Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.

Total isolation of credentials

ChechuIGZ
New Contributor II

Hi!

Recently we encountered a problem with how Databricks handles secrets that does not meet our compliance.
We need total isolation of users' credentials, but it seems like the admin role in Databricks totally breaks that, since a person with that role can access all secrets.

Is there a way for the users to have credentials in Databricks, let's say for simplification, user and password, in a way that is only accessible by the user?

2 REPLIES

ChechuIGZ
New Contributor II

Let me give an example to make it clearer.

We have a user, let's say Bob Rando, and he wants to store a user and password in Databricks secrets in order to use them later on in the notebooks.
Using the CLI, Bob does the following:

  1. databricks secrets create-scope bob-rando-creds
  2. databricks secrets put-secret --json '{"scope": "bob-rando-creds", "key": "username", "string_value": "bobRando"}'
  3. databricks secrets put-secret --json '{"scope": "bob-rando-creds", "key": "password", "string_value": "b0bR4ndoS3cretP4ssword"}'
  4. Then he goes to the notebooks and can access those secrets via the dbutils.secrets.get method.

So far so good. The problem here is that we want complete isolation of those secrets, meaning that only the persons Bob has given access to can see those secrets. Including the admins.
Following the example, an admin can use dbutils.secrets.get to access Bob's secrets as well.

dkushari
New Contributor III

Hi @ChechuIGZ - The value of the secret is redacted. https://docs.databricks.com/en/security/secrets/redaction.html#secret-redaction

Also remember the following -

dkushari_0-1716421430204.png