https://community.databricks.com/t5/data-engineering/i-f-security-about-using-medallion-architecture/m-p/139507#M51218 <P>I'll try to summarize and go directly to the key points as I see this:</P><P>- Client to S3 <SPAN><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span>&nbsp;</SPAN>SAS Token or OAUTH 2.0 with Service to Service authentication (preferred)</P><P>- Databricks to S3&nbsp;<SPAN><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> Use Service Principal or Managed Identities (preferred)</SPAN></P><P><SPAN>- Bronze/Silver/Gold&nbsp;<span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> Create different catalogs per layer or different schemas/databases per catalog to place bronze, silver and gold layers. All of them under Unity Catalog governance. Then, you can set proper permissions for users, groups or service principals depending on layer they should be allowed to interact with.</SPAN></P><P><SPAN>- Serverless cluster&nbsp;<span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> You can set in "permissions" who can access and how. Establish as needed.</SPAN></P> Tue, 18 Nov 2025 10:53:26 GMT Coffee77 2025-11-18T10:53:26Z https://community.databricks.com/t5/data-engineering/i-f-security-about-using-medallion-architecture/m-p/139462#M51209 <P>I’m new to writing requirement definitions, and I’d like to ask a question about interface (I/F) security.</P><P><STRONG>My question is:</STRONG><BR />Do I need to define the authentication and security mechanisms (such as OAuth2, Managed Identity, Service Principals, etc.) <STRONG>between the systems shown below</STRONG>? Or do I also need to define security <STRONG>between the bronze, silver, and gold layers</STRONG> within the lakehouse?</P><P><STRONG>Our data pipeline is:</STRONG><BR />VPC on AWS (client system) → S3 → Lakehouse (bronze → silver → gold) → Serverless compute</P> Tue, 18 Nov 2025 04:56:50 GMT https://community.databricks.com/t5/data-engineering/i-f-security-about-using-medallion-architecture/m-p/139462#M51209 ShanQiwei 2025-11-18T04:56:50Z https://community.databricks.com/t5/data-engineering/i-f-security-about-using-medallion-architecture/m-p/139505#M51217 <P><a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/197632">@ShanQiwei</a>&nbsp;</P><TABLE width="1086"><TBODY><TR><TD width="296">Interface or Layer</TD><TD width="193">Should You Define Security?</TD><TD width="211">Typical Mechanisms</TD><TD width="386">Reference Links</TD></TR><TR><TD width="296">VPC → S3</TD><TD width="193">Yes</TD><TD width="211">IAM roles, service accounts, credentials, policies</TD><TD width="386"><A href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html" target="_blank">https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html</A></TD></TR><TR><TD width="296">S3 → Lakehouse</TD><TD width="193">Yes</TD><TD width="211">Service principals, managed identities, access keys</TD><TD width="386"><A href="https://docs.databricks.com/security/access-control/service-principals.html" target="_blank">https://docs.databricks.com/security/access-control/service-principals.html</A></TD></TR><TR><TD width="296">Lakehouse Bronze → Silver → Gold</TD><TD width="193">Sometimes (Context-Driven)</TD><TD width="211">Platform roles, catalog permissions, ACLs, data masking</TD><TD width="386"><A href="https://docs.databricks.com/data-governance/unity-catalog/index.html" target="_blank">https://docs.databricks.com/data-governance/unity-catalog/index.html</A></TD></TR><TR><TD width="296">Lakehouse → Serverless Compute</TD><TD width="193">Yes</TD><TD width="211">Managed identities, OAuth2, tokens, ACLs</TD><TD width="386"><A href="https://learn.microsoft.com/en-us/azure/architecture/serverless/security-serverless-applications" target="_blank">https://learn.microsoft.com/en-us/azure/architecture/serverless/security-serverless-applications</A></TD></TR></TBODY></TABLE> Tue, 18 Nov 2025 10:40:17 GMT https://community.databricks.com/t5/data-engineering/i-f-security-about-using-medallion-architecture/m-p/139505#M51217 ManojkMohan 2025-11-18T10:40:17Z https://community.databricks.com/t5/data-engineering/i-f-security-about-using-medallion-architecture/m-p/139507#M51218 <P>I'll try to summarize and go directly to the key points as I see this:</P><P>- Client to S3 <SPAN><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span>&nbsp;</SPAN>SAS Token or OAUTH 2.0 with Service to Service authentication (preferred)</P><P>- Databricks to S3&nbsp;<SPAN><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> Use Service Principal or Managed Identities (preferred)</SPAN></P><P><SPAN>- Bronze/Silver/Gold&nbsp;<span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> Create different catalogs per layer or different schemas/databases per catalog to place bronze, silver and gold layers. All of them under Unity Catalog governance. Then, you can set proper permissions for users, groups or service principals depending on layer they should be allowed to interact with.</SPAN></P><P><SPAN>- Serverless cluster&nbsp;<span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> You can set in "permissions" who can access and how. Establish as needed.</SPAN></P> Tue, 18 Nov 2025 10:53:26 GMT https://community.databricks.com/t5/data-engineering/i-f-security-about-using-medallion-architecture/m-p/139507#M51218 Coffee77 2025-11-18T10:53:26Z