cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Restricting access to secrets

Go to solution
jar
New Contributor III

โ€Ž10-29-2024 12:14 AM

Hi. 

I want to restrict access to secrets to a security group, as the secrets can be used to retrieve sensitive data only a few people should see. Up until now, we have been using KV-backed secret scopes, but as it's sufficient that Databricks has the (get, list) ACLs for any user to retrieve those secrets using dbutils.secrets.get(), that will not work in this case. How can we restrict access to these secrets?

Best,

Johan.

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
h_h_ak
Contributor
In response to jar

โ€Ž10-29-2024 01:42 AM

You can define "READ" & "MANAGE".

You can set a group e.g. secret_users_group to the secret-scope and assign READ, than only the secret_users_group and MANAGE user has access. All others who are not in the group or not have rights to manage.

View solution in original post

4 REPLIES 4

Go to solution
h_h_ak
Contributor

โ€Ž10-29-2024 12:34 AM

Hi Johan, 

this should work for restriction: 

h_h_ak_0-1730187189796.png

https://learn.microsoft.com/en-us/azure/databricks/security/secrets/secrets.

Fine granulat access based on secrets is currently not possible.

BR

 

0 Kudos

Go to solution
jar
New Contributor III
In response to h_h_ak

โ€Ž10-29-2024 01:23 AM

There isn't a "no permission" ACL as far as I am aware - the lowest is "read" which means any user will still be able to read the secrets.

0 Kudos

Go to solution
h_h_ak
Contributor
In response to jar

โ€Ž10-29-2024 01:42 AM

You can define "READ" & "MANAGE".

You can set a group e.g. secret_users_group to the secret-scope and assign READ, than only the secret_users_group and MANAGE user has access. All others who are not in the group or not have rights to manage.

Go to solution
jar
New Contributor III
In response to h_h_ak

โ€Ž10-29-2024 08:14 PM

Brilliant, thank you! ๐Ÿ™‚

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements