# ============================================================================
# SECRET PERMISSIONS & PAT TOKEN VERIFICATION
# ============================================================================

import os
from databricks.sdk import WorkspaceClient
import requests

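print("=" * 80)
print("VERIFYING SECRET PERMISSIONS AND PAT TOKEN")
print("=" * 80)
print()

# Scope / key under test, hoisted so the three steps below cannot drift apart.
SCOPE_NAME = "redditscope"
SECRET_KEY = "redditkey"

# Initialize Workspace Client. No host/token is passed, so the SDK resolves
# credentials from the notebook's ambient context / environment.
w = WorkspaceClient()

# ============================================================================
# STEP 1: Check Secret Scope Permissions
# ============================================================================

print("[1] CHECKING SECRET SCOPE PERMISSIONS")
print("-" * 80)

try:
    # Listing scopes only shows that the caller can see them; no values are read.
    scope_list = list(w.secrets.list_scopes())
    print(f"✓ Found {len(scope_list)} secret scope(s)")
    print()

    # First scope whose name matches, or None.
    reddit_scope = next((s for s in scope_list if s.name == SCOPE_NAME), None)
    reddit_scope_found = reddit_scope is not None

    if reddit_scope_found:
        print(f"✓ Found scope: {reddit_scope.name}")
        print(f"  Backend Type: {reddit_scope.backend_type}")
    else:
        print(f"❌ ERROR: '{SCOPE_NAME}' not found!")
        print("   Available scopes:")
        for scope in scope_list:
            print(f"   - {scope.name}")

    print()

except Exception as e:  # diagnostic cell: report and continue with the next check
    print(f"❌ ERROR listing scopes: {e}")
    print()

# ============================================================================
# STEP 2: Check Secret Exists
# ============================================================================

print("[2] CHECKING SECRET EXISTS")
print("-" * 80)

try:
    # Listing keys in the scope does not return any secret values.
    secret_list = list(w.secrets.list_secrets(scope=SCOPE_NAME))

    print(f"✓ Found {len(secret_list)} secret(s) in '{SCOPE_NAME}'")
    for secret in secret_list:
        print(f"  - {secret.key}")

    reddit_key_found = any(secret.key == SECRET_KEY for secret in secret_list)

    if reddit_key_found:
        print(f"\n✓ Secret '{SECRET_KEY}' exists in '{SCOPE_NAME}'")
    else:
        print(f"\n❌ ERROR: Secret '{SECRET_KEY}' NOT found in '{SCOPE_NAME}'!")

    print()

except Exception as e:  # diagnostic cell: report and continue with the next check
    print(f"❌ ERROR listing secrets: {e}")
    print()

# ============================================================================
# STEP 3: Get and Validate PAT Token
# ============================================================================

print("[3] RETRIEVING PAT TOKEN")
print("-" * 80)

try:
    # `dbutils` is provided by the Databricks notebook runtime, not imported.
    token = dbutils.secrets.get(scope=SCOPE_NAME, key=SECRET_KEY)

    print("✓ Successfully retrieved secret")
    # Report only metadata about the value. Printing a slice of the token
    # (e.g. token[:8]) writes real secret characters into the notebook output,
    # which is persisted with the notebook / job run and may not be covered by
    # the output redaction applied to the full secret string.
    print(f"  Token length: {len(token)} characters")

    # Databricks PATs carry a fixed 'dapi' prefix; checking it reveals nothing
    # beyond a yes/no answer.
    if token.startswith("dapi"):
        print("✓ Token format is correct (PAT token)")
    else:
        print("⚠️  WARNING: Token doesn't start with 'dapi'")
        print("   This might not be a valid PAT token!")

    print()

except Exception as e:  # diagnostic cell: leave `token` defined for later cells
    print(f"❌ ERROR retrieving secret: {e}")
    print("   This means you don't have permission to read the secret")
    print()
    token = None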

%md
# Manual Instructions for Workspace Admin

If the script above fails due to permissions, share these instructions with your workspace admin:

---

## 🛠️ How to Add IP to Allowlist (Manual)

### **Step 1: Access Admin Console**

1. Go to: **Databricks Workspace**
2. Click: **Admin Console** (gear icon in top right, or left sidebar)
3. Navigate to: **Security** > **IP Access Lists**

### **Step 2: Add New IP Access List**

1. Click: **"Add"** button
2. Configure:
   - **Type**: `Allow`
   - **IP Address/CIDR**: `172.210.242.89/32`
   - **Label**: `Databricks App - Fashion Ecom`
3. Click: **"Add"**

### **Step 3: Verify**

1. The new entry should appear in the list
2. Status should be **"Enabled"**
3. Changes take effect immediately

---

## 📝 Information for Admin

**Why this is needed**:
- The Databricks App runs from IP: `172.210.242.89`
- This IP is currently blocked by workspace IP ACL
- App cannot connect to Databricks APIs or Lakebase PostgreSQL
- Error message: `Source IP address: 172.210.242.89 is blocked by Databricks IP ACL`

**What this allows**:
- The app to authenticate with Databricks
- The app to connect to Lakebase PostgreSQL
- The app to function properly

**Security considerations**:
- This is a single IP address (`/32` CIDR), so the entry admits exactly one host
- It's the IP of the Databricks App infrastructure
- This is a standard configuration for Databricks Apps
- Does not reduce overall security posture: the IP access list only governs network reachability, and workspace authentication and permissions still apply to every request from this address

---

## 🔍 Alternative: Add IP Range

If Databricks Apps run from a dynamic IP range rather than a fixed address:

1. **Contact Databricks Support** to get the IP range for Databricks Apps in your region
2. **Add the entire range** instead of single IP
   - Example: `172.210.0.0/16` (if provided by support)
3. **Label**: `Databricks Apps - All`

- **Pros**: Works even if the app IP changes
- **Cons**: Broader allowlist — a `/16`, for example, admits 65,536 addresses, so use the narrowest range support provides

---

## ✅ After Adding IP

**Notify the app owner** to:
1. Restart the Databricks App
2. Test the API endpoint
3. Verify logs show successful connection

**Expected result**:
- App connects successfully
- No more IP ACL errors
- API returns data

---

## 📞 Contact Information

**If you have questions**:
- App Owner: kevin.ippen@databricks.com
- App Name: Fashion Ecom Visual Search
- App IP: 172.210.242.89
- Workspace ID: 984752964297111