Databricks Community

VJ3 · ‎07-10-2024

What are the security consideration we need to keep in mind when we want to us OAUTH Secrets to use a Service Principal to access Azure Databricks when Identity federation is disabled and workspace is not yet on boarded on to Unity Catalog?

Can we consider OAUTH secret similar to Personal Access Token?

What is time limit when OAUTH secrets expires?

How do we get new OAUTH secrets?

Can we use Azure Key Vault to store the OAUTH secrets?

What is the workflow we use in OAUTH for authentication? Do we use Implicit grant workflow in OAUTH?

Do we store secret in .databrickscfg?

Who has access to .databrickscfg?

How do we ensure that OAUTH secret is stored safely and encrypted using AES256 and higher encryption?

https://learn.microsoft.com/en-us/azure/databricks/dev-tools/auth/oauth-m2m

Regards,

VJ

VJ3 · ‎07-15-2024

Thank you @Retired_mod for the response. I do have follow up questions.

- What kind of encryption is used to store OAUTH secret?

- Is there any way OAUTH can be generated by someone else who is not a manager of that SPN? We need this as a part of segregation of duty

- Can we use OAUTH secret for non M2M authentication?

- What is the purpose of .databrickscfg file? Can we avoid using it as someone can store Secret in plain text?

- Can we create multiple OAUTH Secret for single SPN?

Databricks Community

Security Consideration for OAUTH Secrets to use Service Principal to authenticate with Databricks

Connect with Databricks Users in Your Area

What’s New With Databricks Assistant?

Databricks Community Champion - October 2024 - Filip Niziol

Become Our Next Monthly Community Champion!

Introducing Simple, Fast, and Scalable Batch LLM Inference on Mosaic AI Model Serving

Databricks Migration Strategy: Lessons Learned