10-29-2024 12:14 AM
Hi.
I want to restrict access to secrets to a security group, as the secrets can be used to retrieve sensitive data only a few people should see. Up until now, we have been using KV-backed secret scopes, but as it's sufficient that Databricks has the (get, list) ACLs for any user to retrieve those secrets using dbutils.secrets.get(), that will not work in this case. How can we restrict access to these secrets?
Best,
Johan.
Accepted Solutions
10-29-2024 01:42 AM
You can define "READ" & "MANAGE".
You can set a group, e.g. secret_users_group, on the secret scope and assign READ; then only the secret_users_group and the MANAGE user have access. All others, who are not in the group or do not have the rights to manage, do not.
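As an added example (not code from the thread or from Databricks), the accepted answer's approach written as a small ACL audit: given a scope's current ACLs, flag a grant to the workspace-wide `users` group (which makes the secrets readable by everyone, since READ is the lowest permission), then compute the put/delete calls that leave READ only for `secret_users_group` and MANAGE for the owner. The scope name, the e-mail address and the SDK-calling helper `apply_acl_changes` are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

SCOPE = "finance-kv"  # constructed placeholder, not a value from the thread


@dataclass(frozen=True)
class Acl:
    principal: str   # user e-mail, group name or service principal
    permission: str  # READ | WRITE | MANAGE (the scope-level ACL permissions)


def overly_broad(current: list[Acl]) -> list[str]:
    """Flag grants that expose the scope to the whole workspace: any permission
    held by the built-in 'users' group is enough, since READ is the minimum."""
    return [a.principal for a in current if a.principal == "users"]


def plan_acl_changes(current: list[Acl], allowed_readers: set[str],
                     managers: set[str]) -> dict:
    """Return the delete/put operations that make `current` match the policy:
    only `allowed_readers` get READ, only `managers` get MANAGE, everyone else
    (including 'users') is removed. MANAGE wins if a principal is in both sets."""
    desired = {p: "READ" for p in allowed_readers}
    desired.update({p: "MANAGE" for p in managers})
    have = {a.principal: a.permission for a in current}
    to_delete = sorted(p for p in have if p not in desired)
    to_put = sorted((Acl(p, perm) for p, perm in desired.items()
                     if have.get(p) != perm), key=lambda a: a.principal)
    return {"delete": to_delete, "put": to_put}


def apply_acl_changes(scope: str, plan: dict) -> None:
    """Apply a plan with the Databricks SDK (assumed installed and authenticated
    via the usual environment); imported here so the audit logic runs offline."""
    from databricks.sdk import WorkspaceClient
    from databricks.sdk.service.workspace import AclPermission
    w = WorkspaceClient()
    for principal in plan["delete"]:
        w.secrets.delete_acl(scope=scope, principal=principal)
    for acl in plan["put"]:
        w.secrets.put_acl(scope=scope, principal=acl.principal,
                          permission=AclPermission[acl.permission])


if __name__ == "__main__":
    # Constructed sample: the scope was created with MANAGE for all users,
    # so every workspace user can call dbutils.secrets.get() against it.
    current = [Acl("users", "MANAGE"), Acl("johan@example.com", "MANAGE")]
    print(overly_broad(current))  # ['users']
    print(plan_acl_changes(current, {"secret_users_group"}, {"johan@example.com"}))
```

Run the audit first against `list_acls` output to see what would change; only then hand the plan to `apply_acl_changes`.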
10-29-2024 12:34 AM
Hi Johan,
this should work for restriction:
https://learn.microsoft.com/en-us/azure/databricks/security/secrets/secrets.
Fine-grained access based on individual secrets is currently not possible.
BR
10-29-2024 01:23 AM
There isn't a "no permission" ACL as far as I am aware - the lowest is "read" which means any user will still be able to read the secrets.
10-29-2024 08:14 PM
Brilliant, thank you! 🙂