When working with databases, connecting to REST APIs or getting data from storage accounts, you need usernames and passwords, API keys or other kinds of secrets. Of course you can just hardcode them in the Notebook, run the code, forget about them, and everything works fine. But what if you connect to the same database using the same username and password from multiple Notebooks and you need to change the password? You would have to change it manually in all these different Notebooks.

Another security issue arises when you store your Notebook source code in GitHub or Azure DevOps: everybody with access to the Git repo can also see all the usernames and passwords. This is not very secure! A good solution to this problem is to use Azure Key Vault to store all your secrets and manage the permissions.

Azure Key Vault

Azure Key Vault is a service by Microsoft Azure that helps keep important data like passwords and encryption keys safe. It makes managing these keys easier, provides extra security, and works well with other Azure services to ensure only allowed users can access the stored data.

For more information on creating an Azure Key Vault, see: Quickstart – Create an Azure Key Vault with the Azure portal | Microsoft Learn

Step 1: Create a Secret in Azure Key Vault

Go to your Key Vault in the Azure Portal and click on “Secrets”:

Create a new Secret by clicking “Generate/Import” and give it a name and enter the secret value.

Step 2: Get the Secret using the PyTridentTokenLibrary

This is a proprietary library that is only available in MS Fabric. Trident was the codename for Fabric during development, so the name of the library might change in the future. The Access Token contains your credentials if the Notebook is running in interactive mode, or the Notebook Credentials if the run is Scheduled.

from trident_token_library_wrapper import PyTridentTokenLibrary as tl

key_vault_name = "XtremeSecrets"
secret_name = "GoogleDistanceAPIKey"

# get Access Token (mssparkutils is preloaded in the Notebook session)
access_token = mssparkutils.credentials.getToken("keyvault")

# call Azure Key Vault API to get Secret Value
secret = tl.get_secret_with_token(f"https://{key_vault_name}.vault.azure.net/", secret_name, access_token)

Step 3: Use the Secret in your code

Use the secret variable as a normal variable and insert the value in connection strings, authentication headers, credential objects or API query string parameters:

import requests

# use the Secret value retrieved in Step 2:
queryStringParams = {
    "origins": "amsterdam",
    "destinations": "london",
    "key": secret
}
headers = {
    "Content-Type": "application/json"
}
url = "https://maps.googleapis.com/maps/api/distancematrix/json"

# Make the GET request (the timeout keeps a stalled call from hanging the Notebook)
response = requests.get(url, params=queryStringParams, headers=headers, timeout=30)

# Parse the JSON response
json_data = response.json()

# display() is built into the Notebook
display(json_data)
# Distance value of the first origin/destination pair
distance = json_data['rows'][0]['elements'][0]['distance']['value']
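
Because Step 3 sends the key as a query string parameter, it becomes part of the request URL, which `requests` exposes as `response.url` and includes in the message of the `HTTPError` raised by `raise_for_status()`. The following is an added example, not code from the original post, that masks the key before a URL or error message is logged or displayed; the parameter-name list, the `REDACTED` marker and the sample key are constructed assumptions.

```python
from urllib.parse import (parse_qsl, quote, quote_plus, urlencode,
                          urlsplit, urlunsplit)

# Query parameter names treated as secret-bearing (assumed list; extend as needed).
SENSITIVE_PARAMS = frozenset({"key", "api_key", "apikey", "token", "access_token"})
MASK = "REDACTED"


def redact_url(url, sensitive=SENSITIVE_PARAMS):
    """Return url with the values of sensitive query parameters masked."""
    parts = urlsplit(url)
    query = [
        (name, MASK if name.lower() in sensitive else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_text(text, secrets):
    """Mask known secret values in free text such as exception messages.

    The URL-encoded forms are masked too, because that is how a secret
    appears inside a URL that was built from query parameters.
    """
    for secret in secrets:
        if not secret:
            continue  # never call replace() with an empty string
        for form in {secret, quote(secret, safe=""), quote_plus(secret)}:
            text = text.replace(form, MASK)
    return text


if __name__ == "__main__":
    # Constructed sample values; in the Notebook the key is the `secret`
    # variable from Step 2 and the URL is `response.url`.
    sample_key = "CONSTRUCTED-KEY-123"
    sample_url = ("https://maps.googleapis.com/maps/api/distancematrix/json"
                  "?origins=amsterdam&destinations=london&key=" + sample_key)
    print(redact_url(sample_url))
    error = "403 Client Error: Forbidden for url: " + sample_url
    print(redact_text(error, [sample_key]))
```

In the Notebook, pass `response.url` through `redact_url` and `str(exc)` through `redact_text(..., [secret])` before the value reaches a cell output or a log, since cell outputs can be stored together with the Notebook.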
