https://community.databricks.com/t5/data-engineering/managing-secrets-for-different-groups-in-a-databricks-workspace/m-p/101648#M40759 <P class="_1t7bu9h1 paragraph">Managing secrets within Databricks when you have different groups or teams in the same workspace can be approached in several ways, each with its own advantages. Here are some best practices and methods based on the context provided:</P> <OL> <LI> <P class="_1t7bu9h1 paragraph"><SPAN><STRONG>Using Azure Key Vaults:</STRONG></SPAN></P> <UL class="_1t7bu9h7 _1t7bu9h2"> <LI><STRONG>Separate Key Vaults for Each Group/User:</STRONG> You can create separate Azure Key Vaults for each group or user and then integrate them into Databricks. This method allows for fine-grained access control and isolation of secrets. Each Key Vault can have its own access policies, ensuring that only the intended group or user can access the secrets.</LI> <LI><SPAN><STRONG>Azure Key Vault-backed Secret Scopes:</STRONG> Databricks allows you to create secret scopes that are backed by Azure Key Vault. This means that secrets are stored in Azure Key Vault and accessed through Databricks. This method leverages Azure's robust security features and integrates seamlessly with Databricks.</SPAN></LI> </UL> </LI> <LI> <P class="_1t7bu9h1 paragraph"><SPAN><STRONG>Databricks-backed Secret Scopes:</STRONG></SPAN></P> <UL class="_1t7bu9h7 _1t7bu9h2"> <LI><SPAN><STRONG>Creating Secret Scopes with Different Permissions:</STRONG> You can create Databricks-backed secret scopes and assign different permissions to each group or user. This method is straightforward and allows you to manage secrets directly within Databricks. You can use the Databricks CLI or the Secrets API to create and manage these scopes.</SPAN></LI> <LI><SPAN><STRONG>Managing Permissions:</STRONG> By default, the user who creates the secret scope has the MANAGE permission, which allows them to read, write, and manage permissions on the scope. You can grant other users or groups specific permissions (READ, WRITE, MANAGE) on the secret scope using the Databricks CLI or Secrets API.</SPAN></LI> </UL> </LI> <LI> <P class="_1t7bu9h1 paragraph"><SPAN><STRONG>Automation of Secret Management:</STRONG></SPAN></P> <UL class="_1t7bu9h7 _1t7bu9h2"> <LI><STRONG>Using Terraform:</STRONG> Terraform can be used to automate the creation and management of Azure Key Vaults, secret scopes, and access policies. This approach ensures that your infrastructure is defined as code and can be versioned and managed consistently.</LI> <LI><STRONG>ARM Templates:</STRONG> Azure Resource Manager (ARM) templates can also be used to automate the deployment and configuration of Azure Key Vaults and their access policies.</LI> <LI><SPAN><STRONG>Databricks API:</STRONG> The Databricks API can be used to programmatically create and manage secret scopes and secrets. This can be integrated into your CI/CD pipelines to ensure that secrets are managed dynamically as teams and their access needs change</SPAN></LI> </UL> </LI> </OL> Tue, 10 Dec 2024 18:23:33 GMT Walter_C 2024-12-10T18:23:33Z https://community.databricks.com/t5/data-engineering/managing-secrets-for-different-groups-in-a-databricks-workspace/m-p/88263#M37522 <P>Hi everyone,</P><P>I'm looking for some advice on how people are managing secrets within Databricks when you have <STRONG>different groups</STRONG> (or teams) in the <STRONG>same workspace</STRONG>, each requiring access to different sets of secrets.</P><P>Here’s the challenge:</P><UL><LI>We have multiple groups within the same Databricks workspace, and each group needs different sets of secrets.</LI><LI>Some groups or even individual users need specific secrets with tightly controlled access.</LI></UL><H3>My Questions:</H3><OL><LI><STRONG>Do you create separate Azure Key Vaults</STRONG> for each group or user, and then integrate them into Databricks? Or,</LI><LI><STRONG>Do you use Databricks-backed secret scopes</STRONG> with different permissions per group?</LI><LI>Is there a <STRONG>best practice</STRONG> to ensure security while maintaining flexibility?</LI></OL><P>Additionally, if anyone has <STRONG>automated this process</STRONG>, I’d love to hear how:</P><UL><LI><STRONG>Are you automating secret management</STRONG> using tools like Terraform, ARM templates, or the Databricks API?</LI><LI>Any tips on managing secret scope permissions dynamically as teams and their access needs change?</LI></UL><P>Thanks!</P> Wed, 04 Sep 2024 10:01:19 GMT https://community.databricks.com/t5/data-engineering/managing-secrets-for-different-groups-in-a-databricks-workspace/m-p/88263#M37522 Direo 2024-09-04T10:01:19Z https://community.databricks.com/t5/data-engineering/managing-secrets-for-different-groups-in-a-databricks-workspace/m-p/101648#M40759 <P class="_1t7bu9h1 paragraph">Managing secrets within Databricks when you have different groups or teams in the same workspace can be approached in several ways, each with its own advantages. Here are some best practices and methods based on the context provided:</P> <OL> <LI> <P class="_1t7bu9h1 paragraph"><SPAN><STRONG>Using Azure Key Vaults:</STRONG></SPAN></P> <UL class="_1t7bu9h7 _1t7bu9h2"> <LI><STRONG>Separate Key Vaults for Each Group/User:</STRONG> You can create separate Azure Key Vaults for each group or user and then integrate them into Databricks. This method allows for fine-grained access control and isolation of secrets. Each Key Vault can have its own access policies, ensuring that only the intended group or user can access the secrets.</LI> <LI><SPAN><STRONG>Azure Key Vault-backed Secret Scopes:</STRONG> Databricks allows you to create secret scopes that are backed by Azure Key Vault. This means that secrets are stored in Azure Key Vault and accessed through Databricks. This method leverages Azure's robust security features and integrates seamlessly with Databricks.</SPAN></LI> </UL> </LI> <LI> <P class="_1t7bu9h1 paragraph"><SPAN><STRONG>Databricks-backed Secret Scopes:</STRONG></SPAN></P> <UL class="_1t7bu9h7 _1t7bu9h2"> <LI><SPAN><STRONG>Creating Secret Scopes with Different Permissions:</STRONG> You can create Databricks-backed secret scopes and assign different permissions to each group or user. This method is straightforward and allows you to manage secrets directly within Databricks. You can use the Databricks CLI or the Secrets API to create and manage these scopes.</SPAN></LI> <LI><SPAN><STRONG>Managing Permissions:</STRONG> By default, the user who creates the secret scope has the MANAGE permission, which allows them to read, write, and manage permissions on the scope. You can grant other users or groups specific permissions (READ, WRITE, MANAGE) on the secret scope using the Databricks CLI or Secrets API.</SPAN></LI> </UL> </LI> <LI> <P class="_1t7bu9h1 paragraph"><SPAN><STRONG>Automation of Secret Management:</STRONG></SPAN></P> <UL class="_1t7bu9h7 _1t7bu9h2"> <LI><STRONG>Using Terraform:</STRONG> Terraform can be used to automate the creation and management of Azure Key Vaults, secret scopes, and access policies. This approach ensures that your infrastructure is defined as code and can be versioned and managed consistently.</LI> <LI><STRONG>ARM Templates:</STRONG> Azure Resource Manager (ARM) templates can also be used to automate the deployment and configuration of Azure Key Vaults and their access policies.</LI> <LI><SPAN><STRONG>Databricks API:</STRONG> The Databricks API can be used to programmatically create and manage secret scopes and secrets. This can be integrated into your CI/CD pipelines to ensure that secrets are managed dynamically as teams and their access needs change</SPAN></LI> </UL> </LI> </OL> Tue, 10 Dec 2024 18:23:33 GMT https://community.databricks.com/t5/data-engineering/managing-secrets-for-different-groups-in-a-databricks-workspace/m-p/101648#M40759 Walter_C 2024-12-10T18:23:33Z