Can we use "Access Connector for Azure Databricks" to access Azure Key Vault?

grazie
Contributor

We have a scenario where ideally we'd like to use Managed Identities to access storage but also secrets. Per now we have a setup with service principals accessing secrets through secret scopes, but we foresee a situation where we may get many service principals and the corresponding maintenance burden.

Looking at https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/azure-managed-ident... it seems that Access Connectors would be a solution for the storage access part. But can we use "Access Connector for Azure Databricks" to access Azure Key Vault?


5 REPLIES

Hubert-Dudek
Esteemed Contributor III

In what place exactly do you need to access key vault secrets?

Key Vault can be integrated with a Databricks workspace under the URL

https://<YOUR_WORKSPACE>.azuredatabricks.net/#secrets/createScope

or via the CLI/API.
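An added example (not code from any poster in this thread) of the API route mentioned above: it builds the request for an Azure Key Vault-backed secret scope, sends it to the Databricks Secrets API, and classifies the response so that the "INVALID_STATE: Databricks could not access keyvault" failure quoted later in the thread is recognised rather than swallowed. The workspace URL, Key Vault resource id and DNS name are constructed placeholders, and the bearer token is assumed to be an Azure AD token for the user creating the scope.

```python
import json
import urllib.error
import urllib.request

# Databricks Secrets API 2.0 endpoint for creating a scope.
CREATE_SCOPE_PATH = "/api/2.0/secrets/scopes/create"


def build_keyvault_scope_request(scope_name, keyvault_resource_id, keyvault_dns_name):
    """Payload for a Key Vault-backed scope: ARM resource id plus vault DNS name."""
    return {
        "scope": scope_name,
        "scope_backend_type": "AZURE_KEYVAULT",
        "backend_azure_keyvault": {
            "resource_id": keyvault_resource_id,
            "dns_name": keyvault_dns_name,
        },
    }


def classify_create_response(status, body):
    """Map HTTP status + JSON error body to (outcome, detail).

    INVALID_STATE / "could not access keyvault" means the workspace could not
    reach or authenticate to the vault (network rules, roles, identity).
    """
    if status == 200:
        return ("created", "")
    try:
        err = json.loads(body) if body else {}
    except ValueError:  # non-JSON body, e.g. a gateway error page
        err = {}
    code = err.get("error_code", "")
    message = err.get("message", body)
    if code == "RESOURCE_ALREADY_EXISTS":
        return ("exists", message)
    if code == "INVALID_STATE" and "could not access keyvault" in message.lower():
        return ("keyvault_unreachable", message)
    return ("error", f"{code}: {message}" if code else message)


def create_keyvault_scope(workspace_url, aad_token, payload):
    """POST the payload; aad_token is assumed to be an Azure AD user token."""
    req = urllib.request.Request(
        workspace_url.rstrip("/") + CREATE_SCOPE_PATH,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {aad_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return classify_create_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return classify_create_response(exc.code, exc.read().decode("utf-8"))
```

A "keyvault_unreachable" outcome is the point to check the vault's network rules and the role assignment on the identity Databricks uses, before retrying.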

grazie
Contributor

Thanks for your response 🙂

We need to access secrets from notebooks and other tasks running interactively or in workflows.

We're actually using Azure Key Vault-backed secret scopes now, but we rely on service principals to access the Key Vault through the secret scope. Secret scopes are problematic, e.g. because they can't be created in a fully automated way, and access control must be managed in Databricks Secret ACLs instead of using Key Vault access control (like Azure RBAC). Service principals come with a maintenance burden for IT, which needs to rotate credentials at regular intervals.

We're looking for ways to avoid having to manage service principals, and use Managed Identities instead.

_paskal_
New Contributor II

Hi Grazie,

Did you manage to get this to work?

I am trying to do the same but no luck so far. I keep getting INVALID_STATE: Databricks could not access keyvault: https://xxxx.vault.azure.net/.

Although I opened all networks and assigned all Key Vault-related roles, I keep getting this error, so I am wondering if it is supported at all...

grive
New Contributor III (accepted solution)

I have unofficial word that this is not supported, and docs don't mention it. I have the feeling that even if I got it to work it should not be trusted for now.

_paskal_
New Contributor II

Thanks for your response, Grive.

I ended up using the default service principal for Databricks (AzureDatabricks).
