secret.md

subcategory	Security

databricks_secret Resource

With this resource you can insert a secret under the provided scope with the given name. If a secret already exists with the same name, this command overwrites the existing secret's value. The server encrypts the secret using the secret scope's encryption settings before storing it. You must have WRITE or MANAGE permission on the secret scope. The secret key must consist of alphanumeric characters, dashes, underscores, and periods, and cannot exceed 128 characters. The maximum allowed secret value size is 128 KB. The maximum number of secrets in a given scope is 1000. You can read a secret value only from within a command on a cluster (for example, through a notebook); there is no API to read a secret value outside of a cluster. The permission applied is based on who is invoking the command and you must have at least READ permission. Please consult Secrets User Guide for more details.

-> This resource can only be used with a workspace-level provider!

Example Usage

resource "databricks_secret_scope" "app" {
  name = "application-secret-scope"
}

resource "databricks_secret" "publishing_api" {
  key          = "publishing_api"
  string_value = data.azurerm_key_vault_secret.example.value
  scope        = databricks_secret_scope.app.id
}

resource "databricks_cluster" "this" {
  # ...
  spark_conf = {
    # ...
    "fs.azure.account.oauth2.client.secret" = databricks_secret.publishing_api.config_reference
  }
}

Argument Reference

The following arguments are required:

• string_value - (Required) (String) super secret sensitive value.
• scope - (Required) (String) name of databricks secret scope. Must consist of alphanumeric characters, dashes, underscores, and periods, and may not exceed 128 characters.
• key - (Required) (String) key within secret scope. Must consist of alphanumeric characters, dashes, underscores, and periods, and may not exceed 128 characters.
• provider_config - (Optional) Configure the provider for management through account provider. This block consists of the following fields:
  • workspace_id - (Required) Workspace ID which the resource belongs to. This workspace must be part of the account which the provider is configured with.

Attribute Reference

In addition to all arguments above, the following attributes are exported:

• id - Canonical unique identifier for the secret.
• last_updated_timestamp - (Integer) time secret was updated
• config_reference - (String) value to use as a secret reference in Spark configuration and environment variables: {{secrets/scope/key}}.

Import

The resource secret can be imported using scopeName|||secretKey combination. This may change in future versions.

import {
  to = databricks_secret.app
  id = "<scopeName>|||<secretKey>"
}

Alternatively, when using terraform version 1.4 or earlier, import using the terraform import command:

terraform import databricks_secret.app "<scopeName>|||<secretKey>"

Related Resources

The following resources are often used in the same context:

• End to end workspace management guide.
• databricks_notebook to manage Databricks Notebooks.
• databricks_pipeline to deploy Lakeflow Declarative Pipelines.
• databricks_repo to manage Databricks Repos.
• databricks_secret_acl to manage access to secrets in Databricks workspace.
• databricks_secret_scope to create secret scopes in Databricks workspace.