cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Can we use "Access Connector for Azure Databricks" to access Azure Key Vault?

Go to solution
grazie
Contributor

‎12-06-2022 06:24 AM

We have a scenario where ideally we'd like to use Managed Identities to access storage but also secrets. Per now we have a setup with service principals accessing secrets through secret scopes, but we foresee a situation where we may get many service principals and the corresponding maintenance burden.

Looking at https://learn.microsoft.com/en-us/azure/databricks/data-governance/unity-catalog/azure-managed-ident... it seems that Access Connectors would be a solution for the storage access part. But can we use "Access Connector for Azure Databricks" to access Azure Key Vault?

1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
grive
New Contributor III

‎12-09-2022 05:43 AM

I have unofficial word that this is not supported, and docs don't mention it. I have the feeling that even if I got it to work it should not be trusted for now.

View solution in original post

0 Kudos
5 REPLIES 5

Go to solution
Hubert-Dudek
Esteemed Contributor III

‎12-06-2022 06:38 AM

In what place exactly do you need to access key vault secrets?

Key vault can be integrated with databricks workspace under url

https://<YOUR_WORKSPACE>.azuredatabricks.net/#secrets/createScope

or via CLI/API

0 Kudos

Go to solution
grazie
Contributor

‎12-06-2022 07:17 AM

Thanks for your response 🙂

We need to access secrets from notebooks and other tasks running interactively or in workflows.

We're actually using Azure Key Vault-backed secret scopes now, but we rely on service principals to access the keyvault through secret scope. Secret scopes are problematic, e.g. because they can't be created in a fully automated way, and access control must be managed in Databricks Secret ACLs instead of using Key Vault access control (like Azure RBAC). Service principals come with a maintenance burden for IT who needs to rotate credentials at regular intervals.

We're looking for ways to avoid having to manage service principals, and use Managed Identities instead.

0 Kudos

Go to solution
_paskal_
New Contributor III
In response to grazie

‎12-08-2022 07:08 AM

Hi Grazie,

Did you manage to get this to work?

I am trying to do the same but no luck so far. I keep getting INVALID_STATE: Databricks could not access keyvault: https://xxxx.vault.azure.net/.

Although I openen all network and assigned all Key Vault related roles I keep getting this error so I am wondering if it is supported at all...

0 Kudos

Go to solution
grive
New Contributor III

‎12-09-2022 05:43 AM

I have unofficial word that this is not supported, and docs don't mention it. I have the feeling that even if I got it to work it should not be trusted for now.

0 Kudos

Go to solution
_paskal_
New Contributor III
In response to grive

‎12-11-2022 11:34 PM

Thanks for your response, Grive.

I ended up using the default Service principal for Databricks (AzureDatabricks).

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements