Put secret scope - databricks


I'm in need of updating the secrets using the notebook rather than the CLI. So I'm using APIs, and every time I fetch a new access token and refresh token I want to update them in my Databricks-backed secret scope.

I'm using the command dbutils.secrets.put but it does not work. It throws the error

‘SecretHandler’ object has no attribute put

Do I need to activate something in dbutils, or why is this not possible from a notebook?

If not this, is it possible to update secrets in KeyVault backed secret scope?

2

There are 2 answers

0
Chen Hirsh On

Databricks secret scope can only read secrets from Azure Key vault, and has only Get and List commands. Documentation - https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal .

You can use Azure CLI to update secrets - https://learn.microsoft.com/en-us/azure/key-vault/general/quick-create-cli

And this answer talks about how to use the Azure CLI with Python, so it should work on Databricks - https://stackoverflow.com/questions/51546073/how-to-run-azure-cli-commands-using-python

0
Rakesh Govindula On

Databricks secret scope cannot update the secrets in the Key vault. You need to update the secret in the Key vault, and databricks secret scope will read the updated secret from Key vault.

Use the Update secret REST API to update the Secret.

First you need to create an App registration and a secret in that. Give those values and tenant id in the above code. You need to assign the Key Vault Administrator role to the App registration in the Key vault IAM.


Then use the below code to get the access token for the above REST API.

# Install msal first: !pip install msal
from msal import ConfidentialClientApplication

clientID = "<your client id>"
clientSecret = "<Secret_value>"
scope = ["https://vault.azure.net/.default"]
tenantID = "<Tenant_id>"
authority = "https://login.microsoftonline.com/" + tenantID

app = ConfidentialClientApplication(clientID, clientSecret, authority=authority)
result = app.acquire_token_for_client(scopes=scope)

# Store the access token; on failure MSAL returns an 'error' key instead of a token
if "access_token" not in result:
    raise RuntimeError(result.get("error_description", result))
access_token = result["access_token"]
# Do not print the token into the notebook output: it is a bearer credential

Now, first get the secret id with its latest version id using the GET REST API as below. Then build the required URL and JSON body (put your new secret value there) and send it with PUT from the notebook.

import requests, json

# api-endpoint: GET the current (latest) version of the secret to obtain its id
URL = "https://<Key_Vault_name>.vault.azure.net/secrets/<secret_name>?api-version=7.0"

# sending get request and saving the response as response object
r = requests.get(url=URL, headers={"Authorization": f"Bearer {access_token}"}, timeout=30)
r.raise_for_status()

# Build the required PUT URL from the secret's latest version id
keyvault_url = r.json()['id'] + '?api-version=7.4'
print("Required URL:", keyvault_url)

# Build the JSON body
data = {'value': '<Updated_secret_value>', "contentType": "", "attributes": {"enabled": True}, 'tags': {}}
payload = json.dumps(data)

# Use PUT with the above JSON as payload to update the secret
my_r = requests.put(keyvault_url, data=payload,
                    headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
                    timeout=30)
my_r.raise_for_status()
# The response echoes the secret value, so print only the new version id
print(my_r.json()['id'])


The secret will be updated with a new value, and you can see the new version id in the Key vault secret overview.

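The Set Secret call from the answer above, reworked as an added example (my code, not the answerer's): it uses the documented PUT /secrets/{name}?api-version=7.4 form (Set Secret always creates a new version, so no version segment is needed), validates the secret name, masks the bearer token before anything is printed, and parses the id Key Vault returns. Standard library only; the vault name, secret name and token are placeholders you supply.

```python
import json
import re
import urllib.request
from typing import Dict, Tuple

API_VERSION = "7.4"
# Key Vault object names are 1-127 characters from [0-9a-zA-Z-].
SECRET_NAME_RE = re.compile(r"^[0-9a-zA-Z-]{1,127}$")
# A secret id has the form https://<vault>.vault.azure.net/secrets/<name>/<32-hex version>.
SECRET_ID_RE = re.compile(r"^https://([^./]+)\.vault\.azure\.net/secrets/([^/]+)/([0-9a-f]{32})$")

def is_valid_secret_name(name: str) -> bool:
    return bool(SECRET_NAME_RE.match(name))

def build_set_secret_request(vault_name: str, secret_name: str, value: str,
                             access_token: str) -> Tuple[str, Dict[str, str], bytes]:
    """(url, headers, body) for Set Secret: PUT {vault}/secrets/{name}?api-version=...
    Each call creates a new version; older versions stay readable until disabled."""
    if not is_valid_secret_name(secret_name):
        raise ValueError(f"invalid secret name {secret_name!r}")
    if not value:
        raise ValueError("refusing to store an empty secret value")
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version={API_VERSION}"
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    body = json.dumps({"value": value, "attributes": {"enabled": True}}).encode()
    return url, headers, body

def parse_secret_id(secret_id: str) -> Tuple[str, str, str]:
    """Split the 'id' of a Key Vault secret response into (vault, name, version)."""
    m = SECRET_ID_RE.match(secret_id)
    if not m:
        raise ValueError(f"unexpected secret id {secret_id!r}")
    return m.group(1), m.group(2), m.group(3)

def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the request headers that is safe to print: the bearer token is masked."""
    return {k: ("Bearer ***" if k.lower() == "authorization" else v) for k, v in headers.items()}

def set_secret(vault_name: str, secret_name: str, value: str, access_token: str,
               opener=urllib.request.urlopen) -> str:
    """Write a new secret version and return its version id.
    `opener` is injectable so the flow can be exercised offline with a fake."""
    url, headers, body = build_set_secret_request(vault_name, secret_name, value, access_token)
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    print("PUT", url, redact_headers(headers))  # never log the token or the secret value
    with opener(req, timeout=30) as resp:  # urlopen raises HTTPError on 4xx/5xx
        payload = json.load(resp)
    return parse_secret_id(payload["id"])[2]
```

In a notebook, call set_secret("<Key_Vault_name>", "<secret_name>", new_value, access_token) with the MSAL token from the answer; the returned version id is what the Key Vault overview shows as the new current version.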