Fix: fail fast on missing Event Hub key in Fabric connection setup#62

Draft
Copilot wants to merge 2 commits into dev from copilot/fix-github-actions-failure

Copilot AI commented Apr 1, 2026

setup_eventhub_connection was silently forwarding empty/invalid credentials to the Fabric API, producing a misleading 400 IncorrectCredentials / AccessUnauthorized instead of a clear root-cause error when listKeys RBAC is absent.

Changes

  • import os added to support env var lookup.
  • AZURE_EVENT_HUB_SHARED_ACCESS_KEY env override — if set and non-empty, the value is used directly, bypassing the list_keys management API call entirely. Useful in CI where the deployment identity lacks listKeys RBAC.
  • Wrapped get_event_hub_namespace_primary_key call in an inner try/except; on failure raises RuntimeError with an actionable message pointing at either the env var or the required RBAC action (Microsoft.EventHub/namespaces/authorizationRules/listKeys/action).
  • Empty-key guard — after retrieval, validates the key is non-empty/non-whitespace and raises the same RuntimeError if not, preventing a bad credential from ever reaching the Fabric API.
  • Improved error log in get_event_hub_namespace_primary_key to include the namespace name.

```python
# If AZURE_EVENT_HUB_SHARED_ACCESS_KEY is set → used directly, no management API call
# If not set → list_keys called; on failure or empty result:
raise RuntimeError(
    "Event Hub shared access key is missing or empty. "
    "Either set the AZURE_EVENT_HUB_SHARED_ACCESS_KEY environment variable, or grant the deployment "
    "identity permission to list Event Hub namespace keys "
    "(Microsoft.EventHub/namespaces/authorizationRules/listKeys/action)."
)
```

Original prompt

Create a PR against branch dev in microsoft/real-time-intelligence-operations-solution-accelerator to fix the GitHub Actions failure in run https://github.com/microsoft/real-time-intelligence-operations-solution-accelerator/actions/runs/23593084340/job/69513123026.

Context

The workflow .github/workflows/azure-dev.yml on dev fails during Fabric provisioning when creating an Event Hub connection.
Job logs show the failure on 2026-04-01 with Fabric API POST https://api.fabric.microsoft.com/v1/connections returning HTTP 400 IncorrectCredentials with inner message AccessUnauthorized, and the script failing in operation setup_eventhub_connection.

Relevant code (on dev) is in infra/scripts/fabric/fabric_eventhub.py at commit 829e578f31a505646dfc2bd5d66eb2cdcb692dfd (ref from job logs).
setup_eventhub_connection() currently:

  • always calls get_event_hub_namespace_primary_key(...)
  • uses key_info['primary_key'] without validation
  • calls Fabric create_eventhub_connection/update_eventhub_connection using that key

Desired changes

Make the provisioning more robust and avoid pushing bad/empty credentials to Fabric:

  1. Update infra/scripts/fabric/fabric_eventhub.py:

    • Add an optional environment-variable override for the Event Hub shared access key (use name AZURE_EVENT_HUB_SHARED_ACCESS_KEY). If set and non-empty, use it instead of calling Azure management list_keys.
    • If env var is not set, keep existing behavior (retrieve namespace key using get_event_hub_namespace_primary_key).
    • Validate that the final access_key is non-empty/whitespace.
    • If access_key is missing/empty, raise a RuntimeError with a clear diagnostic message that explains either:
      • provide AZURE_EVENT_HUB_SHARED_ACCESS_KEY, or
      • grant the deployment identity permission to list Event Hub keys (mention the action Microsoft.EventHub/namespaces/authorizationRules/listKeys/action).
    • Improve exception handling/logging so that failures retrieving keys are clearly surfaced and do not proceed to the Fabric API call.
  2. Do NOT change the workflow in this PR (user asked: "no issue right" and did not request workflow/secret changes). Keep it code-only.

Acceptance criteria

  • Code compiles and passes lint/basic syntax.
  • setup_eventhub_connection uses env var override when present.
  • When key retrieval fails or returns an empty key, the script fails fast with a clear error before calling the Fabric API.
  • No secrets are printed to logs.

Notes

  • Keep changes minimal and targeted.
  • Preserve existing function signatures unless necessary.
  • Ensure the added env var logic does not break local usage.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The job is failing in the azd up postprovision hook when the Fabric provisioning Python script tries to create a Microsoft Fabric connection to Event Hub:

  • Failing operation: setup_eventhub_connection
  • Fabric REST call: POST https://api.fabric.microsoft.com/v1/connections
  • Error: 400 IncorrectCredentials with inner message AccessUnauthorized
  • Final failure: postprovision hook failed with exit code: 1 (Python script exits 1)

This is not a checkout/runner issue; it’s an authentication/authorization problem for the credentials being used to establish the Event Hub connection inside Fabric.

What’s happening

Your workflow (.github/workflows/azure-dev.yml at ref 829e578f31a505646dfc2bd5d66eb2cdcb692dfd) successfully:

  • logs into Azure using OIDC (azure/login@v2)
  • logs into azd using federated GitHub credentials
  • provisions infra with azd up

Then azure.yaml runs this hook:

```yaml
hooks:
  postprovision:
    posix:
      shell: pwsh
      run: ./infra/scripts/utils/Run-PythonScript.ps1 -ScriptPath "infra/scripts/fabric/deploy_fabric_rti.py" -SkipPythonVirtualEnvironment
      continueOnError: false
```

Inside deploy_fabric_rti.py, the step that creates the Fabric Event Hub connection is providing credentials that Fabric rejects (IncorrectCredentials / AccessUnauthorized).

In practice, this usually means one (or more) of the following:

  1. The script is using the wrong Event Hub auth mode (e.g., trying to use a key/connection string that isn’t valid, or using AAD when Fabric expects a key-based secret for that connector type).
  2. The workflow identity (service principal used via OIDC) does not have permission to fetch the Event Hub connection string/keys, so the script ends up sending empty/invalid credentials to Fabric.
  3. The Event Hub/namespace being referenced is not the one that was created (wrong name from env vars), causing key lookup to fail and resulting in bad cred...

This pull request was created from Copilot chat.

Copilot AI changed the title [WIP] Fix GitHub Actions failure during Event Hub connection setup Fix: fail fast on missing Event Hub key in Fabric connection setup Apr 1, 2026
Copilot AI requested a review from Yatish-Microsoft April 1, 2026 11:37
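
The key-resolution order described in the PR (env override, then list_keys, then the empty-key guard, with no secret in the logs), as an added example that is not the PR's code. `resolve_event_hub_key`, `fetch_key_info` and `demo` are hypothetical names, and the lookup is assumed to return a dict with a `primary_key` entry.

```python
import logging
import os

ENV_VAR = "AZURE_EVENT_HUB_SHARED_ACCESS_KEY"  # name taken from the PR description
LIST_KEYS_ACTION = "Microsoft.EventHub/namespaces/authorizationRules/listKeys/action"
log = logging.getLogger("eventhub_key_example")


def resolve_event_hub_key(namespace, fetch_key_info, environ=None):
    """Return (access_key, source) or raise RuntimeError before any Fabric call."""
    # fetch_key_info: hypothetical stand-in for the project's key lookup,
    # assumed to return a dict with a 'primary_key' entry.
    environ = os.environ if environ is None else environ
    hint = (
        f"Event Hub shared access key is missing or empty. Either set {ENV_VAR}, "
        f"or grant the deployment identity {LIST_KEYS_ACTION}."
    )
    override = environ.get(ENV_VAR) or ""
    if override.strip():
        # Log only where the key came from, never the key itself.
        log.info("Using Event Hub key from %s for namespace %s", ENV_VAR, namespace)
        return override, "env"
    try:
        key_info = fetch_key_info(namespace)
    except Exception as exc:
        # Log the exception type only: SDK error text can echo request details.
        log.error("Key lookup failed for namespace %s (%s)", namespace, type(exc).__name__)
        raise RuntimeError(hint) from exc
    key = (key_info or {}).get("primary_key") or ""
    if not key.strip():
        log.error("Key lookup for namespace %s returned an empty key", namespace)
        raise RuntimeError(hint)
    log.info("Using Event Hub key from list_keys for namespace %s", namespace)
    return key, "list_keys"


def demo():
    """Run three cases with constructed inputs and return their outcomes."""
    def denied(_ns):
        raise PermissionError("AuthorizationFailed")  # constructed failure
    results = [resolve_event_hub_key("ns-demo", denied, {ENV_VAR: "constructed-key"})[1]]
    for fetch in (denied, lambda _ns: {"primary_key": "   "}):
        try:
            resolve_event_hub_key("ns-demo", fetch, {})
            results.append("no error")
        except RuntimeError:
            results.append("RuntimeError")
    return results
```

Passing `environ` and the lookup as parameters lets a unit test cover the missing-RBAC and empty-key paths without Azure credentials.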