cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Creating an Azure-Keyvault-backed secret scope with terraform

VicS
Contributor

โ€Ž11-14-2024 05:08 AM

We want to create an Azure-Keyvault-backed secret scope with terraform - while we are able to do it via the UI with the URL https://adb-xxxxxxxx.x.azuredatabricks.net/?o=xxxxxxxxxxxxxx#secrets/createScope, I'm unable to do it with Terraform. 

 

resource "databricks_secret_scope" "this" {
  name = "my-keyvault-name"
  keyvault_metadata {
    resource_id = "/subscriptions/x/resourceGroups/x/providers/Microsoft.KeyVault/vaults/my-keyvault-name"
    dns_name    = "my-keyvault-name.vault.azure.net/"
  }
}

 

In case it's relevant: while running Terraform we authenticate with a browser-pop up with our ActiveDirectory to authenticate against and deploy the Azure ressources. 

0 Kudos
5 REPLIES 5

szymon_dybczak
Esteemed Contributor III

โ€Ž11-14-2024 05:55 AM

Could you share with us what error message you get?

VicS
Contributor
In response to szymon_dybczak

โ€Ž11-14-2024 06:22 AM

Sorry I forgot, of course - Terraform plan goes through without a problem, but during the apply phase, I get

โ”‚ Error: cannot create secret scope: Scope with Azure KeyVault must have userAADToken defined!
โ”‚
โ”‚   with databricks_secret_scope.this,
โ”‚   on main_secret_scope_and_keyvault_acl.tf line 15, in resource "databricks_secret_scope" "this":
โ”‚   15: resource "databricks_secret_scope" "this" {
โ”‚
0 Kudos

JamesMrukHughes
New Contributor II
In response to VicS

โ€Ž04-15-2025 03:50 AM - edited โ€Ž04-15-2025 03:51 AM

I'm getting the same error message when trying to use the REST API as well and have tried about every combination I could think of to get the payload correct.  I have tried AAD tokens for a user account, service principal, made those accounts full owners on the Key Vault, tried different names for the AAD Token with no success.  Anyone out there, get a working solution?

 

url = f"{databricks_instance}/api/2.0/secrets/scopes/create"

headers = {
    "Authorization": f"Bearer {token}",
    "Content-Type": "application/json"
}

payload = {
    "scope": scopeName,
    "scope_backend_type": "AZURE_KEYVAULT",
    "backend_azure_keyvault": {
        "resource_id": keyVaultResourceId,
        "dns_name": keyVaultDnsName
    },
    "user_aad_token": aadToken
}

response = requests.post(url, headers=headers, json=payload)
 
{"error_code":"INVALID_PARAMETER_VALUE","message":"Scope with Azure KeyVault must have userAADToken defined!","details":[{"@type":"type.googleapis.com/google.rpc.RequestInfo","request_id":"de4c03b9-10c1-959b-95e8-dbeabb046fa1","serving_data":""}]}
0 Kudos

ElijahFord
New Contributor II

โ€Ž04-15-2025 06:37 AM

I am having the same issue.

I am waiting for your reply and till then I will visit https://paperap.com/art-essay-writing-help/ here because I need art essay writing help and over there I found someone who will help me.
0 Kudos

J-Bradlee
New Contributor II

โ€Ž05-21-2025 11:43 PM

I am also having the same issue. I am deploying the Azure backed secrets across 3 different workspaces in my TF deployment. Strangley enough it works for 2/3 of my deployments but then I get the same error: 

Scope with Azure KeyVault must have userAADToken defined!

Screenshot 2025-05-22 at 4.38.22โ€ฏpm.png

โ€ƒ

  

0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local communityโ€”sign up today to get started!

Sign Up Now
Announcements