databricks CLI secrets create-scope command includes "backend_azure_keyvault" parameter even when scope-backend-type is set to DATABRICKS

Keleher, William 1 Reputation point
2022-03-20T19:11:29.713+00:00

When running the following command:

databricks secrets create-scope --scope indigo-temp --initial-manage-principal users --scope-backend-type DATABRICKS

I get the error

{ 'error_code': 'INVALID_PARAMETER_VALUE',
'message': 'Missing required fields: backend_azure_keyvault.resource_id, '
'backend_azure_keyvault.dns_name'}
Error: b'{"error_code":"INVALID_PARAMETER_VALUE","message":"Missing required fields: backend_azure_keyvault.resource_id, backend_azure_keyvault.dns_name"}'

Which seems strange given that I am using the --scope-backend-type DATABRICKS switch. When I look at this with --debug on, I can see that the CLI is indeed generating the azure keyvault backend parameters even though I have specified a databricks backend:

HTTP debugging enabled
send: b'POST /api/2.0/secrets/scopes/create HTTP/1.1\r\nHost: adb-<redacted>.5.azuredatabricks.net\r\nuser-agent: databricks-cli-0.12.1-secrets-create-scope-<redacted>\r\nAccept-Encoding: gzip, deflate, br\r\nAccept: */*\r\nConnection: keep-alive\r\nAuthorization: Bearer dapi<redacted>\r\nContent-Type: text/json\r\nContent-Length: 164\r\n\r\n'
send: b'{"scope": "indigo-temp", "initial_manage_principal": "users", "scope_backend_type": "DATABRICKS", "backend_azure_keyvault": {"resource_id": null, "dns_name": null}}'
reply: 'HTTP/1.1 400 Bad Request\r\n'

Why is it doing that?

Azure Databricks

1 answer

  1. PRADEEPCHEEKATLA 90,651 Reputation points Moderator
    2022-03-22T07:45:11.047+00:00

    Hello @Keleher, William,

    Thanks for the question and for using the MS Q&A platform.

    The initial principal that can manage the created secret scope. If specified, the initial ACL with MANAGE permission applied to the scope is assigned to the supplied principal (user or group). Currently, the only supported principal for this option is the group "users", which contains all users in the workspace. If not specified, the initial ACL with MANAGE permission applied to the scope is assigned to the request issuer's user identity.

    As per the repro, I'm able to run the above query successfully without any issue.

    For more details, refer to Create a Databricks-backed secret scope.

    Hope this will help. Please let us know if you have any further queries.

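The debug trace in the question shows a request body that carries a null `backend_azure_keyvault` block alongside `scope_backend_type` `DATABRICKS`. As an added example (not part of this thread and not the Databricks CLI's own code), the Python below builds a body for `POST /api/2.0/secrets/scopes/create` that includes the Key Vault block only for an `AZURE_KEYVAULT` scope, and audits a captured body for that mismatch and for the `users` MANAGE grant the answer describes. The function names are hypothetical; the field names come from the trace.

```python
import json

VALID_BACKENDS = {"DATABRICKS", "AZURE_KEYVAULT"}
KV_FIELDS = ("resource_id", "dns_name")

# Request body copied from the debug trace in the question.
CAPTURED = ('{"scope": "indigo-temp", "initial_manage_principal": "users", '
            '"scope_backend_type": "DATABRICKS", '
            '"backend_azure_keyvault": {"resource_id": null, "dns_name": null}}')


def build_create_scope_body(scope, backend_type="DATABRICKS",
                            initial_manage_principal=None,
                            resource_id=None, dns_name=None):
    """Build the JSON body; the Key Vault block is added only when it applies."""
    if backend_type not in VALID_BACKENDS:
        raise ValueError(f"unknown scope_backend_type: {backend_type!r}")
    body = {"scope": scope, "scope_backend_type": backend_type}
    if initial_manage_principal is not None:
        body["initial_manage_principal"] = initial_manage_principal
    if backend_type == "AZURE_KEYVAULT":
        if not (resource_id and dns_name):
            raise ValueError("AZURE_KEYVAULT needs resource_id and dns_name")
        body["backend_azure_keyvault"] = {"resource_id": resource_id,
                                          "dns_name": dns_name}
    elif resource_id or dns_name:
        raise ValueError("Key Vault fields given for a DATABRICKS scope")
    return body


def audit_body(raw):
    """Return findings for a captured create-scope request body."""
    body = json.loads(raw)
    findings = []
    kv = body.get("backend_azure_keyvault")
    if kv is not None and body.get("scope_backend_type") != "AZURE_KEYVAULT":
        findings.append("backend_azure_keyvault sent for a non-Key Vault scope")
    if kv is not None and any(kv.get(f) is None for f in KV_FIELDS):
        findings.append("backend_azure_keyvault has null required fields")
    if body.get("initial_manage_principal") == "users":
        findings.append("MANAGE goes to group 'users' (all workspace users)")
    return findings


if __name__ == "__main__":
    print(audit_body(CAPTURED))
    clean = build_create_scope_body("indigo-temp",
                                    initial_manage_principal="users")
    print(json.dumps(clean), audit_body(json.dumps(clean)))
```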
