Security Consideration for OAUTH Secrets to use Service Principal to authenticate with Databricks
07-10-2024 05:06 PM
What are the security considerations we need to keep in mind when we want to use OAuth secrets with a service principal to access Azure Databricks, when identity federation is disabled and the workspace is not yet onboarded onto Unity Catalog?
Can we consider an OAuth secret similar to a Personal Access Token?
What is the time limit after which OAuth secrets expire?
How do we get new OAuth secrets?
Can we use Azure Key Vault to store the OAuth secrets?
What workflow do we use in OAuth for authentication? Do we use the implicit grant workflow in OAuth?
Do we store the secret in .databrickscfg?
Who has access to .databrickscfg?
How do we ensure that the OAuth secret is stored safely and encrypted using AES-256 or stronger encryption?
https://learn.microsoft.com/en-us/azure/databricks/dev-tools/auth/oauth-m2m
Regards,
VJ
07-15-2024 05:43 AM
Thank you @Retired_mod for the response. I do have follow-up questions.
- What kind of encryption is used to store the OAuth secret?
- Is there any way an OAuth secret can be generated by someone else who is not a manager of that SPN? We need this as part of segregation of duties.
- Can we use the OAuth secret for non-M2M authentication?
- What is the purpose of the .databrickscfg file? Can we avoid using it, as someone can store the secret in plain text?
- Can we create multiple OAuth secrets for a single SPN?
12-17-2024 05:21 AM - edited 12-17-2024 05:28 AM
Any updates on this?
Also struggling with the OAuth security considerations, specifically with updating the OAuth secrets.
Currently using an SP to access the Databricks workspace for DevOps purposes through the Databricks CLI.
I have the SP set up to renew its ClientSecret every 2 months and update it in Azure KV. I want to do something similar with the Databricks OAuth client secret. Right now I have it manually created and copy-pasted into Key Vault. But I want to periodically update the OAuth secret due to strict security requirements.
I see some methods on how to renew your own Databricks OAuth token. But I see no information on renewing the OAuth secret (programmatically), or on how to prevent storing the secret as plain text in the .databrickscfg file.
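The two recurring concerns in this thread (which grant the M2M flow uses, and how to keep the secret out of .databrickscfg) can be shown in a small script. This is an added example, not code from the thread or from Databricks: it reads the client ID and secret from environment variables that a pipeline populates from Key Vault, performs the documented client-credentials exchange against the workspace OIDC token endpoint, and includes an audit helper that flags profiles in a .databrickscfg-style file that embed a secret. The workspace host and config contents are constructed placeholders.

```python
# Added example: OAuth M2M token exchange for a Databricks service principal
# with the secret sourced from the environment (populated from Key Vault),
# plus an audit of .databrickscfg content for plaintext secrets. The exchange
# is the OAuth 2.0 client-credentials grant, not the implicit grant.
import base64
import configparser
import json
import os
import urllib.parse
import urllib.request

def credentials_from_env():
    """Variable names the Databricks CLI/SDK read; export them from Key Vault
    at job time instead of persisting a secret in a profile file."""
    return (os.environ["DATABRICKS_HOST"],
            os.environ["DATABRICKS_CLIENT_ID"],
            os.environ["DATABRICKS_CLIENT_SECRET"])

def build_token_request(host, client_id, client_secret):
    """Client-credentials grant against the workspace OIDC endpoint:
    POST https://<host>/oidc/v1/token with HTTP Basic auth (client_id:secret)."""
    host = host.removeprefix("https://").rstrip("/")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": "all-apis"}).encode()
    return urllib.request.Request(
        f"https://{host}/oidc/v1/token", data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})

def fetch_access_token(host, client_id, client_secret,
                       opener=urllib.request.urlopen):
    """Exchange the long-lived secret for a short-lived access token.
    `opener` is injectable so the exchange can be exercised offline."""
    with opener(build_token_request(host, client_id, client_secret)) as resp:
        payload = json.load(resp)
    return payload["access_token"], int(payload.get("expires_in", 0))

def profiles_with_plaintext_secrets(cfg_text):
    """Audit helper: list profiles in .databrickscfg-style text that embed a
    client_secret or token value in the file itself."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return sorted(name for name in parser.sections()
                  if "client_secret" in parser[name] or "token" in parser[name])

if __name__ == "__main__":
    token, ttl = fetch_access_token(*credentials_from_env())
    print(f"access token obtained, expires in {ttl}s")
```

The returned access token is what the CLI or SDK presents as a bearer token; only the short-lived token, never the client secret, needs to leave the pipeline's environment.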