Adding Secrets to your KeyVault
Problem
Your program needs to access passwords or other sensitive information to function.
Solution
Storing these in plain text is a vulnerability: anyone who can see the source code or notebooks would be able to steal or misuse the information.
So we will upload them to a Secret Vault where they can be accessed safely.
Getting the CLI
https://docs.databricks.com/en/dev-tools/cli/install.html is the master source
For Mac/Linux open your terminal and run the below commands
brew tap databricks/tap
brew install databricks
In Windows (with Winget installed) run the below commands
winget search databricks
winget install Databricks.DatabricksCLI
In either case test with
databricks -v
This prints the version number. If a version number appears, you’ve successfully installed the Databricks CLI!
Connecting to Databricks
Databricks CLI requires a token to connect to our instance.
To reach your token,
- Open a databricks window in your browser
- Go to User Settings in the top right
- Select Developer
- Select Manage Access Tokens
- Generate new Token
- Copy the token
Set up your connection with the command
databricks configure
This will ask you for a host and a token. The full host is https://adb-7423990253170059.19.azuredatabricks.net but check to see if the “https://” has been included for you.
Then paste your token at the prompt (a * will appear for each character) and hit Enter.
You are now configured to use Databricks for the next 90 days.
Submitting Key to Store
You should have been given a KeyVault to put your keys inside. This will be the <Scope> you target your CLI with. Just type it in, nothing extra.
databricks secrets put-secret <Scope> <KeyName>
Then the next line will appear with a green checkmark, with the name of the key and a slot for a value. Type or paste in the value exactly. Only * will appear; this is to obfuscate your password.
Hit enter when done and that line will vanish.
Congratulations, you’ve added your key to the KeyVault!
Testing your Key
databricks secrets get-secret KyleTestScope testKey
This will return a json with your key/value pair.
The value will be returned as a hash, so no need to fear exposing it.
Success here means that your key is also accessible within Databricks Notebooks with the python method
value = dbutils.secrets.get("KyleTestScope", "testKey")
Updating a Key
databricks secrets put-secret <Scope> <KeyName>
This will open a dialogue where you can type in a replacement secret.
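A way to confirm that keys exist and are being updated without ever retrieving a value, using the list-secrets subcommand from the table on this page. This is an added example, not part of the original page; the JSON field names (key, last_updated_timestamp in epoch milliseconds), the required key names and the 180-day limit are assumptions, and the sample data is constructed.

```python
import json
import subprocess
import time

DAY_MS = 24 * 60 * 60 * 1000


def list_secret_metadata(scope: str) -> str:
    """Ask the (already configured) CLI for key metadata as JSON.

    Arguments are passed as a list, so no shell is involved, and only
    metadata is requested: secret values never reach this process.
    """
    result = subprocess.run(
        ["databricks", "secrets", "list-secrets", scope, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def audit_scope(metadata_json, required_keys, max_age_days, now_ms=None):
    """Return required keys that are missing and keys overdue for an update."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    # An empty scope may produce no output or null; treat both as "no keys".
    entries = json.loads(metadata_json or "[]") or []
    updated = {e["key"]: e.get("last_updated_timestamp") for e in entries}
    missing = sorted(k for k in required_keys if k not in updated)
    stale = sorted(
        k for k, ts in updated.items()
        if ts is not None and now_ms - ts > max_age_days * DAY_MS
    )
    return {"missing": missing, "stale": stale}


# Constructed sample in the assumed output shape (not real data).
SAMPLE = json.dumps([
    {"key": "testKey", "last_updated_timestamp": 1_700_000_000_000},
    {"key": "oldKey", "last_updated_timestamp": 1_600_000_000_000},
])

if __name__ == "__main__":
    # Offline run against the sample; swap in
    # list_secret_metadata("KyleTestScope") to audit a real scope.
    report = audit_scope(SAMPLE, ["testKey", "dbPassword"],
                         max_age_days=180, now_ms=1_702_000_000_000)
    print(report)
```

A key reported as missing needs put-secret; one reported as stale is a candidate for the update step above.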
Creating a Key Store (admin only)
databricks secrets create-scope KyleTestScope
Available Secret Subcommands
| Subcommand | Description |
|---|---|
| create-scope | Create a new secret scope. |
| delete-acl | Delete an ACL. |
| delete-scope | Delete a secret scope. |
| delete-secret | Delete a secret. |
| get-acl | Get secret ACL details. |
| get-secret | Get a secret. |
| list-acls | Lists ACLs. |
| list-scopes | List all scopes. |
| list-secrets | List secret keys. |
| put-acl | Create/update an ACL. |
| put-secret | Add a secret. |