Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.

Security Considerations for OAuth Secrets when using a Service Principal to authenticate with Databricks

VJ3
Contributor

What are the security considerations we need to keep in mind when we want to use OAuth secrets with a Service Principal to access Azure Databricks when identity federation is disabled and the workspace is not yet onboarded to Unity Catalog?

Can we consider an OAuth secret similar to a Personal Access Token?

What is the time limit before OAuth secrets expire?

How do we get new OAuth secrets?

Can we use Azure Key Vault to store the OAuth secrets?

What workflow do we use in OAuth for authentication? Do we use the implicit grant workflow in OAuth?

Do we store the secret in .databrickscfg?

Who has access to .databrickscfg?

How do we ensure that the OAuth secret is stored safely and encrypted using AES-256 or stronger encryption?

https://learn.microsoft.com/en-us/azure/databricks/dev-tools/auth/oauth-m2m

Regards,

VJ

2 REPLIES

VJ3
Contributor

Thank you @Retired_mod for the response. I do have follow-up questions.

- What kind of encryption is used to store the OAuth secret?

- Is there any way the OAuth secret can be generated by someone else who is not a manager of that SPN? We need this as part of segregation of duties.

- Can we use the OAuth secret for non-M2M authentication?

- What is the purpose of the .databrickscfg file? Can we avoid using it, since someone can store the secret in plain text?

- Can we create multiple OAuth secrets for a single SPN?

Rob_Lemmens
New Contributor II

Any updates on this?

Also struggling with the OAuth security considerations, specifically with updating the OAuth secrets.

Currently using an SP to access the Databricks workspace for DevOps purposes through the Databricks CLI.

I have the SP set up to renew its ClientSecret every 2 months and update it in Azure KV. I want to do something similar with the Databricks OAuth client secret. Now I have it manually created and copy-pasted into Key Vault. But I want to periodically update the OAuth secret due to strict security requirements.

I see some methods on how to renew your own Databricks OAuth token. But I see no information on renewing the OAuth secret (programmatically), or on how to prevent storing the secret as plain text in the .databrickscfg file.
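The two concerns raised in this thread that a script can actually address are keeping the OAuth secret out of a plaintext `.databrickscfg` and using it only at run time, fetched from a vault. The example below is added here and is not code from the thread or from Databricks: it assembles the client-credentials (machine-to-machine) token request that the oauth-m2m page linked above documents (`/oidc/v1/token`, scope `all-apis`), takes the secret from an injected lookup (for Azure Key Vault that would be a closure around `azure.keyvault.secrets.SecretClient.get_secret(...).value`) and an injected HTTP POST (for example `requests.post`), and audits a `.databrickscfg` for plaintext `client_secret`/`token` entries and loose file permissions. The workspace URL, client ID, secret and token values are constructed placeholders; `fake_post` stands in for a real HTTP call so the script runs offline.

```python
"""Just-in-time OAuth M2M token exchange plus a .databrickscfg audit.

Added example, not from the thread. Assumes the Databricks OAuth M2M token
endpoint at <workspace>/oidc/v1/token with scope "all-apis" (as documented
on the oauth-m2m page); all sample values below are constructed placeholders.
"""
import base64
import configparser
import os
import stat
from typing import Callable, Dict, List, Tuple

TOKEN_PATH = "/oidc/v1/token"   # Databricks OAuth M2M token endpoint
SCOPE = "all-apis"              # scope used for the client-credentials grant


def build_token_request(workspace_url: str, client_id: str,
                        client_secret: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Assemble the client-credentials grant request.

    The secret goes only into the HTTP Basic header of this one request; it is
    never written to a config file or to disk.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    url = workspace_url.rstrip("/") + TOKEN_PATH
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {"grant_type": "client_credentials", "scope": SCOPE}
    return url, headers, body


def get_access_token(workspace_url: str, client_id: str,
                     secret_lookup: Callable[[], str],
                     post: Callable[[str, Dict[str, str], Dict[str, str]], Dict[str, str]]) -> str:
    """Fetch the secret from the vault at call time and exchange it for a short-lived access token.

    secret_lookup: callable returning the current secret (e.g. from Azure Key Vault);
    post:          HTTP POST function (url, headers, form_body) -> parsed JSON body.
    Rotating the secret in the vault therefore needs no change on the client side.
    """
    url, headers, body = build_token_request(workspace_url, client_id, secret_lookup())
    return post(url, headers, body)["access_token"]


def audit_profile_text(cfg_text: str, mode: int) -> List[str]:
    """Report plaintext credentials and loose permissions for .databrickscfg-style INI text."""
    findings: List[str] = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {oct(mode)} allows group/other access; expected 0o600")
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    for section in cfg.sections():
        for key in ("client_secret", "token"):
            if cfg.has_option(section, key) and cfg.get(section, key).strip():
                findings.append(f"profile [{section}] stores '{key}' in plaintext; "
                                "supply it via DATABRICKS_CLIENT_SECRET from a vault at run time instead")
    return findings


def audit_databrickscfg(path: str = os.path.expanduser("~/.databrickscfg")) -> List[str]:
    """Audit a real .databrickscfg on disk (text content plus POSIX mode bits)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_profile_text(text, stat.S_IMODE(os.stat(path).st_mode))


# Constructed sample config: placeholder workspace URL, client ID and secret.
SAMPLE_CFG = """\
[DEFAULT]
host = https://adb-0000000000000000.0.azuredatabricks.net

[devops]
host = https://adb-0000000000000000.0.azuredatabricks.net
client_id = 00000000-0000-0000-0000-000000000000
client_secret = placeholder-secret-that-should-not-be-here
"""


def fake_post(url: str, headers: Dict[str, str], body: Dict[str, str]) -> Dict[str, str]:
    """Offline stand-in for requests.post(...).json(); returns a constructed token."""
    assert url.endswith(TOKEN_PATH) and headers["Authorization"].startswith("Basic ")
    assert body == {"grant_type": "client_credentials", "scope": SCOPE}
    return {"access_token": "constructed-demo-token", "token_type": "Bearer", "expires_in": "3600"}


if __name__ == "__main__":
    token = get_access_token("https://adb-0000000000000000.0.azuredatabricks.net",
                             "00000000-0000-0000-0000-000000000000",
                             lambda: "placeholder-secret-from-vault", fake_post)
    print("access token:", token)
    for finding in audit_profile_text(SAMPLE_CFG, 0o644):
        print("finding:", finding)
```

In a pipeline the `secret_lookup` would read the vault entry that your rotation job already updates, and the `.databrickscfg` profile would carry only `host` and `client_id`, with the secret arriving through `DATABRICKS_CLIENT_SECRET` in the job's environment.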
