cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

I/F security about using medallion architecture

Go to solution
ShanQiwei
New Contributor II

ā€Ž11-17-2025 08:56 PM

Iā€™m new to writing requirement definitions, and Iā€™d like to ask a question about interface (I/F) security.

My question is:
Do I need to define the authentication and security mechanisms (such as OAuth2, Managed Identity, Service Principals, etc.) between the systems shown below? Or do I also need to define security between the bronze, silver, and gold layers within the lakehouse?

Our data pipeline is:
VPC on AWS (client system) ā†’ S3 ā†’ Lakehouse (bronze ā†’ silver ā†’ gold) ā†’ Serverless compute

0 Kudos
2 ACCEPTED SOLUTIONS

Accepted Solutions

Go to solution
ManojkMohan
Honored Contributor II

ā€Ž11-18-2025 02:40 AM

@ShanQiwei 

Interface or LayerShould You Define Security?Typical MechanismsReference Links
VPC ā†’ S3YesIAM roles, service accounts, credentials, policieshttps://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
S3 ā†’ LakehouseYesService principals, managed identities, access keyshttps://docs.databricks.com/security/access-control/service-principals.html
Lakehouse Bronze ā†’ Silver ā†’ GoldSometimes (Context-Driven)Platform roles, catalog permissions, ACLs, data maskinghttps://docs.databricks.com/data-governance/unity-catalog/index.html
Lakehouse ā†’ Serverless ComputeYesManaged identities, OAuth2, tokens, ACLshttps://learn.microsoft.com/en-us/azure/architecture/serverless/security-serverless-applications

View solution in original post

Go to solution
Coffee77
Contributor III

ā€Ž11-18-2025 02:53 AM

I'll try to summarize and go directly to the key points as I see this:

- Client to S3 šŸ‘‰ SAS Token or OAUTH 2.0 with Service to Service authentication (preferred)

- Databricks to S3 šŸ‘‰ Use Service Principal or Managed Identities (preferred)

- Bronze/Silver/Gold šŸ‘‰ Create different catalogs per layer or different schemas/databases per catalog to place bronze, silver and gold layers. All of them under Unity Catalog governance. Then, you can set proper permissions for users, groups or service principals depending on layer they should be allowed to interact with.

- Serverless cluster šŸ‘‰ You can set in "permissions" who can access and how. Establish as needed.


Lifelong Solution Architect Learner | Coffee & Data

View solution in original post

2 REPLIES 2

Go to solution
ManojkMohan
Honored Contributor II

ā€Ž11-18-2025 02:40 AM

@ShanQiwei 

Interface or LayerShould You Define Security?Typical MechanismsReference Links
VPC ā†’ S3YesIAM roles, service accounts, credentials, policieshttps://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
S3 ā†’ LakehouseYesService principals, managed identities, access keyshttps://docs.databricks.com/security/access-control/service-principals.html
Lakehouse Bronze ā†’ Silver ā†’ GoldSometimes (Context-Driven)Platform roles, catalog permissions, ACLs, data maskinghttps://docs.databricks.com/data-governance/unity-catalog/index.html
Lakehouse ā†’ Serverless ComputeYesManaged identities, OAuth2, tokens, ACLshttps://learn.microsoft.com/en-us/azure/architecture/serverless/security-serverless-applications

Go to solution
Coffee77
Contributor III

ā€Ž11-18-2025 02:53 AM

I'll try to summarize and go directly to the key points as I see this:

- Client to S3 šŸ‘‰ SAS Token or OAUTH 2.0 with Service to Service authentication (preferred)

- Databricks to S3 šŸ‘‰ Use Service Principal or Managed Identities (preferred)

- Bronze/Silver/Gold šŸ‘‰ Create different catalogs per layer or different schemas/databases per catalog to place bronze, silver and gold layers. All of them under Unity Catalog governance. Then, you can set proper permissions for users, groups or service principals depending on layer they should be allowed to interact with.

- Serverless cluster šŸ‘‰ You can set in "permissions" who can access and how. Establish as needed.


Lifelong Solution Architect Learner | Coffee & Data
Announcements