account encryption-keys command group

Note

This information applies to Databricks CLI versions 0.205 and above. The Databricks CLI is in Public Preview.

Databricks CLI use is subject to the Databricks License and Databricks Privacy Notice, including any Usage Data provisions.

The account encryption-keys command group within the Databricks CLI contains commands to manage encryption key configurations for workspaces. See Customer-managed keys for encryption.

databricks account encryption-keys create

Create a customer-managed key configuration object for an account. This operation uploads a reference to a customer-managed key to Databricks. If the key is assigned as a workspace's customer-managed key for managed services, Databricks uses the key to encrypt the workspace's notebooks and secrets in the control plane, in addition to Databricks SQL queries and query history. If it is specified as a workspace's customer-managed key for workspace storage, the key encrypts the workspace's root S3 bucket (which contains the workspace's root DBFS and system data) and, optionally, cluster EBS volume data.

databricks account encryption-keys create [flags]

Options

--json JSON

    The inline JSON string or the @path to the JSON file with the request body.

Global flags

Examples

The following example creates an encryption key configuration using JSON:

databricks account encryption-keys create --json '{"aws_key_info": {"key_arn": "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012", "key_alias": "alias/my-key"}, "use_cases": ["MANAGED_SERVICES"]}'

The following example creates an encryption key configuration using a JSON file:

databricks account encryption-keys create --json @encryption-key.json
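
A pre-flight check for the request body, run before create is called with --json. This is an added example, not part of the Databricks CLI or its documentation. The function names, the STORAGE use case value, the "alias/" prefix rule and the ACCOUNT profile name are assumptions.

```python
import json
import re

# KMS key ARN: arn:<partition>:kms:<region>:<12-digit account id>:key/<key id>
KMS_KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$")
# MANAGED_SERVICES is shown on this page; STORAGE is an assumed value for the
# workspace storage use case.
USE_CASES = ("MANAGED_SERVICES", "STORAGE")


def check_request_body(text):
    """Return a list of problems in a create request body; empty means it passed."""
    try:
        body = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(body, dict):
        return ["request body must be a JSON object"]
    problems = []
    key_info = body.get("aws_key_info")
    if not isinstance(key_info, dict):
        return ["aws_key_info must be an object"]
    arn = key_info.get("key_arn")
    if not isinstance(arn, str) or not KMS_KEY_ARN.match(arn):
        problems.append("aws_key_info.key_arn is not a KMS key ARN")
    alias = key_info.get("key_alias")
    # Assumption: aliases follow the AWS KMS naming rule and start with "alias/".
    if alias is not None and not (isinstance(alias, str) and alias.startswith("alias/")):
        problems.append("aws_key_info.key_alias must start with 'alias/'")
    use_cases = body.get("use_cases")
    if not isinstance(use_cases, list) or not use_cases:
        problems.append("use_cases must be a non-empty list")
    else:
        problems += [f"unknown use case: {u!r}" for u in use_cases if u not in USE_CASES]
    return problems


def create_argv(path, profile=None):
    """Build the create command as an argument list, so no shell quoting is involved."""
    argv = ["databricks", "account", "encryption-keys", "create", "--json", "@" + path]
    return argv + ["-p", profile] if profile else argv


# Constructed sample: an alias ARN pasted where the key ARN belongs, and a misspelt use case.
SAMPLE_BAD = ('{"aws_key_info": {"key_arn": "arn:aws:kms:us-west-2:123456789012:alias/my-key"},'
              ' "use_cases": ["MANAGED_SERVICE"]}')

if __name__ == "__main__":
    for problem in check_request_body(SAMPLE_BAD):
        print(problem)
    print(create_argv("encryption-key.json", profile="ACCOUNT"))
```

Run the check on the file contents first, and pass the list from create_argv to subprocess.run only when the returned list of problems is empty.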

databricks account encryption-keys delete

Delete a customer-managed key configuration object for an account. You cannot delete a configuration that is associated with a running workspace.

databricks account encryption-keys delete CUSTOMER_MANAGED_KEY_ID [flags]

Arguments

CUSTOMER_MANAGED_KEY_ID

    Databricks encryption key configuration ID.

Options

Global flags

Examples

The following example deletes an encryption key configuration by ID:

databricks account encryption-keys delete cmk-abc123

databricks account encryption-keys get

Get a customer-managed key configuration object for an account, specified by ID. This operation retrieves a reference to a customer-managed key from Databricks. If assigned as a workspace's customer-managed key for managed services, Databricks uses the key to encrypt the workspace's notebooks and secrets in the control plane, in addition to Databricks SQL queries and query history. If it is specified as a workspace's customer-managed key for storage, the key encrypts the workspace's root S3 bucket (which contains the workspace's root DBFS and system data) and, optionally, cluster EBS volume data.

databricks account encryption-keys get CUSTOMER_MANAGED_KEY_ID [flags]

Arguments

CUSTOMER_MANAGED_KEY_ID

    Databricks encryption key configuration ID.

Options

Global flags

Examples

The following example gets an encryption key configuration by ID:

databricks account encryption-keys get cmk-abc123

databricks account encryption-keys list

List Databricks customer-managed key configurations for an account.

databricks account encryption-keys list [flags]

Options

Global flags

Examples

The following example lists all encryption key configurations:

databricks account encryption-keys list

Global flags

--debug

    Whether to enable debug logging.

-h or --help

    Display help for the Databricks CLI or the related command group or the related command.

--log-file string

    A string representing the file to write output logs to. If this flag is not specified, output logs are written to stderr.

--log-format format

    The log format type, text or json. The default value is text.

--log-level string

    A string representing the log format level. If not specified then the log format level is disabled.

-o, --output type

    The command output type, text or json. The default value is text.

-p, --profile string

    The name of the profile in the ~/.databrickscfg file to use to run the command. If this flag is not specified, the profile named DEFAULT is used, if it exists.

--progress-format format

    The format to display progress logs: default, append, inplace, or json.

-t, --target string

    If applicable, the bundle target to use.