTION = 'Account=synapselink-cosmosdb-sqlsample;Database=covid',
OBJECT = 'Ecdc',
SERVER_CREDENTIAL = 'MyCosmosDbAccountCredential'
) with ( date_rep varchar(20), cases bigint, geo_id varchar(6) ) as rows

Instead of using Cosmos db key can we create a credential by using a key vault use it here to query cosmos db?

or create a server-level or database scoped credential by using key Vault in ablove example?
PRADEEPCHEEKATLA 90,571 Reputation points

2021-10-08T06:38:14.493+00:00

Hello @Rock ,

As you have opened a new issue, I would suggest you to continue the discussed on the new thread: https://learn.microsoft.com/en-us/answers/questions/581733/synapse-server-credential-using-key-vault.html?childToView=582697#answer-582697

Share via

Azure Synapse Studio: What are synapse studio credentials and how are they used?

1 additional answer

Your answer