MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Need to clarify how to access Key Vault secrets in Synapse. #90438

Closed rollingage closed 5 months ago

rollingage commented 2 years ago

https://docs.microsoft.com/en-us/azure/synapse-analytics/spark/microsoft-spark-utilities?pivots=programming-language-python#configure-access-to-azure-key-vault

"Synapse notebooks use Azure Active Directory (Azure AD) pass-through to access Azure Key Vault. Synapse pipelines use workspace identity (MSI) to access Azure Key Vault. To make sure your code works both in notebook and in Synapse pipeline, we recommend granting secret access permission for both your Azure AD account and workspace identity."

This is not 100% correct. If we set up a Key Vault linked service in Synapse, we can get a secret with this function, mssparkutils.credentials.getSecretWithLS(), and it gets the secret using the workspace identity. Actually, this approach is recommended according to this document: long-running queries might fail if the AAD token expires in the middle of the query execution.

"AAD authentication token might be cached by the client applications. For example, Power BI caches the AAD token and reuses the same token for an hour. Long-running queries might fail if the token expires in the middle of the query execution. If you are experiencing query failures caused by the AAD access token that expires in the middle of the query, consider switching to Service Principal, Managed identity or Shared access signature."


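Added example (not code from the issue author, Microsoft's docs, or mssparkutils itself): a small wrapper that resolves a Key Vault secret the way the comment above recommends, through the Key Vault linked service (workspace managed identity, the same path pipelines use) first, and through Azure AD pass-through (the interactive user's token) only as an explicit opt-in fallback for notebook-only development. Assumptions: the linked service name `AzureKeyVault1`, the vault name `kv-prod` and the secret names are made up; `mssparkutils.credentials` exists only inside a Synapse Spark session, so the provider is injected and a constructed stand-in (`FakeCredentials`) is used to run offline; the exception types mssparkutils raises are not documented here, so failures are caught broadly and recorded in an audit list without ever logging the secret value.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Protocol, Tuple


class CredentialProvider(Protocol):
    """The two mssparkutils.credentials calls this wrapper relies on."""
    def getSecretWithLS(self, linked_service: str, secret_name: str) -> str: ...
    def getSecret(self, vault_name: str, secret_name: str) -> str: ...


@dataclass(frozen=True)
class SecretLookup:
    value: str
    identity: str          # "workspace-msi" or "aad-passthrough"


@dataclass
class SynapseSecretResolver:
    provider: CredentialProvider
    linked_service: Optional[str] = None    # hypothetical AKV linked service name
    vault_name: Optional[str] = None        # needed only for the pass-through fallback
    allow_passthrough: bool = False         # opt in; off so pipeline runs fail fast
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def get(self, secret_name: str) -> SecretLookup:
        """Resolve one secret, workspace identity first; the value is never logged."""
        if self.linked_service:
            try:
                value = self.provider.getSecretWithLS(self.linked_service, secret_name)
                self.audit.append(("workspace-msi", secret_name, "ok"))
                return SecretLookup(value, "workspace-msi")
            except Exception as exc:   # assumption: mssparkutils error types are undocumented here
                self.audit.append(("workspace-msi", secret_name, f"failed: {type(exc).__name__}"))
                if not self.allow_passthrough:
                    raise
        if self.allow_passthrough and self.vault_name:
            value = self.provider.getSecret(self.vault_name, secret_name)
            self.audit.append(("aad-passthrough", secret_name, "ok"))
            return SecretLookup(value, "aad-passthrough")
        raise RuntimeError(
            f"no identity path available for {secret_name!r}: "
            "configure a Key Vault linked service or enable pass-through")


class FakeCredentials:
    """Constructed stand-in for mssparkutils.credentials so the example runs
    offline. It models a workspace whose linked service (workspace MSI) can read
    some secrets and a session that may or may not carry a user (pass-through) token."""

    def __init__(self, ls_secrets: Dict[str, Dict[str, str]],
                 vault_secrets: Dict[str, Dict[str, str]], user_token: bool):
        self._ls, self._vault, self._user_token = ls_secrets, vault_secrets, user_token

    def getSecretWithLS(self, linked_service: str, secret_name: str) -> str:
        try:
            return self._ls[linked_service][secret_name]
        except KeyError:
            raise PermissionError(f"workspace identity cannot read {secret_name!r} "
                                  f"via {linked_service!r}") from None

    def getSecret(self, vault_name: str, secret_name: str) -> str:
        if not self._user_token:
            raise PermissionError("no Azure AD user token in this session (pipeline run)")
        return self._vault[vault_name][secret_name]


# Constructed sample data: the workspace identity was granted 'sql-password'
# but not 'dev-only-key'; the interactive user can read both.
LS_SECRETS = {"AzureKeyVault1": {"sql-password": "msi-visible"}}
VAULT_SECRETS = {"kv-prod": {"sql-password": "user-visible", "dev-only-key": "dev"}}


def run_scenarios() -> Dict[str, str]:
    """Which identity path each run ends up on, for a pipeline and a notebook session."""
    pipeline = SynapseSecretResolver(FakeCredentials(LS_SECRETS, VAULT_SECRETS, user_token=False),
                                     linked_service="AzureKeyVault1")
    notebook = SynapseSecretResolver(FakeCredentials(LS_SECRETS, VAULT_SECRETS, user_token=True),
                                     linked_service="AzureKeyVault1", vault_name="kv-prod",
                                     allow_passthrough=True)
    out = {"pipeline": pipeline.get("sql-password").identity,
           "notebook-msi": notebook.get("sql-password").identity,
           "notebook-fallback": notebook.get("dev-only-key").identity}
    try:
        pipeline.get("dev-only-key")          # no MSI grant and no user token: must fail
    except PermissionError:
        out["pipeline-dev-only-key"] = "denied"
    return out


def resolver_from_synapse(linked_service: str) -> SynapseSecretResolver:
    """Inside a real Synapse Spark session: wire the actual provider (not run offline)."""
    from notebookutils import mssparkutils   # only importable in Synapse
    return SynapseSecretResolver(mssparkutils.credentials, linked_service=linked_service)


if __name__ == "__main__":
    print(run_scenarios())
```

The point of keeping `allow_passthrough` off by default is that the same notebook, when triggered from a pipeline, has no user token; failing fast on the linked-service path surfaces a missing access-policy grant for the workspace identity instead of silently working only when a human is logged in.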

ShaikMaheer-MSFT commented 2 years ago

@rollingage Thanks for sharing feedback. We are actively validating it. We will share updates soon.

ShaikMaheer-MSFT commented 2 years ago

@ruixinxu Could you please validate the customer feedback and confirm if it's correct? If yes, kindly consider updating the doc accordingly. Thank you.

PorterJosh commented 1 year ago

It has been a year. Any guidance here?

bandersmsft commented 5 months ago

Thanks for your dedication to our documentation. Unfortunately, at this time we have been unable to review your issue in a timely manner and we sincerely apologize for the delayed response. We are closing this issue for now, but if you feel that it's still a concern, please respond and let us know. If you determine another possible update to our documentation, please don't hesitate to reach out again. #please-close