cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Total isolation of credentials

ChechuIGZ
New Contributor II

โ€Ž05-09-2024 01:44 AM

Hi!

Recently we encountered a problem with how Databricks handles secrets that does not meet our compliance.
We need total isolation of users credentials but seems like the admin role in databricks totally breaks that since a person with that role can access all secrets.

Is there a way for the users to have credentials in databricks, let's say for simplification, user and password in a way that is only accessible by the user?

2 REPLIES 2

ChechuIGZ
New Contributor II

โ€Ž05-09-2024 02:06 AM

Let me put an example to make it more clear.

We have a user, let's say Bob Rando, and he wants to store user and password in databricks secrets in order to use them later on the notebooks.
Using the CLI Bob does the following:

  1. databricks secrets create-scope bob-rando-creds
  2. databricks secrets put-secret --json '{"scope": "bob-rando-creds", "key": "username", "string_value": "bobRando"}'
  3. databricks secrets put-secret --json '{"scope": "bob-rando-creds", "key": "password", "string_value": "b0bR4ndoS3cretP4ssword"}'
  4. The he goes to the Notebooks and can access those secrets via dbutils.secrets.get method.

So far so good. The problem here is that we want complete isolation from those secrets, meaning that only the persons Bob has given access to can see tose secrets. Including the admins.
Following the example and admin can use dbutils.secrets.get to access Bob's secrets as well.

dkushari
Databricks Employee
Databricks Employee

โ€Ž05-22-2024 04:44 PM

Hi @ChechuIGZ - The value of the secret is redacted. https://docs.databricks.com/en/security/secrets/redaction.html#secret-redaction

Also remember the following -

dkushari_0-1716421430204.png

 

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements