Restricting access to secrets

jar
New Contributor II

Hi. 

I want to restrict access to secrets to a security group, as the secrets can be used to retrieve sensitive data only a few people should see. Up until now, we have been using KV-backed secret scopes, but as it's sufficient that Databricks has the (get, list) ACLs for any user to retrieve those secrets using dbutils.secrets.get(), that will not work in this case. How can we restrict access to these secrets?

Best,

Johan.

1 ACCEPTED SOLUTION


4 REPLIES

h_h_ak
Contributor

Hi Johan, 

this should work for restriction: 

https://learn.microsoft.com/en-us/azure/databricks/security/secrets/secrets.

Fine-granular access based on secrets is currently not possible.

BR

 

jar
New Contributor II

There isn't a "no permission" ACL as far as I am aware - the lowest is "read" which means any user will still be able to read the secrets.

You can define "READ" & "MANAGE".

You can set a group, e.g. secret_users_group, on the secret scope and assign READ; then only the secret_users_group and the MANAGE user have access. All others, who are not in the group or do not have rights to manage, have no access.
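The accepted answer in practice, as an added example that is not code from the thread or from Databricks: it plans and applies the Secrets ACL changes that leave only one group with READ (plus existing MANAGE principals) on a scope, and audits for grants to the built-in `users` group. It assumes the documented REST endpoints `/api/2.0/secrets/acls/{list,put,delete}`; the host, token, scope and group names are placeholders and the ACL list is constructed.

```python
"""Lock a Databricks secret scope down to one group via the Secrets ACL API.
Added example; host/token/scope/group names are placeholders (assumptions)."""
import json
import urllib.request

PERMISSIONS = ("READ", "WRITE", "MANAGE")  # the three documented ACL levels


def can_read(acls, principal, groups=()):
    """True if the principal, or one of its groups, holds any ACL on the scope.
    No entry at all means no access: there is no 'deny' level below READ."""
    holders = {a["principal"] for a in acls if a["permission"] in PERMISSIONS}
    return principal in holders or any(g in holders for g in groups)


def plan_lockdown(acls, allowed_group, scope):
    """API calls needed so that only `allowed_group` (READ) and existing MANAGE
    principals keep access. Idempotent: returns [] when already in that state."""
    ops = []
    current = {a["principal"]: a["permission"] for a in acls}
    for principal, perm in current.items():
        if perm != "MANAGE" and principal != allowed_group:
            ops.append(("/api/2.0/secrets/acls/delete",
                        {"scope": scope, "principal": principal}))
    if current.get(allowed_group) != "READ":  # put overwrites any existing level
        ops.append(("/api/2.0/secrets/acls/put",
                    {"scope": scope, "principal": allowed_group, "permission": "READ"}))
    return ops


def broad_grants(acls):
    """Audit helper: entries for the built-in 'users' group, which would let every
    workspace user read the scope with dbutils.secrets.get()."""
    return [a for a in acls if a["principal"] == "users"]


def apply(host, token, ops):
    """POST each planned operation to the workspace (network call; not used in tests)."""
    for path, body in ops:
        req = urllib.request.Request(host + path, data=json.dumps(body).encode(),
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        urllib.request.urlopen(req).read()


if __name__ == "__main__":
    # Constructed sample shaped like GET /api/2.0/secrets/acls/list?scope=kv-scope
    sample = [{"principal": "admin@example.com", "permission": "MANAGE"},
              {"principal": "users", "permission": "READ"}]
    print(broad_grants(sample))
    print(plan_lockdown(sample, "secret_users_group", "kv-scope"))
```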

jar
New Contributor II

Brilliant, thank you! 🙂
