Creating a Secret Scope in Databricks backed by Azure Key Vault fails

You can create scopes in Databricks backed by Azure Keyvault instead of using the Databricks CLI. However, when you try to create a Scope, an obscure error message (with a spelling mistake!) is shown. It appears as not many people encounter this error:

"Internal error happened while granting read/list permission to Databricks ervice principal to KeyVault: XYZ"

Setting the Manage Principal to All Users does NOT help in this case.

Rodney asked Jun 11 '19 05:06


People also ask

How do you create Azure Databricks secret scope?

These properties are available from the Properties tab of an Azure Key Vault in your Azure portal. Click the Create button. Use the Databricks CLI databricks secrets list-scopes command to verify that the scope was created successfully.

Can I use Azure key vault to store keys secrets to be used in Azure Databricks?

To refer and access Secrets, users can create a Secret Scope backed by the Azure Key Vault. It allows users to leverage all the Secrets in the corresponding Key Vault instance from a particular Secret Scope. However, this Azure Key Vault-Backed Scope is only supported for the Azure Databricks Premium plan.

What is Databricks secret scope name?

A Databricks-backed secret scope is stored in (backed by) an encrypted database owned and managed by Databricks. The secret scope name: Must be unique within a workspace. Must consist of alphanumeric characters, dashes, underscores, @ , and periods, and may not exceed 128 characters.


1 Answer

I figured that this was a Service Principal issue in Azure AD. This particular user I was logged on to Databricks with was not an AD contributor and only had the Contributor role on the Databricks and Key Vault service. I could not find any default Object ID in AD for Databricks, so I assumed it was creating a service principal on the fly and connecting Databricks with Key Vault (I might be wrong here - it might already exist in AD when you enable the Databricks resource provider).

Logging in as an Admin with the rights to create service principals solved the problem. After that you can see in the Key Vault the DB service principal used for the key retrieval:

Rodney answered Sep 29 '22 08:09
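A way to confirm the state the answer describes, as an added example that is not part of the question or answer: check whether the vault's access policies grant the Databricks service principal the secret permissions the error message names ("read/list", i.e. `get` and `list`). It assumes the vault JSON comes from `az keyvault show -n <vault>` and that the Databricks principal's object id was looked up beforehand (e.g. `az ad sp list --display-name AzureDatabricks`); the ids and policies below are constructed placeholders.

```python
"""Check a Key Vault access policy for the Databricks service principal.

Added example, not code from the original post. The vault JSON is assumed
to be the output of `az keyvault show`, and the object id is assumed to be
the AzureDatabricks service principal's, looked up separately.
"""
import json

# Secret permissions the scope creation step needs ("read/list" in the error).
REQUIRED_SECRET_PERMS = {"get", "list"}


def missing_secret_permissions(vault_json: str, databricks_object_id: str) -> set:
    """Return the required secret permissions the Databricks principal lacks.

    An empty set means the access policy is sufficient. If the vault uses
    Azure RBAC instead of access policies, Key Vault ignores access policies,
    so raise rather than report a misleading result.
    """
    props = json.loads(vault_json)["properties"]
    if props.get("enableRbacAuthorization"):
        raise ValueError("vault uses RBAC; check role assignments, not access policies")
    granted = set()
    for policy in props.get("accessPolicies", []):
        if policy.get("objectId", "").lower() == databricks_object_id.lower():
            # Permission names are compared case-insensitively (Get vs get).
            granted |= {p.lower() for p in policy["permissions"].get("secrets", [])}
    return REQUIRED_SECRET_PERMS - granted


# Constructed sample: a human user with full rights, and a placeholder
# Databricks principal that was only granted "get" (so "list" is missing).
SAMPLE_VAULT = json.dumps({
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {"objectId": "11111111-1111-1111-1111-111111111111",
             "permissions": {"secrets": ["get", "list", "set", "delete"]}},
            {"objectId": "22222222-2222-2222-2222-222222222222",
             "permissions": {"secrets": ["get"]}},
        ],
    }
})
DATABRICKS_OBJECT_ID = "22222222-2222-2222-2222-222222222222"  # placeholder

if __name__ == "__main__":
    missing = missing_secret_permissions(SAMPLE_VAULT, DATABRICKS_OBJECT_ID)
    print("missing secret permissions:", sorted(missing) or "none")  # ['list']
```

If the vault has `enableRbacAuthorization` set, the function raises instead, because in that mode the fix is a role assignment on the vault rather than an access-policy entry.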