Administration & Architecture

When setting up unity catalog a storage account was created with security risk

howardgagan
New Contributor

When I set up Databricks Unity Catalog, I think it automatically set up a storage account. I'm getting recommendations from Azure that this storage account has high risk associated with it.

The problem is this resource has a deny assignment on it preventing me from making any changes. Is this something that is added at creation by Databricks? If so, should the high risk level recommendation be ignored?

Has anyone dealt with this situation? What are the best steps to take here?

2 REPLIES

nayan_wylde
Honored Contributor III

It is a recommendation. Azure advises not to use SAS keys to connect to the storage. The recommendation is to use a Managed Identity or SPN to access the storage, with the SPN keys kept in Key Vault. But with UC the connection is made using the Azure Databricks storage connector, which is similar to a managed identity.

szymon_dybczak
Esteemed Contributor III

Hi @howardgagan ,

Each Azure Databricks workspace has an associated Azure storage account in a managed resource group known as the workspace storage account.
This storage account includes workspace system data (job output, system settings, and logs), DBFS root etc.

The good news is that you don't need to, and in fact shouldn't, store your data on that managed storage account. The recommendation is to use Unity Catalog with your own storage account (and there you have full control over how to configure it).

You can try to improve your security risk score by enabling firewall support for this workspace storage account. You can read how to do this at the link below:

Enable firewall support for your workspace storage account - Azure Databricks | Microsoft Learn

In the case of preventing shared access key support, you need to ignore this risk assessment, because you can't change any setting within the managed resource group.
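The two replies above draw a line between risks you can fix (on the storage account you bring to Unity Catalog yourself) and risks you have to accept or handle through the Databricks firewall procedure (on the workspace-managed account behind a deny assignment). The following is an added example, not code from the thread or from Databricks, that makes that triage explicit: it takes `az storage account show`-style JSON and sorts each flagged setting into "fix", "follow-docs" or "accept". The account names, resource-group names and the `MANAGED_RESOURCE_GROUPS` list are constructed for the example; the `az storage account update` flags are real CLI options, but run the emitted commands only after the network rules for your workspace are in place, otherwise `--default-action Deny` cuts the workspace off.

```python
"""Triage Azure storage-account security findings for a Databricks / Unity Catalog setup.

Added example (not from the thread). Input is a list of dicts shaped like the
output of `az storage account show`; the values below are constructed samples.
"""
import json

# Constructed sample: two accounts with the same risky settings, one in a
# Databricks-managed resource group, one owned by the data platform team.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "dbstorageexample123", "resourceGroup": "databricks-rg-example-managed",
   "allowSharedKeyAccess": true, "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow"}},
  {"name": "ucdataexample", "resourceGroup": "rg-data-platform",
   "allowSharedKeyAccess": true, "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow"}}
]
""")

# Assumption: the operator lists the resource groups that Azure Databricks
# created for workspaces (the ones carrying the deny assignment).
MANAGED_RESOURCE_GROUPS = {"databricks-rg-example-managed"}


def find_risks(account):
    """Return the risky settings a Defender-style recommendation would flag."""
    risks = []
    if account.get("allowSharedKeyAccess", True):        # null means enabled
        risks.append("shared-key-access")
    if account.get("networkRuleSet", {}).get("defaultAction") != "Deny":
        risks.append("network-default-allow")
    if account.get("publicNetworkAccess") == "Enabled":
        risks.append("public-network-access")
    return risks


def triage(account, managed_rgs=MANAGED_RESOURCE_GROUPS):
    """Map each risk to (action, detail).

    fix         -> your own UC storage account; detail is the az CLI command
    follow-docs -> workspace storage account; firewall is enabled via the
                   Databricks procedure, not by editing the account directly
    accept      -> workspace storage account; the deny assignment blocks the
                   change, so the recommendation is noise for this resource
    """
    name, rg = account["name"], account["resourceGroup"]
    managed = rg in managed_rgs
    base = f"az storage account update -n {name} -g {rg}"
    result = {}
    for risk in find_risks(account):
        if managed:
            if risk == "shared-key-access":
                result[risk] = ("accept", "deny assignment in managed RG; cannot disable")
            else:
                result[risk] = ("follow-docs", "enable firewall support via Databricks docs")
        elif risk == "shared-key-access":
            # UC's access connector authenticates with a managed identity,
            # so the account does not need shared-key access at all.
            result[risk] = ("fix", f"{base} --allow-shared-key-access false")
        elif risk == "network-default-allow":
            result[risk] = ("fix", f"{base} --default-action Deny  # add workspace network rules first")
        else:  # public-network-access
            result[risk] = ("fix", f"{base} --public-network-access Disabled  # needs private endpoint")
    return result


def report(accounts):
    """Human-readable summary, one line per (account, risk)."""
    lines = []
    for acct in accounts:
        for risk, (action, detail) in triage(acct).items():
            lines.append(f"{acct['name']:<22} {risk:<22} {action:<12} {detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ACCOUNTS)))
```

Reading the output for the constructed sample: the managed account's shared-key finding is marked `accept` and its network findings `follow-docs`, matching the advice in the replies, while every finding on the owned account gets a concrete `fix` command.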
