Secret Access Control

By default, all users in all pricing plans can create secrets and secret scopes. Using secret access control, available with the Azure Databricks Premium Plan, you can configure fine-grained permissions for managing access control. This guide describes how to set up these controls.

Note

Access control is available only in the Azure Databricks Premium Plan. If your account has the Standard Plan, you must explicitly grant MANAGE permission to the “users” (all users) group when you create secret scopes.

Note

This topic describes how to manage secret access control using the Databricks CLI (version 0.7.1 and above). Alternatively, you can use the Secrets API.

Secret access control

Access control for secrets is managed at the secret scope level. An access control list (ACL) defines a relationship between an Azure Databricks principal (user or group), secret scope, and permission level. In general, a user will use the most powerful permission available to them (see Permission Levels).

When a secret is read via a notebook using the Secrets utilities, the user’s permission will be applied based on who is executing the command, and they must at least have READ permission.

When a scope is created, an initial MANAGE permission level ACL is applied to the scope. Subsequent access control configurations can be performed by that principal.

Permission levels

The secret access permissions are as follows:

  • MANAGE - Allowed to change ACLs, and read and write to this secret scope.
  • WRITE - Allowed to read and write to this secret scope.
  • READ - Allowed to read this secret scope and list what secrets are available.

Each permission level is a subset of the previous level’s permissions (that is, a principal with WRITE permission for a given scope can perform all actions that require READ permission).

Note

Databricks admins have MANAGE permissions to all secret scopes in the workspace.

Create a secret ACL

To create a secret ACL for a given secret scope using the Databricks CLI (version 0.7.1 and above):

databricks secrets put-acl --scope <scope-name> --principal <principal> --permission <permission>

Making a put request for a principal that already has an applied permission overwrites the existing permission level.

View secret ACLs

To view all secret ACLs for a given secret scope:

databricks secrets list-acls --scope <scope-name>

To get the secret ACL applied to a principal for a given secret scope:

databricks secrets get-acl --scope <scope-name> --principal <principal>

If no ACL exists for the given principal and scope, this request will fail.

Delete a secret ACL

To delete a secret ACL applied to a principal for a given secret scope:

databricks secrets delete-acl --scope <scope-name> --principal <principal>