Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.

Creating an Azure-Keyvault-backed secret scope with terraform

VicS
New Contributor III

We want to create an Azure-Keyvault-backed secret scope with terraform - while we are able to do it via the UI with the URL https://adb-xxxxxxxx.x.azuredatabricks.net/?o=xxxxxxxxxxxxxx#secrets/createScope, I'm unable to do it with Terraform. 


resource "databricks_secret_scope" "this" {
  name = "my-keyvault-name"
  keyvault_metadata {
    resource_id = "/subscriptions/x/resourceGroups/x/providers/Microsoft.KeyVault/vaults/my-keyvault-name"
    dns_name    = "my-keyvault-name.vault.azure.net/"
  }
}


In case it's relevant: while running Terraform we authenticate with a browser pop-up with our Active Directory to authenticate against and deploy the Azure resources.


szymon_dybczak
Esteemed Contributor III

Could you share with us what error message you get?

VicS
New Contributor III

Sorry I forgot, of course - Terraform plan goes through without a problem, but during the apply phase, I get

│ Error: cannot create secret scope: Scope with Azure KeyVault must have userAADToken defined!
│
│   with databricks_secret_scope.this,
│   on main_secret_scope_and_keyvault_acl.tf line 15, in resource "databricks_secret_scope" "this":
│   15: resource "databricks_secret_scope" "this" {
│

I'm getting the same error message when trying to use the REST API as well and have tried about every combination I could think of to get the payload correct. I have tried AAD tokens for a user account, service principal, made those accounts full owners on the Key Vault, tried different names for the AAD Token with no success. Anyone out there get a working solution?


import requests

# databricks_instance, token, scopeName, keyVaultResourceId, keyVaultDnsName
# and aadToken are set by the caller before this snippet runs
url = f"{databricks_instance}/api/2.0/secrets/scopes/create"

headers = {
    "Authorization": f"Bearer {token}",
    "Content-Type": "application/json"
}

# Request body for an Azure Key Vault-backed scope
payload = {
    "scope": scopeName,
    "scope_backend_type": "AZURE_KEYVAULT",
    "backend_azure_keyvault": {
        "resource_id": keyVaultResourceId,
        "dns_name": keyVaultDnsName
    },
    "user_aad_token": aadToken
}

response = requests.post(url, headers=headers, json=payload)
 
{"error_code":"INVALID_PARAMETER_VALUE","message":"Scope with Azure KeyVault must have userAADToken defined!","details":[{"@type":"type.googleapis.com/google.rpc.RequestInfo","request_id":"de4c03b9-10c1-959b-95e8-dbeabb046fa1","serving_data":""}]}

ElijahFord
New Contributor II

I am having the same issue.