Secret Redaction

Storing credentials as Azure Databricks secrets makes it easy to protect your credentials when you run notebooks and jobs. However, it is easy to accidentally print a secret to standard output buffers or display the value during variable assignment.

To prevent this, Azure Databricks redacts secret values that are read using dbutils.secrets.get() and displayed in notebook cell output, replacing them with [REDACTED].

Warning

Secret redaction for notebook cell output applies only to literals. The secret redaction functionality therefore does not prevent deliberate and arbitrary transformations of a secret literal, such as printing a secret character by character:

%python
username = dbutils.secrets.get(scope = "jdbc", key = "username")
for c in username:
  print(c)

To ensure the proper control of secrets, you should use Workspace Access Control (limiting permission to run commands) to prevent unauthorized access to shared notebook contexts.