Data Engineering

Azure RBAC Support for Secret Scopes

RohanIyer
New Contributor II

Hi there!

I am using multiple Azure Key Vaults within our Azure Databricks workspaces, and we have set up secret scopes that are backed by these Key Vaults. Azure provides two authentication methods for accessing Key Vaults:

Access Policies, which is considered a legacy option.

Role-Based Access Control (RBAC), which is the modern, standardized approach across all Azure services.

Currently, Databricks secret scopes can only be configured with Access Policies. Given Azure's shift toward RBAC as the preferred method, is there any plan to support RBAC for managing secret scopes in the future?

1 ACCEPTED SOLUTION


WiliamRosa
Contributor

Actually, RBAC is supported for authentication for the secret scopes.

The thing is, when you set up the secret scope, Databricks automatically assigns permissions through access policies. With RBAC, you'll need to grant the role on your own.

As a test:

1. I've created an Azure Key Vault with "Azure role-based access control" as the permission model.
2. Navigated to https://<databricks-instance>#secrets/createScope and created a secret scope.
3. In the Azure Key Vault IAM blade, added Key Vault Secrets User to the AzureDatabricks (fa5c679a-c02e-4f33-a397-7419315171b3) application.
4. Created a test secret and tried to access it from a notebook. Tada, it works.

View in original post:
https://community.databricks.com/t5/administration-architecture/secret-scope-with-azure-rbac/m-p/871...

Wiliam Rosa
Data Engineer | Machine Learning Engineer
LinkedIn: linkedin.com/in/wiliamrosa

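The four steps from the accepted answer, scripted as an added example that is not part of the original post and not Databricks' or Microsoft's own tooling. It uses the Azure CLI for the vault and the role assignment and the Databricks Secrets REST API (POST /api/2.0/secrets/scopes/create) for the scope, which takes the same DNS name and resource ID as the #secrets/createScope form. Everything not in the thread is an assumption: the resource names are placeholders, `az` is assumed to be logged in with rights to create the vault and assign roles on it, DATABRICKS_HOST is the workspace URL, and DATABRICKS_TOKEN is assumed to hold a Microsoft Entra ID user token, since Databricks' documentation states that Key Vault-backed scopes cannot be created with a personal access token. Setting DRY_RUN=1 prints each command instead of running it, so the script can be reviewed offline.

```shell
#!/bin/sh
# Added example (not from the original thread): Key Vault with the RBAC
# permission model wired to a Databricks secret scope.
#   1. create a vault with Azure RBAC authorization (access policies ignored),
#   2. create the Key Vault-backed secret scope via the Secrets API,
#   3. grant "Key Vault Secrets User" on that vault to the AzureDatabricks app,
#   4. list the assignment before testing with dbutils.secrets.get in a notebook.
# Assumptions: placeholder names below, 'az' logged in, DATABRICKS_HOST set,
# DATABRICKS_TOKEN holding an Entra ID user token. DRY_RUN=1 only prints.
set -eu

# Application (client) ID of the AzureDatabricks first-party service principal,
# quoted from the reply above; it is the same value in every tenant.
AZURE_DATABRICKS_APP_ID="fa5c679a-c02e-4f33-a397-7419315171b3"

# Least-privilege role for this job: read secret values only. It grants nothing
# on keys or certificates and cannot change the vault's access control.
KV_SECRETS_ROLE="Key Vault Secrets User"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Never echo the bearer token in dry-run output.
auth_header() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf 'Authorization: Bearer <redacted>\n'
    else printf 'Authorization: Bearer %s\n' "$DATABRICKS_TOKEN"; fi
}

# ARM resource ID and DNS name of a vault, derived from its names so no lookup
# call is needed. Args: subscription id, resource group, vault name.
vault_resource_id() {
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s\n' "$1" "$2" "$3"
}
vault_dns_name() { printf 'https://%s.vault.azure.net/\n' "$1"; }

# Step 1: with --enable-rbac-authorization true, Key Vault ignores access
# policies entirely, so the role assignment in step 3 is what grants access.
# Args: resource group, vault name, location.
create_rbac_key_vault() {
    run az keyvault create --resource-group "$1" --name "$2" --location "$3" \
        --enable-rbac-authorization true
}

# Step 2: create the scope. scope_backend_type must be AZURE_KEYVAULT and the
# resource_id ties the scope to exactly one vault. Args: scope, vault id, dns.
create_keyvault_scope() {
    body=$(printf '{"scope":"%s","scope_backend_type":"AZURE_KEYVAULT","backend_azure_keyvault":{"resource_id":"%s","dns_name":"%s"}}' "$1" "$2" "$3")
    run curl -sS --fail -X POST "${DATABRICKS_HOST:?set DATABRICKS_HOST}/api/2.0/secrets/scopes/create" \
        -H "$(auth_header)" -H "Content-Type: application/json" -d "$body"
}

# Step 3: the part Databricks does not do for an RBAC vault. The assignment is
# scoped to the single vault, not the resource group or subscription.
# Arg: vault resource id.
grant_databricks_secret_reader() {
    run az role assignment create --role "$KV_SECRETS_ROLE" \
        --assignee "$AZURE_DATABRICKS_APP_ID" --scope "$1"
}

# Step 4: confirm which roles the AzureDatabricks principal holds on the vault
# (expect only "Key Vault Secrets User"). Arg: vault resource id.
verify_databricks_secret_reader() {
    run az role assignment list --scope "$1" \
        --assignee "$AZURE_DATABRICKS_APP_ID" --query "[].roleDefinitionName" -o tsv
}

main() {
    sub="${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID}"
    rg="${RESOURCE_GROUP:-rg-dbx-demo}"; vault="${KEY_VAULT_NAME:-kv-dbx-demo}"
    loc="${LOCATION:-westeurope}"; scope="${SCOPE_NAME:-kv-scope}"
    vault_id=$(vault_resource_id "$sub" "$rg" "$vault")
    create_rbac_key_vault "$rg" "$vault" "$loc"
    create_keyvault_scope "$scope" "$vault_id" "$(vault_dns_name "$vault")"
    grant_databricks_secret_reader "$vault_id"
    verify_databricks_secret_reader "$vault_id"
}

# Only act when invoked as `sh setup-rbac-scope.sh run`, so the functions can
# be sourced or dry-run without touching Azure.
case "${1:-}" in run) main ;; esac
```

After `main` completes, the notebook-side check is `dbutils.secrets.get(scope="kv-scope", key="<secret name>")`. Two caveats worth keeping in mind: the role grants the AzureDatabricks principal read access to every secret in that vault, so use one vault per trust boundary rather than one vault for everything; and the Azure role says nothing about which workspace users may read the scope, which is still governed by the Databricks secret ACLs on the scope (MANAGE/WRITE/READ), so lock those down separately.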
