Azure databricks and Azure key vault

sakuraime 2,271 Reputation points
2021-03-20T10:56:39.267+00:00

I have created an Azure Databricks and put it into a vnet. And I have a key vault.
The key vault blocks all networks, and I added the Databricks vnet so it can access the key vault.
However, I got the following error:

[screenshot attachment: 79814-image.png]

However, when I set the following to yes, it is ok to access:
[screenshot attachment: 79815-image.png]

Also, when I use https://adb-****************************.azuredatabricks.net#secrets/createScope
to create a secret scope, it adds the "AzureDatabricks" app ID to the access policies of my key vault. Is that normal?
[screenshot attachment: 79829-image.png]

What am I missing?

1 vote

Accepted answer
    JamesTran-MSFT 26,526 Reputation points, Microsoft Employee
    2021-03-25T22:42:40.66+00:00

    @sakuraime
    Thank you for the detailed post and I apologize for the delayed response!

    For the Key Vault side of things, when you enable the Key Vault Firewall, you will be given an option to 'Allow Trusted Microsoft Services to bypass this firewall.' The trusted services list does not cover every single Azure service. The trusted services list encompasses services where Microsoft controls all of the code that runs on the service.

    Since you enabled the Azure Key Vault (AKV) Firewall feature, it's normal that your Databricks service was able to access the key vault after you selected "yes"; otherwise you would've had to specify a specific IP address for your Databricks service.

    When it comes to the access policy, this is completely normal behavior since access to a key vault is controlled through two interfaces: the management plane and the data plane. As for your current scenario, you granted data plane access to your Azure Databricks, by adding it to your Key Vault access policies.

    Additional Link:
    Create an Azure Key Vault-backed secret scope

    I hope this helps, if you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
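The accepted answer turns on two settings: the Key Vault firewall's "Allow trusted Microsoft services to bypass this firewall" option (bypass `AzureServices` on a `Deny` default action) and a data-plane access policy for the Databricks principal. The following is an added example, not code from the thread or from Microsoft, that audits a vault description of the shape `az keyvault show` returns (`networkAcls` and `accessPolicies`) and reports whether those two conditions hold. The vault data, subnet id, object id and app id are constructed placeholders; the function names are the example's own.

```python
import ipaddress

# Constructed sample vault descriptions. The field layout follows the
# networkAcls / accessPolicies sections of `az keyvault show` output; every
# id below is a placeholder, not a real resource.
DBX_SUBNET = ("/subscriptions/<sub-id>/resourceGroups/rg-dbx/providers/"
              "Microsoft.Network/virtualNetworks/vnet-dbx/subnets/public-subnet")

# State from the question: firewall on (Deny), Databricks vnet added,
# trusted-services bypass NOT enabled.
VAULT_NO_BYPASS = {
    "name": "kv-example",
    "networkAcls": {
        "defaultAction": "Deny",
        "bypass": "None",
        "ipRules": [{"value": "203.0.113.0/24"}],
        "virtualNetworkRules": [{"id": DBX_SUBNET}],
    },
    "accessPolicies": [
        {
            "objectId": "<databricks-sp-object-id>",
            "applicationId": "<AzureDatabricks-app-id>",
            "permissions": {"secrets": ["get", "list"], "keys": [], "certificates": []},
        },
    ],
}

# Same vault after answering "yes" to the trusted-services bypass prompt.
VAULT_WITH_BYPASS = {
    **VAULT_NO_BYPASS,
    "networkAcls": {**VAULT_NO_BYPASS["networkAcls"], "bypass": "AzureServices"},
}


def evaluate_request(acls, source):
    """Model of the vault firewall decision for one caller.

    source is one of:
      {"type": "trusted_service"}          a trusted Microsoft service
      {"type": "subnet", "id": ...}        a caller inside a vnet subnet (service endpoint)
      {"type": "ip", "address": ...}       a caller from a public IP
    """
    if acls.get("defaultAction", "Allow").lower() == "allow":
        return True  # firewall is effectively off: everything reaches the data plane
    kind = source["type"]
    if kind == "trusted_service":
        return "azureservices" in acls.get("bypass", "None").lower()
    if kind == "subnet":
        allowed = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])}
        return source["id"].lower() in allowed
    if kind == "ip":
        addr = ipaddress.ip_address(source["address"])
        return any(addr in ipaddress.ip_network(r["value"], strict=False)
                   for r in acls.get("ipRules", []))
    return False


def secret_readers(policies):
    """Object ids whose access policy grants data-plane secret reads (get/list)."""
    readers = []
    for policy in policies:
        perms = {p.lower() for p in policy.get("permissions", {}).get("secrets", [])}
        if perms & {"get", "list", "all"}:
            readers.append(policy["objectId"])
    return readers


def databricks_scope_findings(vault):
    """Findings that would stop a Key Vault-backed secret scope from working,
    plus a note when the firewall is not restricting anything."""
    acls = vault["networkAcls"]
    findings = []
    if acls["defaultAction"].lower() == "allow":
        findings.append("firewall is not restricting networks at all")
    elif not evaluate_request(acls, {"type": "trusted_service"}):
        findings.append("firewall denies by default and trusted-services bypass is off")
    if not secret_readers(vault.get("accessPolicies", [])):
        findings.append("no access policy grants secret get/list")
    return findings


if __name__ == "__main__":
    for vault in (VAULT_NO_BYPASS, VAULT_WITH_BYPASS):
        print(vault["name"], vault["networkAcls"]["bypass"],
              databricks_scope_findings(vault) or "ok")
        print("  secret readers:", secret_readers(vault["accessPolicies"]))
```

Running it shows the first vault failing only on the bypass check even though the Databricks subnet is listed, which matches the thread: the vnet rule covers callers inside that subnet, not the Databricks service itself, so the trusted-services bypass is what makes the secret scope work. The `secret_readers` list is worth reviewing after enabling the bypass, because the bypass widens which networks can reach the vault and the access policies then decide who can actually read secrets.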


0 additional answers
