Managing secrets begins with creating a secret scope. A secret scope is a collection of secrets identified by a name. A workspace is limited to a maximum of 100 secret scopes.
A Databricks-backed secret scope is stored in (backed by) an encrypted database owned and managed by Databricks. The secret scope name:
- Must be unique within a workspace.
- Must consist of alphanumeric characters, dashes, underscores, and periods, and may not exceed 128 characters.
The names are considered non-sensitive and are readable by all users in the workspace.
You create a Databricks-backed secret scope using the Secrets API 2.0.
Scopes are created with permissions controlled by ACLs. By default, a scope is created with MANAGE permission for the user who created it (the "creator"), which lets the creator read secrets in the scope, write secrets to the scope, and change ACLs for the scope. If your account has the Databricks Premium Plan, you can assign granular permissions at any time after you create the scope. For details, see Secret access control.

You can also override the default and explicitly grant MANAGE permission to all users when you create the scope. In fact, you must do this if your account does not have the Databricks Premium Plan.
Secret scope names are case insensitive.
Create a Databricks-backed secret scope using the Secrets API Create secret scope operation (the Put secret operation writes a secret into an existing scope; it does not create the scope).
Once you have created a Databricks-backed secret scope, you can add secrets.
You can list existing scopes using the Secrets API List secret scopes operation.
Delete a secret scope using the Secrets API Delete secret scope operation.
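The full lifecycle above (create scope, put a secret, grant an ACL, list scopes, delete scope) as an added example; this is not Databricks code and not part of the original page. It wraps the documented Secrets API 2.0 paths in a small client with a pluggable transport so the example runs offline: `FakeWorkspace` is a constructed stand-in that only models the rules stated on this page (unique, case-insensitive scope names and the 100-scope cap), the host and token are placeholders, and `lifecycle` is a helper written for this example. Client-side validation of the scope name mirrors the naming rule above so a bad name never reaches the API.

```python
import json
import re
import urllib.request
from typing import Any, Callable, Dict, Optional

# Secrets API 2.0 paths, relative to the workspace URL.
SCOPE_CREATE = "/api/2.0/secrets/scopes/create"
SCOPE_LIST = "/api/2.0/secrets/scopes/list"
SCOPE_DELETE = "/api/2.0/secrets/scopes/delete"
SECRET_PUT = "/api/2.0/secrets/put"
ACL_PUT = "/api/2.0/secrets/acls/put"

# Documented naming rule: alphanumerics, dashes, underscores, periods; at most 128 chars.
_SCOPE_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")

Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def validate_scope_name(name: str) -> str:
    """Reject names the API would reject before any request leaves the machine."""
    if not _SCOPE_NAME_RE.fullmatch(name):
        raise ValueError("scope name must be 1-128 chars of [A-Za-z0-9._-]: %r" % name)
    return name


class SecretsClient:
    """Thin wrapper over the Secrets API 2.0; the transport is injectable for offline use."""

    def __init__(self, host: str, token: str, transport: Optional[Transport] = None):
        self.host = host.rstrip("/")
        self._token = token
        self._send: Transport = transport or self._http

    def _http(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.host + path, data=data, method=method,
            headers={"Authorization": "Bearer " + self._token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def create_scope(self, name: str, manage_all_users: bool = False) -> Dict[str, Any]:
        body: Dict[str, Any] = {"scope": validate_scope_name(name)}
        if manage_all_users:
            # Required on workspaces without the Premium Plan; "users" is the only accepted value.
            body["initial_manage_principal"] = "users"
        return self._send("POST", SCOPE_CREATE, body)

    def list_scopes(self) -> list:
        return [s["name"] for s in self._send("GET", SCOPE_LIST, None).get("scopes", [])]

    def delete_scope(self, name: str) -> Dict[str, Any]:
        return self._send("POST", SCOPE_DELETE, {"scope": name})

    def put_secret(self, scope: str, key: str, value: str) -> Dict[str, Any]:
        return self._send("POST", SECRET_PUT, {"scope": scope, "key": key, "string_value": value})

    def grant(self, scope: str, principal: str, permission: str) -> Dict[str, Any]:
        if permission not in ("READ", "WRITE", "MANAGE"):
            raise ValueError("permission must be READ, WRITE or MANAGE")
        return self._send("POST", ACL_PUT, {"scope": scope, "principal": principal, "permission": permission})


class FakeWorkspace:
    """Constructed offline stand-in for the API. Models only the rules this page states:
    scope names are unique and case-insensitive, and a workspace holds at most 100 scopes."""
    MAX_SCOPES = 100

    def __init__(self) -> None:
        self.scopes: Dict[str, Dict[str, Any]] = {}  # lower-cased name -> record
        self.secrets: Dict[tuple, str] = {}           # (scope, key) -> value; never returned
        self.acls: list = []

    def __call__(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        if path == SCOPE_CREATE:
            key = body["scope"].lower()
            if key in self.scopes:
                raise RuntimeError("RESOURCE_ALREADY_EXISTS: " + body["scope"])
            if len(self.scopes) >= self.MAX_SCOPES:
                raise RuntimeError("RESOURCE_LIMIT_EXCEEDED")
            self.scopes[key] = {"name": body["scope"], "backend_type": "DATABRICKS"}
            return {}
        if path == SCOPE_LIST:
            return {"scopes": list(self.scopes.values())}
        if path == SCOPE_DELETE:
            if self.scopes.pop(body["scope"].lower(), None) is None:
                raise RuntimeError("RESOURCE_DOES_NOT_EXIST")
            return {}
        if path == SECRET_PUT:
            if body["scope"].lower() not in self.scopes:
                raise RuntimeError("RESOURCE_DOES_NOT_EXIST")
            self.secrets[(body["scope"].lower(), body["key"])] = body["string_value"]
            return {}
        if path == ACL_PUT:
            self.acls.append((body["scope"], body["principal"], body["permission"]))
            return {}
        raise RuntimeError("unhandled path " + path)


def lifecycle(client: SecretsClient, scope: str) -> list:
    """Create a scope, store one secret, grant READ to a group, list scopes, then delete the scope."""
    client.create_scope(scope)
    client.put_secret(scope, "db-password", "s3cr3t")  # constructed sample value
    client.grant(scope, "data-engineers", "READ")
    present = client.list_scopes()
    client.delete_scope(scope)
    return present


if __name__ == "__main__":
    # Pass transport=None and a real token to run against a real workspace instead of the fake.
    c = SecretsClient("https://example.cloud.databricks.com", "dapi-REDACTED", FakeWorkspace())
    print(lifecycle(c, "my-app.prod"))
```

The secret value is sent once and never read back through this client: the Secrets API has no "get secret" call, and values are only meant to be consumed from notebooks and jobs via the secrets utility. Keep it that way in your own wrappers, and do not log request bodies for the put path.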