Note
This information applies to Databricks CLI versions 0.205 and above. The Databricks CLI is in Public Preview.
Databricks CLI use is subject to the Databricks License and Databricks Privacy Notice, including any Usage Data provisions.
The secrets command group within the Databricks CLI allows you to manage secrets, secret scopes, and access permissions. Sometimes accessing data requires that you authenticate to external data sources through JDBC. Instead of directly entering your credentials into a notebook, use Databricks secrets to store your credentials and reference them in notebooks and jobs. See Secret management.
databricks secrets create-scope
Create a new secret scope.
The scope name must consist of alphanumeric characters, dashes, underscores, and periods, and may not exceed 128 characters.
databricks secrets create-scope SCOPE [flags]
Arguments
SCOPE
Scope name requested by the user. Scope names are unique.
Options
--initial-manage-principal string
The principal that is initially granted MANAGE permission to the created scope.
--json JSON
The inline JSON string or the @path to the JSON file with the request body.
--scope-backend-type ScopeBackendType
The backend type the scope will be created with. Supported values: AZURE_KEYVAULT, DATABRICKS
databricks secrets delete-acl
Delete the given ACL on the given scope.
Users must have the MANAGE permission to invoke this command. Throws RESOURCE_DOES_NOT_EXIST if no such secret scope, principal, or ACL exists. Throws PERMISSION_DENIED if the user does not have permission to make this API call.
databricks secrets delete-acl SCOPE PRINCIPAL [flags]
Arguments
SCOPE
The name of the scope to remove permissions from.
PRINCIPAL
The principal to remove an existing ACL from.
Options
--json JSON
The inline JSON string or the @path to the JSON file with the request body.
databricks secrets delete-scope
Delete a secret scope.
Throws RESOURCE_DOES_NOT_EXIST if the scope does not exist. Throws PERMISSION_DENIED if the user does not have permission to make this call.
databricks secrets delete-scope SCOPE [flags]
Arguments
SCOPE
Name of the scope to delete.
Options
--json JSON
The inline JSON string or the @path to the JSON file with the request body.
databricks secrets delete-secret
Delete the secret stored in this secret scope. You must have WRITE or MANAGE permission on the secret scope.
Throws RESOURCE_DOES_NOT_EXIST if no such secret scope or secret exists. Throws PERMISSION_DENIED if the user does not have permission to make this call.
databricks secrets delete-secret SCOPE KEY [flags]
Arguments
SCOPE
The name of the scope that contains the secret to delete.
KEY
Name of the secret to delete.
Options
--json JSON
The inline JSON string or the @path to the JSON file with the request body.
databricks secrets get-acl
Get the details about the given ACL, such as the group and permission. Users must have the MANAGE permission to invoke this API.
Throws RESOURCE_DOES_NOT_EXIST if no such secret scope exists. Throws PERMISSION_DENIED if the user does not have permission to make this call.
databricks secrets get-acl SCOPE PRINCIPAL [flags]
Arguments
SCOPE
The name of the scope to fetch ACL information from.
PRINCIPAL
The principal to fetch ACL information for.
Options
databricks secrets get-secret
Get the bytes representation of a secret value for the specified scope and key.
Users need the READ permission to make this call.
Note that the secret value returned is in bytes. The interpretation of the bytes is determined by the caller in DBUtils and the type the data is decoded into.
Throws PERMISSION_DENIED if the user does not have permission to make this API call. Throws RESOURCE_DOES_NOT_EXIST if no such secret or secret scope exists.
databricks secrets get-secret SCOPE KEY [flags]
Arguments
SCOPE
The name of the scope to fetch secret information from.
KEY
The key to fetch secret for.
Options
databricks secrets list-acls
List the ACLs for a given secret scope. Users must have the MANAGE permission to invoke this API.
Throws RESOURCE_DOES_NOT_EXIST if no such secret scope exists. Throws PERMISSION_DENIED if the user does not have permission to make this call.
databricks secrets list-acls SCOPE [flags]
Arguments
SCOPE
The name of the scope to fetch ACL information from.
Options
databricks secrets list-scopes
List all secret scopes available in the workspace.
Throws PERMISSION_DENIED if the user does not have permission to make this call.
databricks secrets list-scopes [flags]
Options
databricks secrets list-secrets
List the secret keys that are stored at this scope. This is a metadata-only operation; secret data cannot be retrieved using this command. Users need the READ permission to make this call.
The lastUpdatedTimestamp returned is in milliseconds since Epoch. Throws RESOURCE_DOES_NOT_EXIST if no such secret scope exists. Throws PERMISSION_DENIED if the user does not have permission to make this call.
databricks secrets list-secrets SCOPE [flags]
Arguments
SCOPE
The name of the scope to list secrets within.
Options
databricks secrets put-acl
Create or overwrite the Access Control List (ACL) associated with the given principal (user or group) on the specified scope point.
In general, a user or group will use the most powerful permission available to them, and permissions are ordered as follows:
- MANAGE: Allowed to change ACLs, and read and write to this secret scope.
- WRITE: Allowed to read and write to this secret scope.
- READ: Allowed to read this secret scope and list what secrets are available.
Note that in general, secret values can only be read from within a command on a cluster (for example, through a notebook). There is no API to read the actual secret value material outside of a cluster. However, the user's permission will be applied based on who is executing the command, and they must have at least READ permission.
Users must have the MANAGE permission to invoke this command.
The principal is a user or group name corresponding to an existing Databricks principal to be granted or revoked access.
Throws RESOURCE_DOES_NOT_EXIST if no such secret scope exists. Throws RESOURCE_ALREADY_EXISTS if a permission for the principal already exists. Throws INVALID_PARAMETER_VALUE if the permission or principal is invalid. Throws PERMISSION_DENIED if the user does not have permission to make this call.
databricks secrets put-acl SCOPE PRINCIPAL PERMISSION [flags]
Arguments
SCOPE
The name of the scope to apply permissions to.
PRINCIPAL
The principal to which the permission is applied.
PERMISSION
The permission level applied to the principal. Supported values: MANAGE, READ, WRITE
Options
--json JSON
The inline JSON string or the @path to the JSON file with the request body.
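For an access review of a scope, the permission ordering described above can be resolved per user. This is an added example, not part of the CLI or the original reference: the function names and the "PERMISSION PRINCIPAL" input lines are constructed for illustration and are not the output format of list-acls.

```bash
# Added example with hypothetical helper names.
# Constructed sample ACL: one "PERMISSION PRINCIPAL" pair per line.
# The principal comes last so that group names may contain spaces.
SAMPLE_ACL='READ alice@example.com
WRITE data engineers
MANAGE admins'

# Map a permission name to its rank in the documented order
# (MANAGE > WRITE > READ); anything else ranks 0.
perm_rank() {
  case $1 in
    MANAGE) echo 3 ;;
    WRITE)  echo 2 ;;
    READ)   echo 1 ;;
    *)      echo 0 ;;
  esac
}

# effective_permission PRINCIPAL...   (ACL lines on standard input)
# Pass the user plus every group the user belongs to. Prints the most
# powerful permission granted to any of them, or NONE.
effective_permission() {
  local best=NONE best_rank=0 perm principal p rank
  while read -r perm principal || [ -n "$perm" ]; do
    for p in "$@"; do
      [ "$p" = "$principal" ] || continue
      rank=$(perm_rank "$perm")
      if [ "$rank" -gt "$best_rank" ]; then
        best=$perm
        best_rank=$rank
      fi
    done
  done
  echo "$best"
}
```
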
databricks secrets put-secret
Insert a secret under the provided scope with the given name. If a secret already exists with the same name, this command overwrites the existing secret's value. The server encrypts the secret using the secret scope's encryption settings before storing it.
You must have WRITE or MANAGE permission on the secret scope. The secret key must consist of alphanumeric characters, dashes, underscores, and periods, and cannot exceed 128 characters. The maximum allowed secret value size is 128 KB. The maximum number of secrets in a given scope is 1000.
The arguments string-value or bytes-value specify the type of the secret, which will determine the value returned when the secret value is requested.
You can specify the secret value in one of three ways:
- Specify the value as a string using the --string-value flag.
- Input the secret when prompted interactively (single-line secrets).
- Pass the secret via standard input (multi-line secrets).
databricks secrets put-secret SCOPE KEY [flags]
Arguments
SCOPE
The name of the scope to store the secret in.
KEY
The key name for the secret.
Options
--bytes-value string
If specified, value will be stored as bytes.
--json JSON
The inline JSON string or the @path to the JSON file with the request body.
--string-value string
If specified, note that the value will be stored in UTF-8 (MB4) form.
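The naming and size limits above can be checked locally before the value is sent, and the standard-input route keeps the value out of the command line. This is an added example, not Databricks code: the helper names are hypothetical, "alphanumeric" is assumed to mean ASCII letters and digits, and 128 KB is assumed to be 131072 bytes.

```bash
# Added example with hypothetical helper names. Only the command
# `databricks secrets put-secret SCOPE KEY` comes from the reference above.
MAX_NAME_LEN=128         # documented limit for scope and key names
MAX_VALUE_BYTES=131072   # 128 KB, assuming 1 KB = 1024 bytes

# Return 0 if NAME is 1..128 characters of ASCII alphanumerics,
# dashes, underscores and periods.
valid_secret_name() {
  local name=$1 LC_ALL=C
  [ -n "$name" ] || return 1
  [ "${#name}" -le "$MAX_NAME_LEN" ] || return 1
  case $name in
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Return 0 if FILE exists and is within the documented value size limit.
valid_secret_file() {
  local file=$1 size
  [ -f "$file" ] || return 1
  size=$(($(wc -c < "$file")))
  [ "$size" -le "$MAX_VALUE_BYTES" ]
}

# Validate first, then pass the value on standard input so it is not
# part of the argument list. Returns 2 for a bad name, 3 for a bad value.
put_secret_from_file() {
  local scope=$1 key=$2 file=$3
  valid_secret_name "$scope" || { echo "invalid scope name" >&2; return 2; }
  valid_secret_name "$key"   || { echo "invalid key name" >&2; return 2; }
  valid_secret_file "$file"  || { echo "missing or oversized value" >&2; return 3; }
  databricks secrets put-secret "$scope" "$key" < "$file"
}
```
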
Global flags
--debug
Whether to enable debug logging.
-h or --help
Display help for the Databricks CLI or the related command group or the related command.
--log-file string
A string representing the file to write output logs to. If this flag is not specified then the default is to write output logs to stderr.
--log-format format
The log format type, text or json. The default value is text.
--log-level string
A string representing the log format level. If not specified then the log format level is disabled.
-o, --output type
The command output type, text or json. The default value is text.
-p, --profile string
The name of the profile in the ~/.databrickscfg file to use to run the command. If this flag is not specified then if it exists, the profile named DEFAULT is used.
--progress-format format
The format to display progress logs: default, append, inplace, or json
-t, --target string
If applicable, the bundle target to use