Databricks Community

jar · Tuesday

Hi.

I want to restrict access to secrets to a security group, as the secrets can be used to retrieve sensitive data only a few people should see. Up until now, we have been using KV-backed secret scopes, but as it's sufficient that Databricks has the (get, list) ACLs for any user to retrieve those secrets using dbutils.secrets.get(), that will not work in this case. How can we restrict access to these secrets?

Best,

Johan.

h_h_ak · Tuesday

You can define "READ" & "MANAGE".

You can set a group e.g. secret_users_group to the secret-scope and assign READ, than only the secret_users_group and MANAGE user has access. All others who are not in the group or not have rights to manage.

View solution in original post

h_h_ak · Tuesday

Hi Johan,

this should work for restriction:

https://learn.microsoft.com/en-us/azure/databricks/security/secrets/secrets.

Fine granulat access based on secrets is currently not possible.

BR

jar · Tuesday

There isn't a "no permission" ACL as far as I am aware - the lowest is "read" which means any user will still be able to read the secrets.

h_h_ak · Tuesday

You can define "READ" & "MANAGE".

You can set a group e.g. secret_users_group to the secret-scope and assign READ, than only the secret_users_group and MANAGE user has access. All others who are not in the group or not have rights to manage.