cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Data Engineering
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

"SparkSecurityException: Cannot read sensitive key" error when reading key from Spark config

Go to solution
Cassio
New Contributor II

‎02-21-2022 11:38 AM

In Databricks 10.1 it is possible to define in the "Spark Config" of the cluster something like:

spark.fernet {{secrets/myscope/encryption-key}} . In my case my scopes are tied to Azure Key Vault.

With that I can make a query as follows:

%sql
 
SELECT default.udfDecrypt('my encrypted data', "${spark.fernet}") );

However starting from Databricks version 10.2 I get the following message "Error in SQL statement: SparkSecurityException: Cannot read sensitive key 'spark.fernet' from secure provider"

I've already looked in the Databricks 10.2 change log for something that could have caused this, but I couldn't find it.

Has this functionality been completely removed or can I enable this configuration reading?

Labels:
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Ravi
Valued Contributor
Valued Contributor

‎02-21-2022 10:23 PM

@Cassio Eskelsen​  Using secret in select query with $ syntax is now blocked due to security reasons in the new DBRs(10.2+) and we will soon block it in all supported DBRs with future releases. This is the reason why we are getting the error in DBR 10.2 but not on previous DBR versions.

You can add the following Spark configuration to your cluster setting and it will disable the validation that has been added to new DBRs. This has to be added at the cluster level.

  • spark.databricks.secureVariableSubstitute.enabled false

View solution in original post

4 REPLIES 4

Go to solution
Ravi
Valued Contributor
Valued Contributor

‎02-21-2022 10:23 PM

@Cassio Eskelsen​  Using secret in select query with $ syntax is now blocked due to security reasons in the new DBRs(10.2+) and we will soon block it in all supported DBRs with future releases. This is the reason why we are getting the error in DBR 10.2 but not on previous DBR versions.

You can add the following Spark configuration to your cluster setting and it will disable the validation that has been added to new DBRs. This has to be added at the cluster level.

  • spark.databricks.secureVariableSubstitute.enabled false

Go to solution
Cassio
New Contributor II
In response to Ravi

‎02-22-2022 03:32 AM

Thanks, Ravi! That's solved my problem!😍

0 Kudos

Go to solution
Anonymous
Not applicable
In response to Cassio

‎02-22-2022 01:52 PM

Thanks for selecting the best answer @Cassio Eskelsen​ ! It's super helpful and lets us know you got what you needed! 🙌🏻

0 Kudos

Go to solution
Soma
Valued Contributor

‎07-15-2022 01:30 AM

This solution exposes the entire secret if I use

commands like below

sql("""explain select upper("${spark.fernet.email}") as data """).display()

Please dont use this

0 Kudos
Announcements
Welcome to Databricks Community: Lets learn, network and celebrate together

Join our fast-growing data practitioner and expert community of 80K+ members, ready to discover, help and collaborate together while making meaningful connections. 

Click here to register and join today! 

Engage in exciting technical discussions, join a group with your peers and meet our Featured Members.