#![Spark Logo Tiny](https://files.training.databricks.com/images/105/logo_spark_tiny.png) Key Vault-Backed Secret Scopes

## Learning Objectives
By the end of these lessons, you should be able to:
* Configure Databricks to access Key Vault secrets
* Read and write data directly from Blob Storage using secrets stored in Key Vault
* Set different levels of access permission using SAS at the Storage service level
* Mount Blob Storage into DBFS
* Describe how mounting impacts secure access to data

The overall goal of these three notebooks is to read and write data directly from Blob Storage using secrets stored in a Key Vault, accessed securely through the Databricks Secrets utility. 

This goal has been broken into 3 notebooks to make each step more digestible:
1. `1 - Blob Storage` - In the first notebook, we will add a file to a Blob on a Storage Account and generate SAS tokens with different permissions levels
1. `2 - Key Vault` - In the second notebook, we will configure an Azure Key Vault Access Policy and add text-based credentials as secrets
1. `3 - Key Vault Backed Secret Scopes` - In the third notebook, we will define a Secret Scope in Databricks by linking to the Key Vault and use the previously stored credentials to read and write from the Storage Container

##![Spark Logo Tiny](https://files.training.databricks.com/images/105/logo_spark_tiny.png) 2 - Key Vault

[Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis) provides us with a number of options for storing and sharing secrets and keys between Azure applications, and has direct integration with Azure Databricks. In this notebook, we'll focus on configuring an access policy and creating Secrets. These instructions are based around configurations and settings for the ADB Core partner training, but should be adaptable to production requirements.

**This is something that will generally be handled by the workspace administrator.** Only individuals with proper permissions in the Azure Active Directory will be able to link a Key Vault to the Databricks workspace. (Each Key Vault will map to a "scope" in Databricks, so enterprise solutions may have many different Key Vaults for different teams/personas who need different permissions.)

### Learning Objectives
By the end of this lesson, you should be able to:
- Configure Key Vault Access Policies
- Create Secrets that store SAS Tokens in a Key Vault


<img alt="Caution" title="Caution" style="vertical-align: text-bottom; position: relative; height:1.3em; top:0.0em" src="https://files.training.databricks.com/static/images/icon-warning.svg"/> **PLEASE** open a new browser tab and navigate to <https://portal.azure.com>.

## Configure Key Vault Access Policies

1. Go to "All resources"
2. Click on the Key Vault resource

<img src="https://files.training.databricks.com/images/adbcore/config-keyvault/resources-kv.png" width=800px />

## Navigate to Access Policies

First, click on `Access policies` in the left-side pane.

<img src="https://files.training.databricks.com/images/adbcore/config-keyvault/keyvault-home.png" width=800px />

## Add Access Policy to Key Vault

Although our user is a "Contributor" on this resource, that role only grants management of the vault itself; to add, list, and use secrets we must also add a Key Vault access policy for the user.

Click "Add access policy"


<img src="https://files.training.databricks.com/images/adbcore/config-keyvault/access-none.png" width=800px />

1. Select "Key, Secret, & Certificate Management" from the dropdown
2. Click to select a principal

<img src="https://files.training.databricks.com/images/adbcore/config-keyvault/access-template.png" />

1. Search for your user ID
2. Click on the matching result to select
3. Click "Select"

<img src="https://files.training.databricks.com/images/adbcore/config-keyvault/access-principal.png" />

Now you'll need to click "Add" and then...

<img src="https://files.training.databricks.com/images/adbcore/config-keyvault/access-not-added.png" />

## Save Configuration Changes

... you'll click "Save" to finalize the configurations.

<img src="https://files.training.databricks.com/images/adbcore/config-keyvault/access-not-saved.png" />

## Congratulations!

**At this point you have**
* Modified Access Policies in the Azure Key Vault

### Next Steps

**Your next steps are to:** 
* Create Secrets in the Key Vault

## Create secrets in Key Vault

To create secrets in Key Vault that can be accessed from your new secret scope in Databricks, you need to either use the Azure portal or the Key Vault CLI. For simplicity's sake, we will use the Azure portal:

1. Select **Secrets** in the left-hand menu.
2. Select **+ Generate/Import** in the Secrets toolbar.

<img src="https://files.training.databricks.com/images/adbcore/config-keyvault/secrets-none.png" width=800px />

## Create a storageread Secret

In the next blade:

* Enter the name of the secret
  * For the `Name` field, enter **storageread**
  * This will be the key to access the secret value; this will be visible in plain text
* Paste/enter the value for the secret
  * For the `Value` field, enter the **read-only SAS token** from the previous notebook.
  * This will be the value that is stored as a secret; this will be `[REDACTED]`.
* Click "Create"

<img src="https://files.training.databricks.com/images/adbcore/config-keyvault/storageread.png" />

## Create a storagewrite Secret

You should see one secret now in your vault.

<img src="https://files.training.databricks.com/images/adbcore/config-keyvault/secrets-1.png" width=800px />

You want to "Generate/Import" another secret.

* Enter the name of the secret
  * For the `Name` field, enter **storagewrite**
  * This will be the key to access the secret value; this will be visible in plain text
* Paste/enter the value for the secret
  * For the `Value` field, enter the **full permissions SAS token** from the previous notebook.
  * This will be the value that is stored as a secret; this will be `[REDACTED]`.
* Click "Create"
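Before pasting the two tokens into the vault, it is worth confirming that the token stored as `storageread` really carries only read/list permissions and that `storagewrite` carries write permissions, and that neither has already expired. The following is an added example (not part of this notebook) that parses the `sp` and `se` fields of an Azure SAS token; the sample tokens are constructed and their signatures are placeholders.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs

# SAS "sp" permission letters: a storageread token should carry only read/list,
# a storagewrite token must carry at least one of the write-class permissions.
READ_ONLY_PERMS = {"r", "l"}
WRITE_PERMS = {"w", "a", "c", "d"}

def parse_sas(token: str) -> dict:
    """Split a SAS token (with or without the leading '?') into its fields."""
    fields = parse_qs(token.lstrip("?"), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}

def sas_expiry(token: str) -> datetime:
    """Parse the 'se' (expiry) field; the portal emits UTC timestamps ending in 'Z'."""
    se = parse_sas(token)["se"].rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M", "%Y-%m-%d"):
        try:
            return datetime.strptime(se, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised se format")

def redact(token: str) -> str:
    """Mask the signature so the token can be shown or logged without leaking it."""
    return re.sub(r"(sig=)[^&]*", r"\1[REDACTED]", token)

def check_secret(name: str, token: str, now=None) -> list:
    """Return the problems found; an empty list means the token fits the secret name."""
    now = now or datetime.now(timezone.utc)
    fields = parse_sas(token)
    problems = [f"missing field {f}" for f in ("sv", "sp", "se", "sig") if f not in fields]
    if problems:
        return problems
    perms = set(fields["sp"])
    if name == "storageread" and perms - READ_ONLY_PERMS:
        problems.append(f"storageread carries non-read permissions {sorted(perms - READ_ONLY_PERMS)}")
    if name == "storagewrite" and not perms & WRITE_PERMS:
        problems.append("storagewrite carries no write permission")
    if sas_expiry(token) <= now:
        problems.append("token already expired")
    return problems

# Constructed sample tokens (not real credentials); field layout follows an Azure account SAS.
READ_SAS = "?sv=2019-12-12&ss=b&srt=sco&sp=rl&se=2099-01-01T00:00:00Z&spr=https&sig=CONSTRUCTED%3D"
WRITE_SAS = "?sv=2019-12-12&ss=b&srt=sco&sp=rwdlac&se=2099-01-01T00:00:00Z&spr=https&sig=CONSTRUCTED%3D"
EXPIRED_SAS = "?sv=2019-12-12&ss=b&srt=sco&sp=rl&se=2001-01-01T00:00:00Z&spr=https&sig=CONSTRUCTED%3D"

if __name__ == "__main__":
    for name, tok in (("storageread", READ_SAS), ("storagewrite", WRITE_SAS)):
        print(name, redact(tok), check_secret(name, tok) or "OK")
```

Run it against the real tokens only on your own machine, and print them only through `redact()`.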

## Create a storageaccount Secret

Finally, you'll create one more secret.

1. Name: `storageaccount`
2. Value: copy/paste the name of your storage account

<img src="https://files.training.databricks.com/images/adbcore/config-blob/account-name.png"/>

## Return to the list view in the Azure Portal

When you're done, you should see the following three secrets listed:

<img src="https://files.training.databricks.com/images/adbcore/config-keyvault/secrets-all.png" width=800px/>

## Congratulations!

You have:
* Modified Access Policies in the Azure Key Vault
* Created Secrets in the Key Vault that hold SAS tokens

In this notebook, we stored the SAS tokens from the first notebook as Secrets in the Key Vault. In the next notebook, we will see how to connect Databricks to the Key Vault and access the SAS tokens to read and write from Blob Storage.