Secrets

A secret is a key-value pair that stores secret material, with a key name unique within a secret scope. Each scope is limited to 1000 secrets. The maximum allowed secret value size is 128 KB.

Create a secret

The method for creating a secret depends on whether you are using an Azure Key Vault-backed scope or a Databricks-backed scope.

Create a secret in an Azure Key Vault-backed scope

To create a secret in Azure Key Vault, use the Azure SetSecret REST API or the Azure portal UI.

Create a secret in a Databricks-backed scope

To create a secret in a Databricks-backed scope using the Databricks CLI (version 0.7.1 and above):

databricks secrets put --scope <scope-name> --key <key-name>

An editor opens and displays content like this:

# ----------------------------------------------------------------------
# Do not edit the above line. Everything below it will be ignored.
# Please input your secret value above the line. Text will be stored in
# UTF-8 (MB4) form and any trailing new line will be stripped.
# Exit without saving will abort writing secret.

Paste your secret value above the line, then save and exit the editor. The comments are stripped from your input, and the remaining value is stored under the key in the scope.

If you issue a write request with a key that already exists, the new value overwrites the existing value.

You can also provide a secret from a file or from the command line. For more information about writing secrets, see Secrets CLI.

List secrets

To list secrets in a given scope:

databricks secrets list --scope <scope-name>

The response displays metadata about each secret, such as the secret key name and the last-updated timestamp (in milliseconds since epoch). To read a secret, you use the Secrets utilities in a notebook or job. For example, to list the secrets in the jdbc scope:

databricks secrets list --scope jdbc
Key name    Last updated
----------  --------------
password    1531968449039
username    1531968408097
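
The listing exposes only metadata, which is enough for a rotation audit. The following Python script is an added example, not part of the Databricks documentation or CLI: it parses the table above, converts the millisecond timestamps to UTC, and flags secrets that have not been updated recently. The function names, the 90-day rotation threshold and the 50-key headroom are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the listing shown above for the jdbc scope.
SAMPLE_LISTING = """\
Key name    Last updated
----------  --------------
password    1531968449039
username    1531968408097
"""

MAX_SECRETS_PER_SCOPE = 1000  # per-scope limit stated on this page


def parse_listing(text):
    """Return {key_name: last_updated (UTC datetime)} from the CLI table."""
    secrets = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)  # timestamp is the last column
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # skips the header, the dashed rule and blank lines
        key, millis = parts[0].strip(), int(parts[1])
        # Timestamps are milliseconds since epoch; split to avoid float rounding.
        secs, ms = divmod(millis, 1000)
        secrets[key] = datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=ms)
    return secrets


def stale_secrets(secrets, now, max_age_days=90):  # 90 days is an assumed policy
    """Return [(key, age_in_days)] for secrets older than max_age_days, oldest first."""
    limit = timedelta(days=max_age_days)
    stale = [(k, (now - ts).days) for k, ts in secrets.items() if now - ts > limit]
    return sorted(stale, key=lambda item: item[1], reverse=True)


def near_scope_limit(secrets, headroom=50):  # headroom is an assumed margin
    """True when the scope is within `headroom` keys of the 1000-secret limit."""
    return len(secrets) >= MAX_SECRETS_PER_SCOPE - headroom


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    as_of = datetime(2018, 12, 1, tzinfo=timezone.utc)  # fixed date so output is repeatable
    for key, age in stale_secrets(parsed, as_of):
        print(f"{key}: last updated {parsed[key].isoformat()} ({age} days ago)")
```

To audit a live scope, pass the captured output of `databricks secrets list --scope <scope-name>` to `parse_listing` and use the current UTC time as `now`.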

Read a secret

Note

DBUtils secret utilities are available only on clusters running Databricks Runtime 4.0 and above.

You create secrets using the REST API or CLI, but you must use the Secrets utilities in a notebook or job to read a secret.

Delete a secret

To delete a secret from a scope backed by Azure Key Vault, use the Azure SetSecret REST API or Azure portal UI.