
with labs.service_principal_authentication returns error, switching client id with secret name

Open mlongoria opened this issue 6 months ago • 3 comments

Describe the bug Trying to use service principal authentication, used the following code:

import sempy_labs as labs
from sempy_labs import graph

# Placeholder values as posted; the three key_vault_* arguments after the URI
# are passed as the names of secrets in the Key Vault
key_vault_uri = 'https://xxxxxxxx.vault.azure.net/'
key_vault_tenant_id = 'yyy'
key_vault_client_id = 'xxx'
key_vault_client_secret = 'ClientSecret'

with labs.service_principal_authentication(
    key_vault_uri=key_vault_uri,
    key_vault_client_secret=key_vault_client_secret,
    key_vault_tenant_id=key_vault_tenant_id,
    key_vault_client_id=key_vault_client_id,
):
    test = graph.list_group_members(group='Group1')

This returns error: java.io.IOException: 404 {"error":{"code":"SecretNotFound","message":"A secret with (name/id) [key_vault_tenant_id value] was not found in this key vault.

To Reproduce Steps to reproduce the behavior:

  1. Create service principal. Enable use in Fabric tenant settings
  2. Provide values for key_vault_uri, key_vault_tenant_id, key_vault_client_id, key_vault_client_secret. Replace Group1 with a group in your tenant.
  3. Run the code
  4. See the error

Expected behavior Function should return members of group, passing correct values to appropriate parameters.

Desktop (please complete the following information):

  • OS: Windows
  • Browser: Chrome
  • Version Chrome 136.0.7103.93 (Official Build) (64-bit)

Additional context It seems to be passing the value for key_vault_tenant_id to the parameter for key_vault_client_secret. I have double checked that I am using the correct variables and values. Even if I remove the variables and hard code the values, I still get the same error.

mlongoria avatar May 14 '25 03:05 mlongoria

Are you using the secret name or value? You need to use the secret name. The function gets the secret value based on the secret name.

m-kovalsky avatar May 14 '25 06:05 m-kovalsky

Yes, I am using the secret name. I understand what the function inputs and outputs are. The error is telling me there is no key vault secret with the name equal to the value of the variable key_vault_tenant_id.

mlongoria avatar May 14 '25 08:05 mlongoria

Is the secret expired? Check if this works:

import notebookutils

tenant_id = notebookutils.credentials.getSecret(
    key_vault_uri, key_vault_tenant_id
)
client_id = notebookutils.credentials.getSecret(
    key_vault_uri, key_vault_client_id
)
client_secret = notebookutils.credentials.getSecret(
    key_vault_uri, key_vault_client_secret
)

m-kovalsky avatar May 14 '25 10:05 m-kovalsky

Hello, I am running into a similar issue. See first screenshot below. We use the same Service Principal account that we use for Power BI Embedded.

Per the documentation, the parameter descriptions are a little confusing:

key_vault_uri ([str](https://docs.python.org/3/library/stdtypes.html#str)) – Azure Key Vault URI.

key_vault_tenant_id ([str](https://docs.python.org/3/library/stdtypes.html#str)) – Name of the secret in the Key Vault with the Fabric Tenant ID. <-- is this the same as Directory (tenant) ID that is found in the App registrations portal?? see second screenshot below

key_vault_client_id ([str](https://docs.python.org/3/library/stdtypes.html#str)) – Name of the secret in the Key Vault with the Service Principal Client ID. <-- is this the same as Application (client) ID that is found in the App registrations portal?? see second screenshot below

key_vault_client_secret ([str](https://docs.python.org/3/library/stdtypes.html#str)) – Name of the secret in the Key Vault with the Service Principal Client Secret.

Image

Image

triCNguyen5 avatar Jun 04 '25 21:06 triCNguyen5

It’s the name of the secret in keyvault. It’s not the value of the secret (or the actual client ID). This function gets the secret value from a given secret name.

m-kovalsky avatar Jun 05 '25 13:06 m-kovalsky

Ok, when I run the below, it works, there are no errors, and the return value is [REDACTED]:

client_secret = notebookutils.credentials.getSecret(
    key_vault_uri, 
    key_vault_client_secret
)

When I run either the below, I get the 404 not found error that I reported in the previous comment.

tenant_id = notebookutils.credentials.getSecret(
    key_vault_uri,
    key_vault_tenant_id
)

client_id = notebookutils.credentials.getSecret(
    key_vault_uri,
    key_vault_client_id
)

So, the name of key_vault_client_secret is correct, something is funky with either the key_vault_tenant_id or key_vault_client_id

triCNguyen5 avatar Jun 05 '25 17:06 triCNguyen5

Each of these is the same logic. If it doesn’t work it means you either don’t have the secrets in key vault or you aren’t referring to the correct secret name in your key vault.

m-kovalsky avatar Jun 05 '25 17:06 m-kovalsky

Sorry, it took me a bit to get back to this. I went back and redid this and still can't get this to work. I named my secrets exactly the same as in your demo, but I'm getting secret not found, similar to triCNguyen5.

Image

I copied and pasted my code from the demo notebook. I copied and pasted the keyvault uri to make sure it was typed correctly.

Image

ClientAuthenticationError: Authentication failed: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '[REDACTED]'.

I made sure the secret is not expired (it's using the one with description "two").

Image

Can you tell me what I'm doing wrong?

mlongoria avatar Jun 16 '25 01:06 mlongoria

What are the permissions on the key vault? Does your user and SPN have access? I have had different folks test this and the function works fine so it seems it is a permissions issue for you.

m-kovalsky avatar Jun 17 '25 13:06 m-kovalsky

> Sorry, it took me a bit to get back to this. I went back and redid this and still can't get this to work. I named my secrets exactly the same as in your demo, but I'm getting secret not found, similar to triCNguyen5.
>
> Image
>
> I copied and pasted my code from the demo notebook. I copied and pasted the keyvault uri to make sure it was typed correctly.
>
> Image
>
> ClientAuthenticationError: Authentication failed: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '[REDACTED]'.
>
> I made sure the secret is not expired (it's using the one with description "two").
>
> Image
>
> Can you tell me what I'm doing wrong?

Looking at your error you are using the wrong value from the client/app registration.

The error states: ClientAuthenticationError: Authentication failed: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '[REDACTED]'.

If you update your secret in Key Vault with the Client Secret Value from your app registration then you should be fine.

MitchSS avatar Jun 17 '25 14:06 MitchSS
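The two failure modes in this thread are (a) passing a secret's value (or a GUID) where the function expects the secret's name in Key Vault, which surfaces as the 404 SecretNotFound, and (b) storing the app registration's Secret ID instead of the secret Value in the vault, which surfaces later as AADSTS7000215. The following added example (not part of the issue, the maintainer's replies, or semantic-link-labs itself) is a pre-flight check that resolves the three secret names and flags both mistakes before the names are handed to labs.service_principal_authentication. It assumes a constructed in-memory vault (FAKE_VAULT, VAULT_URI and the secret names are hypothetical) standing in for notebookutils.credentials.getSecret(key_vault_uri, secret_name); in a Fabric notebook you would call that function instead. The GUID checks are heuristics: tenant and client IDs are always GUIDs, a client secret value never is, and a Key Vault secret name normally is not.

```python
import uuid

# Constructed in-memory stand-in for notebookutils.credentials.getSecret(key_vault_uri, secret_name).
# Keys are (vault URI, secret NAME); values are what the vault would return. All data is hypothetical.
VAULT_URI = "https://example-kv.vault.azure.net/"
FAKE_VAULT = {
    (VAULT_URI, "fabric-tenant-id"): "11111111-2222-3333-4444-555555555555",
    (VAULT_URI, "spn-client-id"): "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    (VAULT_URI, "spn-client-secret"): "Q~example.client.secret.value",
    # The mistake behind AADSTS7000215: the portal's "Secret ID" column (a GUID)
    # was stored instead of the "Value" column.
    (VAULT_URI, "spn-client-secret-wrong"): "99999999-8888-7777-6666-555555555555",
}


class SecretNotFound(LookupError):
    """Mirrors the 404 SecretNotFound error reported in the thread."""


def get_secret(key_vault_uri, secret_name):
    """Look a secret value up by NAME, as the real notebookutils call does."""
    try:
        return FAKE_VAULT[(key_vault_uri, secret_name)]
    except KeyError:
        raise SecretNotFound(
            f"A secret with (name/id) [{secret_name}] was not found in this key vault."
        ) from None


def looks_like_guid(value):
    """True if value parses as a GUID/UUID."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def preflight(key_vault_uri, key_vault_tenant_id, key_vault_client_id, key_vault_client_secret):
    """Resolve the three secret names and sanity-check what they hold.

    Returns (ok, findings); findings is a list of human-readable problems.
    """
    findings = []
    values = {}
    params = {
        "key_vault_tenant_id": key_vault_tenant_id,
        "key_vault_client_id": key_vault_client_id,
        "key_vault_client_secret": key_vault_client_secret,
    }
    for param, name in params.items():
        # A GUID here almost always means the caller passed the ID value, not the secret name.
        if looks_like_guid(name):
            findings.append(
                f"{param}: '{name}' is a GUID; this parameter takes the secret's NAME in Key Vault, not its value"
            )
        try:
            values[param] = get_secret(key_vault_uri, name)
        except SecretNotFound as exc:
            findings.append(f"{param}: {exc}")

    # The tenant and client secrets must hold GUIDs (Directory (tenant) ID, Application (client) ID).
    for param in ("key_vault_tenant_id", "key_vault_client_id"):
        if param in values and not looks_like_guid(values[param]):
            findings.append(
                f"{param}: secret '{params[param]}' does not hold a GUID; expected the tenant or client ID"
            )
    # The client secret must NOT be a GUID: a GUID is the portal's Secret ID, not the secret value.
    if "key_vault_client_secret" in values and looks_like_guid(values["key_vault_client_secret"]):
        findings.append(
            f"key_vault_client_secret: secret '{key_vault_client_secret}' holds a GUID, i.e. the "
            "Secret ID rather than the secret value; Entra would reject it with AADSTS7000215"
        )
    return (not findings, findings)


if __name__ == "__main__":
    for names in (
        ("fabric-tenant-id", "spn-client-id", "spn-client-secret"),
        ("fabric-tenant-id", "spn-client-id", "spn-client-secret-wrong"),
        ("11111111-2222-3333-4444-555555555555", "spn-client-id", "spn-client-secret"),
    ):
        ok, findings = preflight(VAULT_URI, *names)
        print(names, "OK" if ok else findings)
```

Running the block prints one OK line for the correct names, an AADSTS7000215 finding for the vault entry that holds a Secret ID, and two findings (GUID passed as a name, then SecretNotFound) when the tenant ID value is passed where the secret name belongs. Only when preflight returns ok should the same three names be passed on to labs.service_principal_authentication.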

Has this been resolved or is anyone still getting an error?

m-kovalsky avatar Aug 13 '25 17:08 m-kovalsky

I'm good now. I started over and tried again today and was able to return a list of capacities with the service principal.

mlongoria avatar Aug 13 '25 23:08 mlongoria