
I'm trying to find a way to get secrets from KV without creating a secret scope, or to create the secret scope automatically using the Databricks CLI (following https://learn.microsoft.com/en-us/azure/databricks/security/secrets/secret-scopes#--create-an-azure-key-vault-backed-secret-scope-using-the-databricks-cli).

For the second option, I'm confused about where to run those command lines.

Ideally, can Databricks CLI be used to retrieve secrets instead of creating the secret scope?

Alex Ott
Luiz Viola

1 Answer


If you want to use dbutils.secrets.get or the Databricks CLI, then you need to have a secret scope created. To create a secret scope using the CLI, you need to run it from a machine that has the Databricks CLI installed, for example your personal computer. Please note the comment that if you're creating a secret scope from Key Vault using the CLI, then you need to provide an AAD token, not the Databricks PAT. The simplest way to do that is to set environment variables and then use the CLI:

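```sh
# Workspace URL (elided in the original answer)
export DATABRICKS_HOST=https://adb-....azuredatabricks.net
# AAD access token for the Azure Databricks resource, obtained via the Azure CLI
# (requires a prior `az login`); used in place of a Databricks PAT
export DATABRICKS_TOKEN=$(az account get-access-token -o tsv \
   --query accessToken --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d)
databricks secrets create-scope ...
```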
Alex Ott
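A pre-flight check for the AAD-token-versus-PAT point in the answer, as an added example that is not part of the original answer: it classifies the value in `DATABRICKS_TOKEN` before the CLI is run. The function names are hypothetical, and it assumes that Databricks PATs start with `dapi` and that the AAD access token is a JWT with a string `aud` claim.

```sh
# Added example (not from the original answer). Assumptions: Databricks PATs
# start with "dapi"; the AAD access token is a JWT with a string "aud" claim.
# This only inspects claims; it does not verify the token's signature.
ADB_RESOURCE_ID="2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"  # resource ID from the answer

# Decode the payload (second segment) of a JWT and print its JSON.
jwt_payload() {
    _seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#_seg} % 4 )) in   # restore the padding that base64url strips
        2) _seg="${_seg}==" ;;
        3) _seg="${_seg}=" ;;
    esac
    printf '%s' "$_seg" | base64 -d 2>/dev/null
}

# Prints pat | not-a-jwt | wrong-audience | aad-ok; returns 0 only for aad-ok.
check_databricks_token() {
    case "$1" in
        dapi*) echo "pat"; return 1 ;;
    esac
    _dots=$(printf '%s' "$1" | tr -cd '.' | wc -c)
    if [ "$_dots" -ne 2 ]; then echo "not-a-jwt"; return 1; fi
    _aud=$(jwt_payload "$1" |
        sed -n 's/.*"aud"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    if [ "$_aud" = "$ADB_RESOURCE_ID" ]; then echo "aad-ok"; return 0; fi
    echo "wrong-audience"; return 1
}

# Constructed sample tokens (unsigned, for demonstration only).
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
make_token() {
    echo "$(b64url '{"alg":"none"}').$(b64url "{\"aud\":\"$1\",\"tid\":\"constructed\"}").sig"
}

for _t in "dapi0000constructed" "$(make_token "$ADB_RESOURCE_ID")" \
          "$(make_token "https://management.core.windows.net/")"; do
    check_databricks_token "$_t" || true
done
```

In a real session the call would be `check_databricks_token "$DATABRICKS_TOKEN"` placed just before `databricks secrets create-scope ...`.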