Mssparkutils.credentials.getSecretWithLS to get Certificate and create CertificateCredential in Synapse

BEPV 0

I need to create a CertificateCredential from azure.identity, I have a PKCS12 certificate saved in a Key Vault and I am reading it using mssparkutils with LinkedService, official documentation mentioned you can create a CertificateCredential with the private key byte data as follows:

 # Certificate/private key byte data can also be passed directly

   credential = CertificateCredential(

       tenant_id="<tenant_id>",

       client_id="<client_id>",

       certificate_data=b"<cert data>",

   )

I tried to use the certificate returned from mssparkutils but the client creation fails with encode errors, I also tried to decode the certificate using base64 but it fails as is not able to get the private key, the certificate is valid as is has been used to get token successfully, is failing only when trying to use CertificateCredential.

import base64

import binascii

from cryptography.hazmat.primitives.serialization import pkcs12

from cryptography.hazmat.primitives import hashes, serialization

certificate_data = mssparkutils.credentials.getSecretWithLS(linked_service_name, cert_name)

cert_bytes = base64.b64decode(certificate_data)                 

private_key, certificate, additional_certificates = pkcs12.load_key_and_certificates(cert_bytes, None)

credential = CertificateCredential(tenant_id = tenant_id, client_id = service_principal_id, certificate_data = cert_bytes)

I am running this code in Synapse Workspace, could you guide me on how to properly encode the certificate to create CertificateCredential. Is required to use CertificateCredential

phemanth 8,080 Reputation points Microsoft Vendor

2024-06-10T09:49:25.0733333+00:00
@BEPV

Thanks for the question and using MS Q&A platform.

The issue you're encountering with base64.b64decode likely stems from the fact that PKCS12 certificates contain not just the certificate itself, but also the private key and other information. Base64 decoding is meant for text data, and the PKCS12 format isn't simply encoded text.

Here's how you can correctly handle the PKCS12 certificate and create a CertificateCredential in Synapse Workspace:

import base64 from cryptography.hazmat.primitives.serialization import pkcs12 from cryptography.hazmat.primitives import hashes, serialization def create_certificate_credential(linked_service_name, cert_name, tenant_id, client_id): """ Reads a PKCS12 certificate from Key Vault using mssparkutils and creates a CertificateCredential. Args: linked_service_name (str): Name of the Linked Service that accesses Key Vault. cert_name (str): Name of the secret in Key Vault containing the PKCS12 certificate. tenant_id (str): Azure tenant ID. client_id (str): Client ID (application ID) of your service principal. Returns: azure.identity.CertificateCredential: The created CertificateCredential object. """ # Retrieve the PKCS12 data from Key Vault using mssparkutils certificate_data = mssparkutils.credentials.getSecretWithLS(linked_service_name, cert_name) # Load the PKCS12 data using cryptography library private_key, certificate, additional_certificates = pkcs12.load_key_and_certificates(certificate_data, None) # You don't need to base64 decode the PKCS12 data return CertificateCredential(tenant_id=tenant_id, client_id=client_id, certificate_data=certificate_data) # Example usage credential = create_certificate_credential(linked_service_name="myKeyVaultLS", cert_name="myCert", tenant_id="your-tenant-id", client_id="your-client-id")

This code snippet addresses the following points:

Import Libraries: Imports necessary libraries for PKCS12 handling (cryptography).

Function Definition: Defines a function create_certificate_credential that takes relevant parameters.

Retrieve PKCS12 Data: Retrieves the PKCS12 data using mssparkutils.credentials.getSecretWithLS.

Load PKCS12 Data: Uses cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates to extract the private key and certificate from the PKCS12 data.

Create CertificateCredential: Creates the CertificateCredential object directly using the retrieved certificate_data (no base64 decoding needed).

Example Usage: Demonstrates how to call the function with your specific details.

By using the cryptography library and avoiding base64 decoding of the entire PKCS12 data, you can correctly create a CertificateCredential object for use in Synapse Workspace.

Hope this helps. Do let us know if you any further queries.

BEPV 0

I also tried that approach but when I pass the certificate from the KeyVault directly to the CertificateCredential I am getting the following error message:

    157         password = password.encode("utf-8")

    158 password = cast("Optional[bytes]", password)

--> 160 if b"-----BEGIN" in certificate_data:

    161     cert = load_pem_certificate(certificate_data, password)

    162 else:

TypeError: 'in <string>' requires string as left operand, not bytes

phemanth 8,080 Reputation points Microsoft Vendor

2024-06-11T07:35:50.4966667+00:00
@BEPV

The error message "TypeError: 'in <string>' requires string as left operand, not bytes" indicates that the in operator is being used with a byte string (certificate_data) instead of a regular string. This is happening in the if b"-----BEGIN" line of your code.

Here's how to fix the issue based on the previous response and the new error message:

Solution:

Decode the certificate data before checking for the PEM header:
if "-----BEGIN" in certificate_data.decode("utf-8"): # ... rest of your code for loading PEM certificate else: # Handle non-PEM certificate format (if applicable)

This decodes the certificate_data (which is assumed to be bytes) into a string using UTF-8 encoding. Then, the in operator can be used correctly to check for the presence of the PEM header within the decoded string.

Explanation:

The in operator is designed to work with strings, not byte strings. Decoding the byte string allows for string comparison using in.

Decoding with UTF-8 encoding assumes the certificate data is encoded in that format. If you know the specific encoding used, adjust accordingly.

BEPV 0

That solution is still not working , the certificate is not a string and does not have attribute to decode, the certificate is in PKCS #12 format, this is not a PEM file, not sure if that is causing the error.

Here is my code with your last suggestion:

certificate_data = mssparkutils.credentials.getSecretWithLS(linked_service_name, 'cert')
certificate_decode = certificate_data.decode("utf-8")
credential =  CertificateCredential(tenant_id=tenant_id, client_id=service_principal_id, certificate_data=certificate_decode)

Here is the output error message:

AttributeError                            Traceback (most recent call last)
Cell In [27], line 15
14 certificate_data = mssparkutils.credentials.getSecretWithLS(linked_service_name, 'cert')
---> 15 certificate_decode = certificate_data.decode("utf-8")
17 credential =  CertificateCredential(tenant_id=tenant_id, client_id=service_principal_id, certificate_data=certificate_decode)

AttributeError: 'str' object has no attribute 'decode'

phemanth 8,080 Reputation points Microsoft Vendor

2024-06-12T08:31:01.6133333+00:00
@BEPV The error message 'str' object has no attribute 'decode' indicates that certificate_data is already a string, so you don’t need to decode it.

However, the CertificateCredential expects the certificate_data argument to be bytes, not a string. If your certificate_data is a base64-encoded string, you should decode it back into bytes before passing it to CertificateCredential. Here’s how you can do it:

import base64 certificate_data = mssparkutils.credentials.getSecretWithLS(linked_service_name, 'cert') certificate_bytes = base64.b64decode(certificate_data) credential = CertificateCredential(tenant_id=tenant_id, client_id=service_principal_id, certificate_data=certificate_bytes)

This code first retrieves the certificate data from your linked service, then decodes the base64 string into bytes using base64.b64decode(), and finally creates the CertificateCredential with the byte data
phemanth 8,080 Reputation points Microsoft Vendor

2024-06-14T08:19:48.7933333+00:00

@BEPV We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
BEPV 0 Reputation points

2024-06-17T18:17:35.0133333+00:00

No resolution, you last suggestion is what I ask on my original question, but I was getting an error that the certificate was not valid, even that the same certificate is used for other scenarios
phemanth 8,080 Reputation points Microsoft Vendor

2024-06-18T07:16:23.5833333+00:00
@BEPV . It seems like there might be something specific about your scenario that’s causing the problem. Here are a few additional things you could check:

Certificate Format: Ensure that the certificate you’re retrieving from Key Vault is indeed in PKCS12 format. If it’s in a different format (like PEM), you might need to convert it first.

Certificate Encoding: Check if the certificate is base64-encoded. If it’s not, you’ll need to adjust your code accordingly.

Certificate Validity: Verify that the certificate is still valid. Certificates have a validity period, and if yours has expired, it could cause issues.

Private Key Availability: Make sure that the private key is included in the certificate you’re retrieving from Key Vault. The CertificateCredential requires both the certificate and the private key.

Hope this helps. Do let us know if you any further queries.
Naveen Kumar Srinivasan 0 Reputation points Microsoft Employee

2024-06-20T17:17:09.82+00:00
I am also trying something same as this in synapse notebook but facing different issue. I am able to retrieve the certificate(.pem format) from key vault but while trying below code, it is expecting certificate_path.

CertificateCredential from azure.identity import CertificateCredential credential = CertificateCredential( tenant_id=tenant, client_id=sp_id, certificate_data = cert )

I am facing below error:
TypeError: CertificateCredentialBase.init() missing 1 required positional argument: 'certificate_path'
phemanth 8,080 Reputation points Microsoft Vendor

2024-06-24T13:44:04.5766667+00:00
Naveen Kumar Srinivasan

The error message "TypeError: CertificateCredentialBase.init() missing 1 required positional argument: 'certificate_path'" indicates that the CertificateCredential constructor expects a file path for the certificate, but you're providing the certificate data itself.

Here's how to address this in your Synapse notebook code:

1. Handle PEM certificate data:

Since you have the certificate data in PEM format (cert), you don't need a separate file path. The CertificateCredential constructor can handle the certificate data directly.

Corrected code:

from azure.identity import CertificateCredential credential = CertificateCredential( tenant_id=tenant, client_id=sp_id, certificate_data=cert.encode('utf-8') # Ensure certificate data is bytes )

Explanation:

We import CertificateCredential from azure.identity.

The constructor takes three arguments:

tenant_id: Your Azure tenant ID.

client_id: The client ID (application ID) of your service principal.

certificate_data: The PEM certificate data encoded as bytes. This ensures compatibility with the CertificateCredential constructo

Share via

Mssparkutils.credentials.getSecretWithLS to get Certificate and create CertificateCredential in Synapse