This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 11%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECA%3C/text%3E%3C/svg%3E)
Azure Key vault had launched the RBAC access model in 2021. This allows finer granular access to a particular secret or key or certificate. The previous model was access policies which doesn't allow this granular access.
From my knowledge, Azure keyvault backed secret scopes on Azure databricks only uses Access policies. This means I cannot give different workspaces access to different secrets on the same Key vault.
Looking at a similar question, the solution was to give keyvault secrets user role, but this would give the workspace access to all the secrets within the key vault.
Can you please confirm that this is still the case and if there is any plan to have ADB be compatible with RBAC keyvaults and provide access at a secret level instead of a Key vault level?
@Chand, Anupam SBOBNG-ITA/RX - We are reaching out to the internal team to get more information related to your query and will get back to you as soon as we have an update.
@Chand, Anupam SBOBNG-ITA/RX - From which I assume that you would like to leverage RBAC model instead of Access policies to grant different workspaces access to different secrets. If that's not the case, please disregard the following comments.
That is not possible under the same tenant, because you will be authorizing the single enterprise application (called AzureDatabricks), which is then shared by all workspaces.
I believe you can. Make sure you are using Databricks "premium" tier (does not work in standard tier) and set the "manage principal" to "Creator"
Note: Creating an Azure Key Vault-backed secret scope role grants the Get and List permissions to the resource ID for the Azure Databricks service using key vault access policies, even if the key vault is using the Azure RBAC permissions model.
Once this is done, then the creator can create "secrets" and grant access privileges to users/groups for example "reader". Only the user that has been granted permissions can read the secret, other users cannot read the secret.
For more details, refer to Secret scopes.
Hope this helps.
@PRADEEPCHEEKATLA-MSFT Since we are granting databricks access to the resource id which is the entire keyvault, each workspace will have access to all the secrets within that keyvault. We want to segregate access i.e. workspaces should not have access to each others secrets and we would like to do this with 1 keyvault (i.e. utilizing RBAC model).
The below quote clearly states that even if we use RBAC model, the scope will use access policies which means access to all secrets.
Note: Creating an Azure Key Vault-backed secret scope role grants the Get and List permissions to the resource ID for the Azure Databricks service using key vault access policies, even if the key vault is using the Azure RBAC permissions model.
Thanks please put this as the answer so I can accept.
@Chand, Anupam SBOBNG-ITA/RX - Currently, there is no key vault RBAC support for Databricks planned.
Hi Chand, Anupam SBOBNG-ITA/RX ,
I have converted the above comment to answer. Kindly accept it by clicking on Accept answer button. Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 50%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Dear,
MS advices to switch Key Vault access towards "Azure role-based access control (recommended)" .
All our customers are asking to migrate from access policies towards RBAC.
Please add support for RBAC authentication for a Key Vault.
thanks in advance!
So, it means only way to access keyvault from Databricks is to use the Access Policies?