<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic AWS Secrets Manager access in Administration &amp; Architecture</title>
    <link>https://community.databricks.com/t5/administration-architecture/aws-secrets-manager-access/m-p/50197#M568</link>
    <description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;We're in the process of moving over from Databricks in Azure to AWS.&lt;/P&gt;&lt;P&gt;I am trying to establish a method of accessing secrets from AWS Secrets Manager (we were using Azure KeyVault) and understand this can be done with boto as suggested from AWS.&lt;/P&gt;&lt;P&gt;We have created all of the relevant IAM roles, instance profiles etc.&amp;nbsp; Accessing S3 with this method is working OK.&lt;/P&gt;&lt;P&gt;However, whenever I try to interact with Secrets Manager I keep getting the "&lt;SPAN class=""&gt;NoCredentialsError&lt;/SPAN&gt;&lt;SPAN&gt;: Unable to locate credentials" error.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;The role assigned to the EC2 after creation has the relevant permission to read/write from Secrets Manager.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I'm at a dead end and appreciate any help.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Many Thanks&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Example code:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;import&lt;/SPAN&gt;&lt;SPAN&gt; botocore &lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;import&lt;/SPAN&gt;&lt;SPAN&gt; botocore.session &lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;from&lt;/SPAN&gt;&lt;SPAN&gt; aws_secretsmanager_caching &lt;/SPAN&gt;&lt;SPAN&gt;import&lt;/SPAN&gt;&lt;SPAN&gt; SecretCache, SecretCacheConfig &lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;client = botocore.session.get_session().create_client(&lt;/SPAN&gt;&lt;SPAN&gt;'secretsmanager'&lt;/SPAN&gt;&lt;SPAN&gt;, region_name=&lt;/SPAN&gt;&lt;SPAN&gt;'aws-region'&lt;/SPAN&gt;&lt;SPAN&gt;)&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;cache_config = SecretCacheConfig()&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;cache = SecretCache( config = cache_config, client = client)&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;secret = cache.get_secret_string(&lt;/SPAN&gt;&lt;SPAN&gt;'secretname'&lt;/SPAN&gt;&lt;SPAN&gt;)&lt;/SPAN&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Tue, 31 Oct 2023 15:35:41 GMT</pubDate>
    <dc:creator>AClarkson</dc:creator>
    <dc:date>2023-10-31T15:35:41Z</dc:date>
    <item>
      <title>AWS Secrets Manager access</title>
      <link>https://community.databricks.com/t5/administration-architecture/aws-secrets-manager-access/m-p/50197#M568</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;We're in the process of moving over from Databricks in Azure to AWS.&lt;/P&gt;&lt;P&gt;I am trying to establish a method of accessing secrets from AWS Secrets Manager (we were using Azure KeyVault) and understand this can be done with boto as suggested from AWS.&lt;/P&gt;&lt;P&gt;We have created all of the relevant IAM roles, instance profiles etc.&amp;nbsp; Accessing S3 with this method is working OK.&lt;/P&gt;&lt;P&gt;However, whenever I try to interact with Secrets Manager I keep getting the "&lt;SPAN class=""&gt;NoCredentialsError&lt;/SPAN&gt;&lt;SPAN&gt;: Unable to locate credentials" error.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;The role assigned to the EC2 after creation has the relevant permission to read/write from Secrets Manager.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I'm at a dead end and appreciate any help.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Many Thanks&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Example code:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;import&lt;/SPAN&gt;&lt;SPAN&gt; botocore &lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;import&lt;/SPAN&gt;&lt;SPAN&gt; botocore.session &lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;from&lt;/SPAN&gt;&lt;SPAN&gt; aws_secretsmanager_caching &lt;/SPAN&gt;&lt;SPAN&gt;import&lt;/SPAN&gt;&lt;SPAN&gt; SecretCache, SecretCacheConfig &lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;client = botocore.session.get_session().create_client(&lt;/SPAN&gt;&lt;SPAN&gt;'secretsmanager'&lt;/SPAN&gt;&lt;SPAN&gt;, region_name=&lt;/SPAN&gt;&lt;SPAN&gt;'aws-region'&lt;/SPAN&gt;&lt;SPAN&gt;)&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;cache_config = SecretCacheConfig()&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;SPAN&gt;cache = SecretCache( config = cache_config, client = client)&lt;/SPAN&gt;&lt;/DIV&gt;&lt;BR /&gt;&lt;DIV&gt;&lt;SPAN&gt;secret = cache.get_secret_string(&lt;/SPAN&gt;&lt;SPAN&gt;'secretname'&lt;/SPAN&gt;&lt;SPAN&gt;)&lt;/SPAN&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 31 Oct 2023 15:35:41 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/aws-secrets-manager-access/m-p/50197#M568</guid>
      <dc:creator>AClarkson</dc:creator>
      <dc:date>2023-10-31T15:35:41Z</dc:date>
    </item>
    <item>
      <title>Re: AWS Secrets Manager access</title>
      <link>https://community.databricks.com/t5/administration-architecture/aws-secrets-manager-access/m-p/50253#M572</link>
      <description>&lt;P&gt;I should add I'm running this on a shared cluster and therefore suspect the following constraints are impeding me:&lt;/P&gt;&lt;P&gt;Taken from:&amp;nbsp;&amp;nbsp;&lt;A href="https://docs.databricks.com/en/clusters/configure.html" target="_blank" rel="noopener"&gt;https://docs.databricks.com/en/clusters/configure.html&lt;/A&gt;&lt;/P&gt;&lt;UL class=""&gt;&lt;LI&gt;&lt;P&gt;Cannot connect to the instance metadata service (IMDS), other EC2 instances, or any other services running in the Databricks VPC.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;P&gt;This prevents access to any service that uses the IMDS, such as boto3 and the AWS CLI.&lt;/P&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;So begs the question, how do I interface with AWS Secrets Manager from a shared cluster ?&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Wed, 01 Nov 2023 10:47:04 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/aws-secrets-manager-access/m-p/50253#M572</guid>
      <dc:creator>AClarkson</dc:creator>
      <dc:date>2023-11-01T10:47:04Z</dc:date>
    </item>
    <item>
      <title>Re: AWS Secrets Manager access</title>
      <link>https://community.databricks.com/t5/administration-architecture/aws-secrets-manager-access/m-p/52649#M606</link>
      <description>&lt;P&gt;Thanks Kaniz for your comprehensive response.&lt;/P&gt;&lt;P&gt;We are going to use the Databricks secrets for the time being.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 17 Nov 2023 08:49:34 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/aws-secrets-manager-access/m-p/52649#M606</guid>
      <dc:creator>AClarkson</dc:creator>
      <dc:date>2023-11-17T08:49:34Z</dc:date>
    </item>
    <item>
      <title>Re: AWS Secrets Manager access</title>
      <link>https://community.databricks.com/t5/administration-architecture/aws-secrets-manager-access/m-p/83138#M1579</link>
      <description>&lt;P&gt;Hi,&lt;BR /&gt;Thank you for this suggestion. I am trying to implement this on DBR14.3 using the&amp;nbsp;&lt;SPAN&gt;AWS Systems Manager Parameter Store, does require authentication. I tried both using the instance profile as well as environment variables, but neither work:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;1) The instance profile approach seems to cause the same issue for&amp;nbsp;AWS Systems Manager Parameter Store as when using AWS Secrets Manager&amp;nbsp;(same IMDS problem)?&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;2) Storing&amp;nbsp;"the access key ID and secret access key in a configuration file or environment variables" is not propagating to the workers or executors. I tried setting these both as cluster environment variables as well as in the spark config, but that did not work. Side note: I do not like this approach since I am not making credentials of one single service account accessible to "persons" using the databricks cluster. The instance profile seems a much more secure approach.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;How can I make this work? We are using a shared UC enabled cluster on DBR 14.3&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Best,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Heiko&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 15 Aug 2024 21:05:34 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/aws-secrets-manager-access/m-p/83138#M1579</guid>
      <dc:creator>heiko_u</dc:creator>
      <dc:date>2024-08-15T21:05:34Z</dc:date>
    </item>
  </channel>
</rss>

