# Setup Key Vault Backed Secret Scope in Databricks

Azure provides a service to store secrets and retrieve them when and where they are needed. This service is called **Key Vault**. Databricks also provides a proprietary feature for storing secrets, called a Secret Scope.
This notebook focuses on how to set up a Secret Scope backed by Key Vault and how to reference a secret stored therein.

To reference secrets stored in an [Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview), you can create a secret scope backed by Azure Key Vault. You can then leverage all of the secrets in the corresponding Key Vault instance from that secret scope. Because the Azure Key Vault-backed secret scope is a read-only interface to the Key Vault, the `PutSecret` and `DeleteSecret` [Secrets API 2.0](https://docs.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/secrets) operations are not allowed. To manage secrets in Azure Key Vault, you must use the Azure [SetSecret](https://docs.microsoft.com/en-us/rest/api/keyvault/setsecret) REST API or Azure portal UI.

## KeyVault Secret Scope Steps
1. Login to Azure Portal
2. Get Databricks Instance
	1. Go to Databricks cluster and copy the URL.
3. In the browser, open `<databricks-URL>#secrets/createScope`; the Create Secret Scope page opens.
	1. This page is where you create new secret scopes linked to the Databricks workspace. 
	2. A secret scope is a collection of secrets identified by a name. A workspace is limited to a maximum of 100 secret scopes. See [Secret scopes - Azure Databricks | Microsoft Docs](https://docs.microsoft.com/en-us/azure/databricks/security/secrets/secret-scopes).
	3. Remember, if you don't want to co-locate secrets, you need multiple secret scopes. 
4. Get the DNS name and Resource ID from the Key Vault
5. Create the Secret Scope
	1. Choose All Users under Manage Principal if all team members should use the same secret scope; the Creator Only option is only available on the Premium tier anyway.

## Referencing secrets from any secret scope in a Notebook
Steps
1. Create a secret in Azure Key Vault
2. Create a Notebook in Azure Databricks
3. Access Key Vault from Azure Databricks
	1. You will reference a secret scope linked to a Key Vault; both should already exist
	2. The built-in `dbutils.secrets` method in a PySpark notebook retrieves the secret at run time
		1. `dbutils.secrets.get(scope = "SecretScopeName", key = "KeyVaultSecretname")`
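The retrieval call above, carried one step further as an added example (not code from the original notebook): the secret fetched from the Key Vault-backed scope is pushed straight into the Spark config for ADLS Gen2 access, so the account key never appears in cell code or output. `dbutils.secrets` is the Databricks utility shown above; the scope, secret and storage-account names are constructed placeholders.

```python
# Added example: grant a notebook access to an ADLS Gen2 account using an
# account key read from a Key Vault-backed secret scope. The scope, secret and
# storage-account names are constructed placeholders, not real resources.


def build_adls_conf(secrets, scope, key, storage_account):
    """Return the Spark conf entry for key-based ADLS Gen2 access.

    `secrets` is any object exposing get(scope=..., key=...): dbutils.secrets
    inside a Databricks notebook, or a stub when running outside Databricks.
    """
    try:
        account_key = secrets.get(scope=scope, key=key)
    except Exception as exc:
        # The scope is a read-only view of Key Vault: a missing secret cannot be
        # created from Databricks (no PutSecret); it must be added in Key Vault.
        raise RuntimeError(
            f"secret {key!r} not found in scope {scope!r}; add it in Key Vault"
        ) from exc
    return {f"fs.azure.account.key.{storage_account}.dfs.core.windows.net": account_key}


def adls_path(container, storage_account, relative_path=""):
    """Build the abfss:// URI for a path inside a container of the account."""
    return (
        f"abfss://{container}@{storage_account}.dfs.core.windows.net/"
        f"{relative_path.lstrip('/')}"
    )


def configure_adls(spark_conf, secrets, scope, key, storage_account):
    """Set the conf entries on spark.conf; return the names that were set."""
    conf = build_adls_conf(secrets, scope, key, storage_account)
    for name, value in conf.items():
        spark_conf.set(name, value)
    return sorted(conf)


# Inside a Databricks notebook `dbutils` and `spark` already exist; outside one
# (e.g. when importing this file locally) this block is skipped.
if "dbutils" in globals():
    configure_adls(spark.conf, dbutils.secrets,
                   "SecretScopeName", "KeyVaultSecretname", "mystorageaccount")
    # Data can now be read without the key ever being visible:
    # spark.read.csv(adls_path("raw", "mystorageaccount", "landing/sample.csv"))
```

Printing the value returned by `secrets.get` would only show `[REDACTED]` in a notebook, which is the behaviour this pattern relies on.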

## Links
First, create a secret scope in Databricks that allows it to access the Key Vault.
* Link
	* [Create Secret Scope in Azure Databricks (bigdataprogrammers.com)](https://bigdataprogrammers.com/create-secret-scope-in-azure-databricks/)  
	* [Secret scopes - Azure Databricks | Microsoft Docs](https://docs.microsoft.com/en-us/azure/databricks/security/secrets/secret-scopes)

Then use `dbutils.secrets.get` to retrieve secrets from the Key Vault.
* Link - [Access Azure Key Vault in Databricks (bigdataprogrammers.com)](https://bigdataprogrammers.com/access-azure-key-vault-in-databricks/)

```python
# dbutils.secrets.get(scope = "SecretScopeName", key = "KeyVaultSecretname")
# expected output: Out[1]: '[REDACTED]'
# This is because Databricks knows this value is a secret and will not show it in
# plain text, but will use it at runtime for authentication.

dbutils.secrets.get(scope="DianGRAndDKeyVault", key="dianrandddatalake-accountkey")
```
