Create DB identity in synapse notebook
Hi,
I want to create a Synapse notebook where I can read data from Azure SQL server DB. So I need to connect the DB via jdbc and enter the user name and password like code below.
Is there a way where I can store this username and password somewhere so that I can reuse it in other notebooks? Thank you!
# Define JDBC connection for DB1
jdbc_url_db1 = "jdbc:sqlserver://<server1>.database.windows.net:1433;database=<db1>"
connection_properties_db1 = {
"user": "<username1>",
"password": "<password1>",
"driver": "com.microsoft.sqlserver.jdbc.SQLServerDriver"
}
table1_df = spark.read.jdbc(url=jdbc_url_db1, table="schema1.TableA", properties=connection_properties_db1)
Azure Synapse Analytics
-
Ganesh Gurram • 6,460 Reputation points • Microsoft External Staff
2025-04-24T07:07:48.0133333+00:00 You can store and reuse your Azure SQL DB credentials securely across Synapse notebooks without hardcoding them. The recommended approach in Azure Synapse is to use Azure Key Vault in combination with mssparkutils.credentials.getSecret(). Here’s how to do it, step-by-step, following Microsoft best practices.
Store Credentials in Azure Key Vault:
- Go to the Azure Portal.
- Create or open your Azure Key Vault.
- Under Secrets, click + Generate/Import.
- Secret name: db-username, Value: <your_db_username>
- Secret name: db-password, Value: <your_db_password>
Make sure your Synapse Workspace Managed Identity has GET permission on secrets.
Link Key Vault to Synapse:
In Synapse Studio, go to the Manage hub (left panel).
Click Linked Services > + New.
Choose Azure Key Vault.
- Name: keyvault1 (you can name it anything)
- Select your Key Vault from the list
- Click Create.
Use Secrets in Notebook (PySpark):
# Get credentials from Azure Key Vault
username = mssparkutils.credentials.getSecret("keyvault1", "db-username")
password = mssparkutils.credentials.getSecret("keyvault1", "db-password")
# Define JDBC URL
jdbc_url_db1 = "jdbc:sqlserver://<server1>.database.windows.net:1433;database=<db1>"
# Define connection properties
connection_properties_db1 = {
    "user": username,
    "password": password,
    "driver": "com.microsoft.sqlserver.jdbc.SQLServerDriver"
}
# Read table using JDBC
table1_df = spark.read.jdbc(url=jdbc_url_db1, table="schema1.TableA", properties=connection_properties_db1)
Replace <server1> and <db1> with your actual Azure SQL DB server name and database name.
For more details refer:
Secure credentials in Synapse Notebooks
Similar issue: https://learn.microsoft.com/en-us/answers/questions/445496/access-secret-from-vault-using-synapse-pyspark-not
I hope this information helps.
Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
-
Lotus88 • 136 Reputation points
2025-04-24T07:42:22.9933333+00:00 Hi @Ganesh Gurram, so do I need to create 2 secrets, one for db login name and one for db password? Thank you!
-
Ganesh Gurram • 6,460 Reputation points • Microsoft External Staff
2025-04-24T12:00:59.0366667+00:00 You will need to create two separate secrets in Azure Key Vault:
- One for your database login name (e.g., db-username)
- One for your database password (e.g., db-password)
Azure Key Vault stores each secret as a single key-value pair, so separating them ensures secure and flexible access in your Synapse notebooks.
Once created, you can securely retrieve the secrets in your Synapse notebook using:
username = mssparkutils.credentials.getSecretWithLS("keyvault-link", "db-username")
password = mssparkutils.credentials.getSecretWithLS("keyvault-link", "db-password")
Then use the values to configure your JDBC connection.
This approach keeps your credentials secure and reusable across notebooks. I hope this information helps!
-
Lotus88 • 136 Reputation points
2025-04-25T01:37:41.8833333+00:00 Hi @Ganesh Gurram, I saw some people using linked service name and use the tokenlibrary to do it. "token=TokenLibrary.getConnectionString("<linked service name>")". Is this another alternative method to create a connection? I tried it but keep getting connection error. Please advise. Thank you!
-
Ganesh Gurram • 6,460 Reputation points • Microsoft External Staff
2025-04-25T10:44:42.68+00:00 Yes, that is another recommended method to securely connect to your database using a Linked Service in Azure Synapse, especially when working with Azure SQL Database or SQL Server.
Here are a few things to double-check:
Linked Service Type - Make sure your linked service is of type Azure SQL Database or SQL Server and configured correctly.
Go to Synapse Studio → Manage → Linked Services → Click on your linked service
Check:
- The authentication method used (SQL auth or managed identity).
- Test the connection to confirm it works.
Correct Usage in JDBC - You need to pass the connection string token directly into the .read.jdbc() call like this:
jdbc_url = TokenLibrary.getConnectionString("<linkedServiceName>")
df = spark.read \
    .format("jdbc") \
    .option("url", jdbc_url) \
    .option("dbtable", "schema.Table") \
    .option("driver", "com.microsoft.sqlserver.jdbc.SQLServerDriver") \
    .load()
If the linked service is set up to use Managed Identity, make sure your Synapse workspace managed identity has Database Reader role on the Azure SQL DB.
I hope this information helps!
-
Ganesh Gurram • 6,460 Reputation points • Microsoft External Staff
2025-04-28T01:12:43.2966667+00:00 We haven’t heard from you on the last response and were just checking back to see if you have a resolution yet. In case you have any resolution, please do share the same with the community, as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Ruach Nephesh • 0 Reputation points
2025-04-28T01:33:10.42+00:00 The recommended way is:
store your database credentials in Azure Key Vault and access them securely from your Synapse notebook using managed identity.
You can create a linked service to Key Vault and reference secrets in your code without hardcoding them.
(Reference: Secure your credentials with Azure Key Vault in Synapse)
-
Lotus88 • 136 Reputation points
2025-04-28T02:28:31.29+00:00 @Ganesh Gurram, I created a linked service and I used SQL authentication and connection test passed. However, when I tried to connect using your method via my synapse notebook, error occurs. Please advise. Thank you!
-
Ganesh Gurram • 6,460 Reputation points • Microsoft External Staff
2025-04-28T05:50:04.31+00:00 The reason you are getting the error is because: Your Linked Service is using SQL Authentication (Username/Password). The code you are using (TokenLibrary.getConnectionString("<linked service>")) only works if your Linked Service uses Managed Identity Authentication — not SQL authentication. That’s why your connection test passed inside Linked Service but failed inside the notebook.
Create a Linked Service with Managed Identity:
Go to Manage > Linked services > New > Azure SQL Database.
- Set Authentication type = Managed Identity, User assigned identity = (Optional, or leave as system-assigned)
- Test and Save.
- In the Synapse Notebook:
token = TokenLibrary.getConnectionString("your-managed-identity-linked-service-name")
df = spark.read \
    .format("jdbc") \
    .option("url", token) \
    .option("dbtable", "wqa.biz_unit") \
    .option("driver", "com.microsoft.sqlserver.jdbc.SQLServerDriver") \
    .load()
Make sure Synapse Managed Identity has access to the database (run SQL commands):
CREATE USER [<your-synapse-workspace-name>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<your-synapse-workspace-name>];
For SQL Authentication - Use Key Vault method instead, like this:
username = mssparkutils.credentials.getSecret("keyvault1", "db-username")
password = mssparkutils.credentials.getSecret("keyvault1", "db-password")
jdbc_url = f"jdbc:sqlserver://<server>.database.windows.net:1433;database=<dbname>;user={username};password={password};encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;"
df = spark.read \
Note: TokenLibrary expects Linked Service with Managed Identity.
SQL Authentication does not work with TokenLibrary.
Key Vault is a better choice for SQL Authentication.
Hope this helps!
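Added example, not part of the reply above and not Microsoft's code: a reusable helper for the Key Vault route discussed in this thread that keeps the username and password in the JDBC properties instead of the URL, because the URL is the string that surfaces in errors such as the "Check the URL" message later in the thread. `jdbc_options`, `redact_jdbc_url` and the stub vault are hypothetical names; in a notebook the secret getter would be `mssparkutils.credentials.getSecretWithLS`.

```python
import re

DRIVER = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
# Matches user/userName/password properties, including brace-escaped values
# such as password={p;w}}d}, where '}' is doubled inside the braces.
_CRED = re.compile(r"(?i)(?<=;)(username|user|password)=(\{(?:\}\}|[^}])*\}|[^;]*)")


def jdbc_options(get_secret, linked_service, server, database,
                 user_secret="db-username", password_secret="db-password"):
    """Return (url, properties) for spark.read.jdbc.

    get_secret(linked_service, secret_name) is injected so the helper can be
    tested outside Synapse; in a notebook pass
    mssparkutils.credentials.getSecretWithLS.
    Credentials go into the properties dict, never into the URL string.
    """
    url = (f"jdbc:sqlserver://{server}.database.windows.net:1433;"
           f"database={database};encrypt=true;trustServerCertificate=false;"
           "hostNameInCertificate=*.database.windows.net;loginTimeout=30;")
    props = {
        "user": get_secret(linked_service, user_secret),
        "password": get_secret(linked_service, password_secret),
        "driver": DRIVER,
    }
    return url, props


def redact_jdbc_url(url):
    """Mask credential values in a JDBC URL before printing or logging it."""
    return _CRED.sub(lambda m: f"{m.group(1)}=***", url)


# Constructed stand-in for Key Vault so the example runs outside Synapse.
_FAKE_VAULT = {("keyvault1", "db-username"): "app_reader",
               ("keyvault1", "db-password"): "p;w}d"}


def fake_get_secret(linked_service, name):
    return _FAKE_VAULT[(linked_service, name)]


if __name__ == "__main__":
    url, props = jdbc_options(fake_get_secret, "keyvault1", "server1", "db1")
    print(url)  # contains no credentials
    legacy = url + "user=app_reader;password={p;w}}d};"  # constructed URL with inline credentials
    print(redact_jdbc_url(legacy))
```

In a notebook the returned pair is passed as `spark.read.jdbc(url=url, table="schema1.TableA", properties=props)`, and a password containing `;` or `}` needs no escaping because it never enters the URL.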
-
Lotus88 • 136 Reputation points
2025-04-28T05:58:13.0066667+00:00 Hi @Ganesh Gurram,
You mentioned earlier that "The authentication method used (SQL auth or managed identity)". So now do you mean if I am using linked service in my notebook, the linked service must be only managed identity?
I am contributor role in my resource group and synapse admin. However, I am unable to create Key vault. What role is required? Thank you!
-
Ganesh Gurram • 6,460 Reputation points • Microsoft External Staff
2025-04-28T06:46:33.1433333+00:00 @Lotus88 - Could you recheck my previous response. I have made some changes to it.
About using Linked Service inside Synapse Notebook
If you are using TokenLibrary.getConnectionString("<linked service>"), then yes, the Linked Service must use Managed Identity authentication. If your Linked Service uses SQL authentication (username and password), then TokenLibrary will not work — because TokenLibrary expects a token-based connection (Managed Identity).
About not being able to create Key Vault
To create an Azure Key Vault, you must have at least Contributor role at the subscription level or specific permissions related to Key Vault.
You mentioned you have Contributor role at resource group level. This is not enough to create a new Key Vault at subscription level. You must either:
- Ask your Azure admin to give you Contributor at Subscription level or
- Ask them to create the Key Vault for you and assign you "Key Vault Secrets Officer" role inside it.
I hope this information helps!
-
Ganesh Gurram • 6,460 Reputation points • Microsoft External Staff
2025-04-29T01:08:07.4366667+00:00 We haven’t heard from you on the last response and were just checking back to see if you have a resolution yet. In case you have any resolution, please do share the same with the community, as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Lotus88 • 136 Reputation points
2025-04-29T02:27:11.2433333+00:00 It is not working when I used the following code.
Error: IllegalArgumentException: requirement failed: The driver could not open a JDBC connection. Check the URL: [REDACTED]
Service linked already set to managed identity. What went wrong?
token = TokenLibrary.getConnectionString("g_ADH_TST")
df = spark.read.format("jdbc") \
    .option("url", token) \
    .option("dbtable", "wqa.biz_unit") \
    .option("driver", "com.microsoft.sqlserver.jdbc.SQLServerDriver") \
    .load()
-
Dileep Raj Narayan Thumula • 5 Reputation points • Microsoft External Staff
2025-04-30T09:31:55.5233333+00:00 Hello @Lotus88, does it work with Synapse pipelines when you trigger a notebook activity? Sometimes MSI fails when called via pipeline trigger context.
-
Lotus88 • 136 Reputation points
2025-04-30T09:49:38.1966667+00:00 @Dileep Raj Narayan Thumula, I am testing it with notebook not via Synapse pipelines.
-
Dileep Raj Narayan Thumula • 5 Reputation points • Microsoft External Staff
2025-05-01T11:01:20.22+00:00 Hello @Lotus88 I have found some solution storing the credentials in Azure keyvault.
Can you please check if the below helps you
https://stackoverflow.com/questions/72692075/hide-and-retrieve-secret-keys-in-azure-synapse
-
Dileep Raj Narayan Thumula • 5 Reputation points • Microsoft External Staff
2025-05-02T08:48:13.6666667+00:00 @Lotus88 We haven’t heard from you on the last response and were just checking back to see if you have a resolution yet. In case you have any resolution, please do share the same with the community, as it can be helpful to others. Otherwise, will respond with more details and we will try to help.