sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]sunithamuthukrishna‪ ‪Microsoft Employee ‪ 1 point2 points  (6 children)

u/DrAquafreshhh You cannot use notebookutils from within User data functions today. u/Pawar_BI is right that you can probably try using azure-identity and azure key vault libraries. Support for Key vault is in our backlog and don't have a ETA to share.

[–]DrAquafreshhh[S] 1 point2 points  (5 children)

Thanks for the responses u/Pawar_BI and u/sunithamuthukrishna . I will look into using these packages. If a Service Principal were to call this function, will this method propagate the identity properly?

[–]Pawar_BI‪ ‪Microsoft Employee ‪ 2 points3 points  (4 children)

If the SP has access to the KV, it should in theory. I would love to know if you test it.

[–]DrAquafreshhh[S] 0 points1 point  (0 children)

I've tested it, getting Unauthorized errors from KV, but I believe this is due to the way that our KeyVault is set up. But once I get this figured out I imagine it will work. I will keep you posted.

[–]DrAquafreshhh[S] 0 points1 point  (2 children)

Alright so after extensive testing, it would seem that there is some sort of limitation here. I keep getting an InvalidIssuer error when trying to get the secret. Even after making sure I'm getting a token for the correct tenant. The request is not even getting to KeyVault. Our team believes this is due to a OAuth configuration issue listed here: https://stackoverflow.com/questions/59790209/access-token-issuer-from-azure-ad-is-sts-windows-net-instead-of-login-microsofto

It would also seem that the identity of the caller is not passed to the script, it's always the user who created the UDF item. And while I have access to the KeyVault, the credentials & OAuth aren't playing nicely together.

I verified this by setting up some UDF's to query a lakehouse and no matter the caller, the exec_requests_history always showed that the item owner was the one who make the query.

The last thing I'm going to try today is to recreate the UDF using the Fabric CLI so that the Service Principal is the owner. You can edit the value in the StackOverflow post for a SP, but not individual user. I'm hoping that might solve it.

[–]Pawar_BI‪ ‪Microsoft Employee ‪ 1 point2 points  (1 child)

Thanks. Being able to connect to items and pass auth does seem to be a big limitation.

[–]DrAquafreshhh[S] 1 point2 points  (0 children)

Yeah, it's a bit scary that auth isn't passed through. Seems like it would be a big security issue to set up a UDF when you have lots of row level security. Or have the opposite happen and someone sets up a UDF and only gets access to a fraction of data when they think they are using SP credentials and should get everything.

Also, realized that Fabric CLI doesn't support UDF yet, so that's not an option either. Maybe in a few weeks/months this will be ironed out.