topic Re: Total isolation of credentials in Data Governance

Total isolation of credentials

ChechuIGZ — Thu, 09 May 2024 08:44:36 GMT

Hi!

Recently we encountered a problem with how Databricks handles secrets that does not meet our compliance.
We need total isolation of users credentials but seems like the admin role in databricks totally breaks that since a person with that role can access all secrets.

Is there a way for the users to have credentials in databricks, let's say for simplification, user and password in a way that is only accessible by the user?

Re: Total isolation of credentials

ChechuIGZ — Thu, 09 May 2024 09:06:34 GMT

Let me put an example to make it more clear.

We have a user, let's say Bob Rando, and he wants to store user and password in databricks secrets in order to use them later on the notebooks.
Using the CLI Bob does the following:

databricks secrets create-scope bob-rando-creds
databricks secrets put-secret --json '{"scope": "bob-rando-creds", "key": "username", "string_value": "bobRando"}'
databricks secrets put-secret --json '{"scope": "bob-rando-creds", "key": "password", "string_value": "b0bR4ndoS3cretP4ssword"}'
The he goes to the Notebooks and can access those secrets via dbutils.secrets.get method.

So far so good. The problem here is that we want complete isolation from those secrets, meaning that only the persons Bob has given access to can see tose secrets. Including the admins.
Following the example and admin can use dbutils.secrets.get to access Bob's secrets as well.

Re: Total isolation of credentials

dkushari — Wed, 22 May 2024 23:44:03 GMT

Hi @ChechuIGZ - The value of the secret is redacted. https://docs.databricks.com/en/security/secrets/redaction.html#secret-redaction.

Also remember the following -