cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Not able to connect to GCP Secret Manager except when using "No isolation shared" Cluster

yumnus
New Contributor III

โ€Ž01-28-2025 10:56 PM

Hey everyone,

Weโ€™re trying to access secrets stored in GCP Secret Manager using its Python package from Databricks on GCP. However, we can only reach the Secret Manager when using "No Isolation Shared" clusters, which is not an option for us. Currently, we havenโ€™t found any alternative solutions.

Has anyone encountered this issue or found a workaround?

The error message indicates that Googleโ€™s metadata server is unreachable.

Thanks in advance!

Best regards

0 Kudos
3 REPLIES 3

Alberto_Umana
Databricks Employee
Databricks Employee

โ€Ž01-29-2025 05:39 AM

Hello @yumnus,

Could you please share the full error trace? what is the package you are installing?

One suggestion, instead of relying on the metadata server, you can use a service account key file to authenticate with GCP Secret Manager. You can store the service account key as a Databricks secret and then use it in your code to authenticate. Hereโ€™s a general approach:

  • Create a service account in GCP and download the JSON key file.
  • Store the key file content as a secret in Databricks using the Databricks CLI or the Secrets API.
  • Use the secret in your code to authenticate with GCP Secret Manager.
0 Kudos

yumnus
New Contributor III
In response to Alberto_Umana

โ€Ž01-29-2025 06:28 AM

Hi Alberto,

When we use No Isolation Shared Clusters it works, else:

the error messages:

WARNING:google.auth.compute_engine._metadata:Compute Engine Metadata server unavailable on attempt 1 of 3. Reason: [Errno 111] Connection refused

WARNING:google.auth._default:No project ID could be determined. Consider running `gcloud config set project` or setting the GOOGLE_CLOUD_PROJECT environment variable

WARNING:google.auth.compute_engine._metadata:Compute Engine Metadata server unavailable on attempt 1 of 5. Reason: HTTPConnectionPool(host='metadata.google.internal', port=80): Max retries exceeded with url: /computeMetadata/v1/instance/service-accounts/default/?recursive=true (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7931121fe650>: Failed to establish a new connection: [Errno 111] Connection refused'))

google.auth.exceptions.TransportError: Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true from the Google Compute Engine metadata service. Compute Engine Metadata server unavailable

 

Thank you!

0 Kudos

yumnus
New Contributor III
In response to Alberto_Umana

โ€Ž01-29-2025 06:41 AM

Also the package google_cloud_secret_manager-2.22.0

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements