topic Re: Security Consideration for OAUTH Secrets to use Service Principal to authenticate with Databric in Administration & Architecture

Security Consideration for OAUTH Secrets to use Service Principal to authenticate with Databricks

VJ3 — Thu, 11 Jul 2024 00:06:39 GMT

What are the security consideration we need to keep in mind when we want to us OAUTH Secrets to use a Service Principal to access Azure Databricks when Identity federation is disabled and workspace is not yet on boarded on to Unity Catalog?

Can we consider OAUTH secret similar to Personal Access Token?

What is time limit when OAUTH secrets expires?

How do we get new OAUTH secrets?

Can we use Azure Key Vault to store the OAUTH secrets?

What is the workflow we use in OAUTH for authentication? Do we use Implicit grant workflow in OAUTH?

Do we store secret in .databrickscfg?

Who has access to .databrickscfg?

How do we ensure that OAUTH secret is stored safely and encrypted using AES256 and higher encryption?

https://learn.microsoft.com/en-us/azure/databricks/dev-tools/auth/oauth-m2m

Regards,

Re: Security Consideration for OAUTH Secrets to use Service Principal to authenticate with Databric

VJ3 — Mon, 15 Jul 2024 12:43:50 GMT

Thank you @Retired_mod for the response. I do have follow up questions.

- What kind of encryption is used to store OAUTH secret?

- Is there any way OAUTH can be generated by someone else who is not a manager of that SPN? We need this as a part of segregation of duty

- Can we use OAUTH secret for non M2M authentication?

- What is the purpose of .databrickscfg file? Can we avoid using it as someone can store Secret in plain text?

- Can we create multiple OAUTH Secret for single SPN?

Re: Security Consideration for OAUTH Secrets to use Service Principal to authenticate with Databric

Rob_Lemmens — Tue, 17 Dec 2024 13:28:32 GMT

Any updates on this?

Also struggling with the OAuth security considerations. Specifically with updating the OAuth Secrets.

Currently using a SP to access Databricks workspace for DevOps purposes through the Databricks CLI.

I have the SP set up to renew it's ClientSecret every 2 months and update in Azure KV. I want to do something similar with Databricks OAuth Client Secret. Now I have it manually created and copy pasted to KeyVault. But I want to periodically update the OAuath Secret due to strict security requirements.

I see some methods on how to renew your own Databricks OAuth Token. But I see no information on renewing the Oauth Secret (programatically). Or on how to prevent storing the Secret as plain text in the .databrickscfg file.