<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to store credentials in Databricks and assign them to job parameters in Data Engineering</title>
    <link>https://community.databricks.com/t5/data-engineering/how-to-store-credentials-in-databricks-and-assign-them-to-job/m-p/160083#M54856</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/149095"&gt;@shan-databricks&lt;/a&gt;,&lt;/P&gt;
&lt;P data-pm-slice="1 1 []"&gt;You can do this in Databricks, but it's recommended to separate secrets from runtime parameters.&lt;/P&gt;
&lt;P&gt;For SQL Server and PostgreSQL, the modern approach is usually a &lt;A href="https://docs.databricks.com/aws/en/connect/jdbc-connection" rel="noopener noreferrer nofollow" target="_blank"&gt;JDBC Unity Catalog connection&lt;/A&gt;. A JDBC UC connection stores the JDBC driver, URL path, and credentials in a governed connection object, works across supported compute types, and keeps credentials hidden from the querying user. In that pattern, your job parameters only need to carry non-sensitive values such as the connection name, schema, table, or query.&lt;/P&gt;
&lt;P&gt;If the requirement is read-only access, Databricks generally recommends &lt;A href="https://docs.databricks.com/aws/en/query-federation/database-federation" rel="noopener noreferrer nofollow" target="_blank"&gt;Lakehouse Federation&lt;/A&gt; instead of raw JDBC for supported sources such as PostgreSQL and SQL Server.&lt;/P&gt;
&lt;P&gt;For MongoDB, I would usually recommend using the &lt;A href="https://www.mongodb.com/docs/spark-connector/current/" rel="noopener noreferrer nofollow" target="_blank"&gt;MongoDB Spark connector&lt;/A&gt; together with &lt;A href="https://docs.databricks.com/aws/en/security/secrets/" rel="noopener noreferrer nofollow" target="_blank"&gt;Databricks secrets&lt;/A&gt; rather than passing credentials as job parameters. Databricks documents MongoDB as a third-party Spark connector use case, and custom third-party Spark JARs are supported on dedicated clusters only, not on Databricks SQL, serverless, or standard access mode clusters.&lt;/P&gt;
&lt;P&gt;More generally, use &lt;A href="https://docs.databricks.com/aws/en/jobs/parameters" rel="noopener noreferrer nofollow" target="_blank"&gt;job parameters&lt;/A&gt; only for non-secret runtime values such as source_system, connection_name, database, collection, table, or query. Databricks explicitly notes that job parameters can be overridden at run time and that a default parameter value is not a security control.&lt;/P&gt;
&lt;P&gt;If you are using a notebook task, a common pattern is:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Retrieve secrets with dbutils.secrets.get()&lt;/LI&gt;
&lt;LI&gt;Retrieve job parameters with dbutils.widgets.get()&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Databricks also supports referencing secrets in &lt;A href="https://docs.databricks.com/aws/en/security/secrets/secrets-spark-conf-env-var" rel="noopener noreferrer nofollow" target="_blank"&gt;Spark configuration properties or environment variables&lt;/A&gt; using {{secrets/scope/key}}, but this comes with additional security considerations and is usually not the first choice unless you specifically need cluster-level or init-script-based injection.&lt;/P&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;A few example patterns below may help make this more concrete.&lt;/P&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;For SQL Server/PostgreSQL using a JDBC Unity Catalog connection:&lt;/P&gt;
&lt;PRE class="_1ibi0s3d1" dir="auto"&gt;&lt;CODE class="language-python"&gt;connection_name = dbutils.widgets.get("connection_name")
table_name = dbutils.widgets.get("table_name")

df = (
    spark.read.format("jdbc")
    .option("databricks.connection", connection_name)
    .option("dbtable", table_name)
    .load()
)
&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;This is the pattern Databricks recommends when migrating existing Spark JDBC code...move the URL and credentials into the connection object, and pass only runtime values like the connection name and table/query from the job.&lt;/P&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;For Notebook parameters + Databricks secrets:&lt;/P&gt;
&lt;PRE class="_1ibi0s3d1" dir="auto"&gt;&lt;CODE class="language-python"&gt;source_system = dbutils.widgets.get("source_system")
database_name = dbutils.widgets.get("database_name")
username = dbutils.secrets.get(scope="ext-sources", key="username")
password = dbutils.secrets.get(scope="ext-sources", key="password")
&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;This works well when you want the job to stay parameter-driven, but still keep credentials in a secret scope instead of the job definition.&lt;/P&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;For MongoDB using the Spark connector:&lt;/P&gt;
&lt;PRE class="_1ibi0s3d1" dir="auto"&gt;&lt;CODE class="language-python"&gt;mongo_uri = dbutils.secrets.get(scope="ext-sources", key="mongodb-uri")
database_name = dbutils.widgets.get("database_name")
collection_name = dbutils.widgets.get("collection_name")

df = (
    spark.read.format("mongodb")
    .option("connection.uri", mongo_uri)
    .option("database", database_name)
    .option("collection", collection_name)
    .load()
)
&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;For MongoDB, the connector-based approach is the better fit than trying to force everything through JDBC-style job parameters, especially since Databricks documents MongoDB as a third-party Spark connector use case.&lt;/P&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;For SQL Server using the bundled connector directly&lt;/P&gt;
&lt;PRE class="_1ibi0s3d1" dir="auto"&gt;&lt;CODE class="language-python"&gt;df = (
    spark.read.format("sqlserver")
    .option("host", dbutils.widgets.get("host"))
    .option("user", dbutils.secrets.get(scope="ext-sources", key="sqlserver-user"))
    .option("password", dbutils.secrets.get(scope="ext-sources", key="sqlserver-password"))
    .option("database", dbutils.widgets.get("database_name"))
    .option("query", dbutils.widgets.get("source_query"))
    .load()
)
&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;Databricks also documents this bundled-connector pattern for SQL Server. If you do this, the same principle applies.. as in...keep secrets in secret scopes, and use job parameters only for non-sensitive runtime inputs.&lt;/P&gt;
&lt;P class="p1"&gt;&lt;FONT size="2" color="#FF6600"&gt;&lt;STRONG&gt;&lt;I&gt;If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.&lt;/I&gt;&lt;/STRONG&gt;&lt;/FONT&gt;&lt;I&gt;&lt;/I&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 22 Jun 2026 10:53:11 GMT</pubDate>
    <dc:creator>Ashwin_DSA</dc:creator>
    <dc:date>2026-06-22T10:53:11Z</dc:date>
    <item>
      <title>How to store credentials in Databricks and assign them to job parameters</title>
      <link>https://community.databricks.com/t5/data-engineering/how-to-store-credentials-in-databricks-and-assign-them-to-job/m-p/160025#M54847</link>
      <description>&lt;P&gt;&lt;SPAN&gt;I am using SQL Server, Postgres, and MongoDB as data sources, connecting through Spark and JDBC connector. I would like to store the credentials and connection details in Databricks, pass them as job parameters, and need guidance on possible approaches to achieve this.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jun 2026 04:42:45 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-engineering/how-to-store-credentials-in-databricks-and-assign-them-to-job/m-p/160025#M54847</guid>
      <dc:creator>shan-databricks</dc:creator>
      <dc:date>2026-06-22T04:42:45Z</dc:date>
    </item>
    <item>
      <title>Re: How to store credentials in Databricks and assign them to job parameters</title>
      <link>https://community.databricks.com/t5/data-engineering/how-to-store-credentials-in-databricks-and-assign-them-to-job/m-p/160029#M54848</link>
      <description>&lt;P&gt;&lt;STRONG&gt;Databricks Secrets&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;is the valid approach for storing sensitive credentials. Secrets are encrypted, access-controlled, and can be referenced in job parameters and notebooks without exposing values in code or logs. You can follow below&lt;/SPAN&gt;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;&lt;SPAN&gt;You can &lt;STRONG&gt;Create a Secret Scope&lt;/STRONG&gt;&amp;nbsp;-&amp;nbsp;one time setup.&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;SPAN&gt;Attach &amp;amp; &lt;STRONG&gt;store&lt;/STRONG&gt; the various credentials&lt;/SPAN&gt;&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Reference Secrets&lt;/STRONG&gt; in the&amp;nbsp;Notebooks/Code like below&lt;/LI&gt;&lt;/OL&gt;&lt;LI-CODE lang="python"&gt;# SQL Server
sqlserver_url = f"jdbc:sqlserver://{dbutils.secrets.get('scope-name', 'sqlserver-host')};database={dbutils.secrets.get('scope-name', 'sqlserver-database')}"
sqlserver_properties = {
    "user": dbutils.secrets.get("scope-name", "sqlserver-user"),
    "password": dbutils.secrets.get("scope-name", "sqlserver-password")
}

df_sqlserver = spark.read.jdbc(url=sqlserver_url, table="schema.table", properties=sqlserver_properties)

# Postgres
postgres_url = f"jdbc:postgresql://{dbutils.secrets.get('scope-name', 'postgres-host')}:5432/database"
postgres_properties = {
    "user": dbutils.secrets.get("scope-name", "postgres-user"),
    "password": dbutils.secrets.get("scope-name", "postgres-password"),
}

df_postgres = spark.read.jdbc(url=postgres_url, table="schema.table", properties=postgres_properties)

# MongoDB
mongo_uri = dbutils.secrets.get("scope-name", "mongodb-connection-string")
df_mongo = spark.read.format("mongodb")\
    .option("connection.uri", mongo_uri)\
    .option("database", "db_name")\
    .option("collection", "collection_name")\
    .load()&lt;/LI-CODE&gt;&lt;P&gt;More details &lt;A href="https://docs.databricks.com/aws/en/security/secrets/example-secret-workflow" target="_self"&gt;here&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jun 2026 05:02:48 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-engineering/how-to-store-credentials-in-databricks-and-assign-them-to-job/m-p/160029#M54848</guid>
      <dc:creator>balajij8</dc:creator>
      <dc:date>2026-06-22T05:02:48Z</dc:date>
    </item>
    <item>
      <title>Re: How to store credentials in Databricks and assign them to job parameters</title>
      <link>https://community.databricks.com/t5/data-engineering/how-to-store-credentials-in-databricks-and-assign-them-to-job/m-p/160083#M54856</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/149095"&gt;@shan-databricks&lt;/a&gt;,&lt;/P&gt;
&lt;P data-pm-slice="1 1 []"&gt;You can do this in Databricks, but it's recommended to separate secrets from runtime parameters.&lt;/P&gt;
&lt;P&gt;For SQL Server and PostgreSQL, the modern approach is usually a &lt;A href="https://docs.databricks.com/aws/en/connect/jdbc-connection" rel="noopener noreferrer nofollow" target="_blank"&gt;JDBC Unity Catalog connection&lt;/A&gt;. A JDBC UC connection stores the JDBC driver, URL path, and credentials in a governed connection object, works across supported compute types, and keeps credentials hidden from the querying user. In that pattern, your job parameters only need to carry non-sensitive values such as the connection name, schema, table, or query.&lt;/P&gt;
&lt;P&gt;If the requirement is read-only access, Databricks generally recommends &lt;A href="https://docs.databricks.com/aws/en/query-federation/database-federation" rel="noopener noreferrer nofollow" target="_blank"&gt;Lakehouse Federation&lt;/A&gt; instead of raw JDBC for supported sources such as PostgreSQL and SQL Server.&lt;/P&gt;
&lt;P&gt;For MongoDB, I would usually recommend using the &lt;A href="https://www.mongodb.com/docs/spark-connector/current/" rel="noopener noreferrer nofollow" target="_blank"&gt;MongoDB Spark connector&lt;/A&gt; together with &lt;A href="https://docs.databricks.com/aws/en/security/secrets/" rel="noopener noreferrer nofollow" target="_blank"&gt;Databricks secrets&lt;/A&gt; rather than passing credentials as job parameters. Databricks documents MongoDB as a third-party Spark connector use case, and custom third-party Spark JARs are supported on dedicated clusters only, not on Databricks SQL, serverless, or standard access mode clusters.&lt;/P&gt;
&lt;P&gt;More generally, use &lt;A href="https://docs.databricks.com/aws/en/jobs/parameters" rel="noopener noreferrer nofollow" target="_blank"&gt;job parameters&lt;/A&gt; only for non-secret runtime values such as source_system, connection_name, database, collection, table, or query. Databricks explicitly notes that job parameters can be overridden at run time and that a default parameter value is not a security control.&lt;/P&gt;
&lt;P&gt;If you are using a notebook task, a common pattern is:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Retrieve secrets with dbutils.secrets.get()&lt;/LI&gt;
&lt;LI&gt;Retrieve job parameters with dbutils.widgets.get()&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Databricks also supports referencing secrets in &lt;A href="https://docs.databricks.com/aws/en/security/secrets/secrets-spark-conf-env-var" rel="noopener noreferrer nofollow" target="_blank"&gt;Spark configuration properties or environment variables&lt;/A&gt; using {{secrets/scope/key}}, but this comes with additional security considerations and is usually not the first choice unless you specifically need cluster-level or init-script-based injection.&lt;/P&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;A few example patterns below may help make this more concrete.&lt;/P&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;For SQL Server/PostgreSQL using a JDBC Unity Catalog connection:&lt;/P&gt;
&lt;PRE class="_1ibi0s3d1" dir="auto"&gt;&lt;CODE class="language-python"&gt;connection_name = dbutils.widgets.get("connection_name")
table_name = dbutils.widgets.get("table_name")

df = (
    spark.read.format("jdbc")
    .option("databricks.connection", connection_name)
    .option("dbtable", table_name)
    .load()
)
&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;This is the pattern Databricks recommends when migrating existing Spark JDBC code...move the URL and credentials into the connection object, and pass only runtime values like the connection name and table/query from the job.&lt;/P&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;For Notebook parameters + Databricks secrets:&lt;/P&gt;
&lt;PRE class="_1ibi0s3d1" dir="auto"&gt;&lt;CODE class="language-python"&gt;source_system = dbutils.widgets.get("source_system")
database_name = dbutils.widgets.get("database_name")
username = dbutils.secrets.get(scope="ext-sources", key="username")
password = dbutils.secrets.get(scope="ext-sources", key="password")
&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;This works well when you want the job to stay parameter-driven, but still keep credentials in a secret scope instead of the job definition.&lt;/P&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;For MongoDB using the Spark connector:&lt;/P&gt;
&lt;PRE class="_1ibi0s3d1" dir="auto"&gt;&lt;CODE class="language-python"&gt;mongo_uri = dbutils.secrets.get(scope="ext-sources", key="mongodb-uri")
database_name = dbutils.widgets.get("database_name")
collection_name = dbutils.widgets.get("collection_name")

df = (
    spark.read.format("mongodb")
    .option("connection.uri", mongo_uri)
    .option("database", database_name)
    .option("collection", collection_name)
    .load()
)
&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;For MongoDB, the connector-based approach is the better fit than trying to force everything through JDBC-style job parameters, especially since Databricks documents MongoDB as a third-party Spark connector use case.&lt;/P&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;For SQL Server using the bundled connector directly&lt;/P&gt;
&lt;PRE class="_1ibi0s3d1" dir="auto"&gt;&lt;CODE class="language-python"&gt;df = (
    spark.read.format("sqlserver")
    .option("host", dbutils.widgets.get("host"))
    .option("user", dbutils.secrets.get(scope="ext-sources", key="sqlserver-user"))
    .option("password", dbutils.secrets.get(scope="ext-sources", key="sqlserver-password"))
    .option("database", dbutils.widgets.get("database_name"))
    .option("query", dbutils.widgets.get("source_query"))
    .load()
)
&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P class="wnfdntt _1ibi0s3f5 _1ibi0s3ce _1ibi0s3ea"&gt;Databricks also documents this bundled-connector pattern for SQL Server. If you do this, the same principle applies.. as in...keep secrets in secret scopes, and use job parameters only for non-sensitive runtime inputs.&lt;/P&gt;
&lt;P class="p1"&gt;&lt;FONT size="2" color="#FF6600"&gt;&lt;STRONG&gt;&lt;I&gt;If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.&lt;/I&gt;&lt;/STRONG&gt;&lt;/FONT&gt;&lt;I&gt;&lt;/I&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jun 2026 10:53:11 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-engineering/how-to-store-credentials-in-databricks-and-assign-them-to-job/m-p/160083#M54856</guid>
      <dc:creator>Ashwin_DSA</dc:creator>
      <dc:date>2026-06-22T10:53:11Z</dc:date>
    </item>
    <item>
      <title>Re: How to store credentials in Databricks and assign them to job parameters</title>
      <link>https://community.databricks.com/t5/data-engineering/how-to-store-credentials-in-databricks-and-assign-them-to-job/m-p/160092#M54857</link>
      <description>&lt;P&gt;&lt;STRONG&gt;I'd think about this as a separation of concerns:&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;P&gt;&lt;STRONG&gt;Secrets&lt;/STRONG&gt; are for sensitive values (usernames, passwords, tokens, connection URIs).&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;&lt;STRONG&gt;Job parameters&lt;/STRONG&gt; are for runtime values (connection name, database, schema, table, query, collection, source system).&lt;/P&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;In most cases I would avoid passing credentials as job parameters entirely. Job parameters are designed for runtime configuration and can be overridden at execution time, so they shouldn't be treated as a secure credential store.&lt;/P&gt;&lt;P&gt;My usual recommendation would be:&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;SQL Server / PostgreSQL&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;P&gt;Store credentials in a Databricks Secret Scope.&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;If you're using Unity Catalog, consider a JDBC Unity Catalog Connection so the URL, driver, and credentials are managed centrally.&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;Pass only non-sensitive values (connection name, table, schema, query, etc.) as job parameters.&lt;/P&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;STRONG&gt;MongoDB&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;P&gt;Store the connection URI in a Secret Scope.&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;Pass database and collection names as job parameters.&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;Retrieve the secret at runtime with &lt;STRONG&gt;dbutils.secrets.get(...)&lt;/STRONG&gt;.&lt;/P&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;This gives you a clean pattern where credentials are managed once and jobs remain fully parameterized without exposing secrets in code, job definitions, or run configurations.&lt;/P&gt;&lt;P&gt;So the architecture becomes:&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Secret Scope / UC Connection&lt;/STRONG&gt; → credentials&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Job Parameters&lt;/STRONG&gt; → database, schema, table, query, collection, source system&lt;/P&gt;&lt;P&gt;That separation tends to scale much better as the number of sources and jobs grows.&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jun 2026 11:09:34 GMT</pubDate>
      <guid>https://community.databricks.com/t5/data-engineering/how-to-store-credentials-in-databricks-and-assign-them-to-job/m-p/160092#M54857</guid>
      <dc:creator>Yogasathyandrun</dc:creator>
      <dc:date>2026-06-22T11:09:34Z</dc:date>
    </item>
  </channel>
</rss>

