https://community.databricks.com/t5/data-engineering/injecting-databricks-secrets-into-databricks-asset-bundles/m-p/134098#M50018 <P>Hey <a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/149877">@daan_dw</a>&nbsp;,</P><P>Possible reason for your problem:</P><P>Databricks Asset Bundles use Terraform under the hood, and Terraform cannot resolve Databricks secret references (like ${secrets.aws_secrets.cluster_profile_arn})<BR />at deployment time. Secrets are only accessible at runtime within notebooks and jobs, not during the bundle deployment phase when Terraform is provisioning<BR />resources. This is why you get the "undeclared resource" error - Terraform expects all configuration values to be resolved before creating resources.</P><P>Possible Solutions:</P><P>Use Bundle Variables with Environment Variables: Define your secret as a variable in databricks.yml and inject it using the BUNDLE_VAR_ prefix during deployment.<BR />Reference it with ${var.variable_name} in your configuration.</P><P>CI/CD Platform Secrets (Recommended): Store secrets in your CI/CD platform (GitHub Secrets, Azure DevOps Variables, etc.) and inject them during automated<BR />deployments using environment variables. This keeps secrets secure and outside version control.</P><P>Target-Specific Configuration: For non-sensitive values or different environments, define values directly in target sections of your bundle configuration for dev,<BR />staging, and prod environments.</P><P>Variable Override Files: Create a local .databricks/bundle/variables.json file (added to .gitignore) for development purposes.</P><P>The key is to never reference Databricks secrets directly in bundle configuration and instead use bundle variables that are populated externally at deployment time.</P> Tue, 07 Oct 2025 16:46:58 GMT HariSankar 2025-10-07T16:46:58Z https://community.databricks.com/t5/data-engineering/injecting-databricks-secrets-into-databricks-asset-bundles/m-p/134094#M50017 <P>Hey,</P><P>I want to inject Databricks secrets into my Databricks Asset Bundles in order to avoid exposing secrets.<BR />I tried it as shown in the code block below but it gives the error below the code block.<BR />When I hardcode my instance_profile_arn it does work.<BR />How can I inject My Databricks secrets in my Databricks Asset Bundle?<BR />Many thanks!</P><LI-CODE lang="markup">instance_profile_arn: ${secrets.aws_secrets.cluster_profile_arn}</LI-CODE><P>Error: exit status 1</P><P>Error: Reference to undeclared resource</P><P>on bundle.tf.json line 42, in resource.databricks_job.running_prd_xml_files_sftp.job_cluster[0].new_cluster.aws_attributes:<BR />42: "instance_profile_arn": "${secrets.aws_secrets.cluster_profile_arn}",</P><P>A managed resource "secrets" "aws_secrets" has not been declared in the root<BR />module.</P><P>&nbsp;</P> Tue, 07 Oct 2025 15:55:46 GMT https://community.databricks.com/t5/data-engineering/injecting-databricks-secrets-into-databricks-asset-bundles/m-p/134094#M50017 daan_dw 2025-10-07T15:55:46Z https://community.databricks.com/t5/data-engineering/injecting-databricks-secrets-into-databricks-asset-bundles/m-p/134098#M50018 <P>Hey <a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/149877">@daan_dw</a>&nbsp;,</P><P>Possible reason for your problem:</P><P>Databricks Asset Bundles use Terraform under the hood, and Terraform cannot resolve Databricks secret references (like ${secrets.aws_secrets.cluster_profile_arn})<BR />at deployment time. Secrets are only accessible at runtime within notebooks and jobs, not during the bundle deployment phase when Terraform is provisioning<BR />resources. This is why you get the "undeclared resource" error - Terraform expects all configuration values to be resolved before creating resources.</P><P>Possible Solutions:</P><P>Use Bundle Variables with Environment Variables: Define your secret as a variable in databricks.yml and inject it using the BUNDLE_VAR_ prefix during deployment.<BR />Reference it with ${var.variable_name} in your configuration.</P><P>CI/CD Platform Secrets (Recommended): Store secrets in your CI/CD platform (GitHub Secrets, Azure DevOps Variables, etc.) and inject them during automated<BR />deployments using environment variables. This keeps secrets secure and outside version control.</P><P>Target-Specific Configuration: For non-sensitive values or different environments, define values directly in target sections of your bundle configuration for dev,<BR />staging, and prod environments.</P><P>Variable Override Files: Create a local .databricks/bundle/variables.json file (added to .gitignore) for development purposes.</P><P>The key is to never reference Databricks secrets directly in bundle configuration and instead use bundle variables that are populated externally at deployment time.</P> Tue, 07 Oct 2025 16:46:58 GMT https://community.databricks.com/t5/data-engineering/injecting-databricks-secrets-into-databricks-asset-bundles/m-p/134098#M50018 HariSankar 2025-10-07T16:46:58Z