cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Machine Learning
Dive into the world of machine learning on the Databricks platform. Explore discussions on algorithms, model training, deployment, and more. Connect with ML enthusiasts and experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Store a secret only accessible to the current user

Go to solution
dvmentalmadess
Valued Contributor

‎04-12-2022 09:13 AM

During an interactive notebook session, I want a user to be able to retrieve a secret specific to that user. I haven't decided on storage mechanisms, but I'm open to storage mechanisms that can scalably authorize access to a single user and that I can write the secret from an external service. I have looked into the following:

  • Databricks Secrets: with a limit of 100 scopes, this does not scale beyond 100 users and I work in an engineering organization with over 200 people
  • IAM credential passthrough: does not support MLFlow (my data science team uses MLFlow), and according to my reading it does not support non-admin users calling Scala (I have at least one team that requires the use of Scala)
  • Table Access Control: I could use this to create a view that is limited to results matching CURRENT_USER, but won't work for users who need to use Scala
  • Workspace object access control: it has an API I can use to write secrets, and I can limit access by user. I would prefer if I can prevent admins from reading the secret of another user, but I haven't figured out if this is possible yet.

I'm thinking workspace object access control is a good option. Can anyone tell me if admin users automatically have access to all objects in a workspace? Is there anything I may have missed that would compromise this solution? Are any of my assumptions incorrect? Are there viable alternatives I'm missing?

1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
dvmentalmadess
Valued Contributor

‎08-05-2022 11:29 AM

I ended up using Databricks Secrets as the storage mechanism after learning from my account rep that the limit is soft and we can request a higher scope limit. In this case, each user gets a dedicated scope and no other users have access.

View solution in original post

0 Kudos
3 REPLIES 3

Go to solution
Kaniz_Fatma
Community Manager
Community Manager

‎04-13-2022 11:50 AM

Hi @Mark Miller​ ,

By default, all users can create and modify workspace objects—including folders, notebooks, experiments, and models—unless an administrator enables workspace access control.

With workspace access control, individual permissions determine a user’s abilities.

This article describes how to enable workspace access control and prevent users from seeing workspace objects they do not have access to.

For information about assigning permissions and configuring workspace object access control, see Workspace object access control.

0 Kudos

Go to solution
Kaniz_Fatma
Community Manager
Community Manager

‎04-26-2022 03:50 AM

Hi @Mark Miller​ , Just a friendly follow-up. Do you still need help, or does my response help you to find the solution? Please let us know.

0 Kudos

Go to solution
dvmentalmadess
Valued Contributor

‎08-05-2022 11:29 AM

I ended up using Databricks Secrets as the storage mechanism after learning from my account rep that the limit is soft and we can request a higher scope limit. In this case, each user gets a dedicated scope and no other users have access.

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements