#[Secrets (Preview)](https://docs.azuredatabricks.net/user-guide/secrets/index.html#)

To manage secrets, you must use the [Secrets API (Preview)](https://docs.azuredatabricks.net/api/latest/secrets.html#), which you can also access using the [Secrets CLI](https://docs.azuredatabricks.net/user-guide/dev-tools/databricks-cli.html#secrets-cli) (**version 0.7.0 and above**).

In [2]:
%sh

databricks --help

##[Secret Scopes](https://docs.azuredatabricks.net/user-guide/secrets/secret-scopes.html#)

Scopes are identified by their names, unique within a user’s workspace. The names are considered non-sensitive and are readable by all users in the workspace. A workspace is limited to a maximum of 100 scopes.

###delete secret scopes

In [5]:
%sh

YOUR_SCOPE_NAME=lgong_secrets
databricks secrets delete-scope --scope $YOUR_SCOPE_NAME

: <<'COMMENT'
YOUR_DOMAIN=westus.azuredatabricks.net
BEARER_TOKEN=dapif06c7fb739bdf2900f5c71d29a0147c9
  
curl -H "Authorization: Bearer $BEARER_TOKEN" -X POST \
  -k https://$YOUR_DOMAIN/api/2.0/preview/secret/scopes/delete \
  -d "{\"scope\": \"$YOUR_SCOPE_NAME\"}"
COMMENT

###create secret scopes

In [7]:
%sh

YOUR_SCOPE_NAME=lgong_secrets
databricks secrets create-scope --scope $YOUR_SCOPE_NAME

: <<'COMMENT'
YOUR_DOMAIN=westus.azuredatabricks.net
BEARER_TOKEN=dapif06c7fb739bdf2900f5c71d29a0147c9  
  
curl -H "Authorization: Bearer $BEARER_TOKEN" -X POST \
  -k https://$YOUR_DOMAIN/api/2.0/preview/secret/scopes/create \
  -d "{\"scope\": \"$YOUR_SCOPE_NAME\"}"
COMMENT

###list secret scopes

In [9]:
%sh

databricks secrets list-scopes

: <<'COMMENT'
YOUR_DOMAIN=westus.azuredatabricks.net
BEARER_TOKEN=dapif06c7fb739bdf2900f5c71d29a0147c9  
  
curl -H "Authorization: Bearer $BEARER_TOKEN" -X GET \
  -k https://$YOUR_DOMAIN/api/2.0/preview/secret/scopes/list
COMMENT

##[Secrets](https://docs.azuredatabricks.net/user-guide/secrets/secrets.html)

Secrets are key-value pairs that store secret material, with a key name unique within a secret scope. Each scope is limited to 1000 secrets. The maximum allowed secret value size is 128 KB.

###delete secrets

In [12]:
%sh

YOUR_SCOPE_NAME=lgong_secrets
YOUR_SECRET_KEYS=(databricks_token resource_group subscription_id workspace_name)

for YOUR_SECRET_KEY in ${YOUR_SECRET_KEYS[*]}
do
  databricks secrets delete --scope $YOUR_SCOPE_NAME --key $YOUR_SECRET_KEY
  
  : <<'COMMENT'
  YOUR_DOMAIN=westus.azuredatabricks.net
  BEARER_TOKEN=dapif06c7fb739bdf2900f5c71d29a0147c9
    
  curl -H "Authorization: Bearer $BEARER_TOKEN" -X POST \
    -k https://$YOUR_DOMAIN/api/2.0/preview/secret/secrets/delete \
    -d "{\"scope\": \"$YOUR_SCOPE_NAME\", \"key\": \"$YOUR_SECRET_KEY\"}"
COMMENT
done

###create secrets

In [14]:
%sh

BEARER_TOKEN=dapif06c7fb739bdf2900f5c71d29a0147c9  
YOUR_SCOPE_NAME=lgong_secrets

declare -A YOUR_SECRET_KEYVALUES
YOUR_SECRET_KEYVALUES=(
  [databricks_token]=$BEARER_TOKEN
  [workspace_name]=LixinWorkspace
  [resource_group]=lgong-aml-rg
  [subscription_id]=7c110815-49dd-4740-b8db-ee2a42eb54f2
)

for YOUR_SECRET_KEY in ${!YOUR_SECRET_KEYVALUES[@]}
do
  YOUR_SECRET_VALUE=${YOUR_SECRET_KEYVALUES[$YOUR_SECRET_KEY]}
  databricks secrets write --scope $YOUR_SCOPE_NAME --key $YOUR_SECRET_KEY --string-value $YOUR_SECRET_VALUE
  
  : <<'COMMENT'
  YOUR_DOMAIN=westus.azuredatabricks.net
  
  cat <<- EOF > $YOUR_SECRET_KEY.json
  {
    "scope": "$YOUR_SCOPE_NAME",
    "key": "$YOUR_SECRET_KEY",
    "string_value": "$YOUR_SECRET_VALUE"
  }
EOF

  cat $YOUR_SECRET_KEY.json

  curl -H "Authorization: Bearer $BEARER_TOKEN" -X POST \
    -k https://$YOUR_DOMAIN/api/2.0/preview/secret/secrets/write \
    -d @$YOUR_SECRET_KEY.json
COMMENT
done

###list secret keys

In [16]:
%sh

YOUR_SCOPE_NAME=lgong_secrets
databricks secrets list --scope $YOUR_SCOPE_NAME

: <<'COMMENT'
YOUR_DOMAIN=westus.azuredatabricks.net
BEARER_TOKEN=dapif06c7fb739bdf2900f5c71d29a0147c9  
  
curl -H "Authorization: Bearer $BEARER_TOKEN" -X GET \
  -k https://$YOUR_DOMAIN/api/2.0/preview/secret/secrets/list \
  -d "{\"scope\": \"$YOUR_SCOPE_NAME\"}"
COMMENT

##[Use Secrets](https://docs.azuredatabricks.net/user-guide/dev-tools/dbutils.html#secrets-preview)

DBUtils secret utilities are available only on clusters running **Databricks Runtime 4.0 and above**.

In [18]:
dbutils.preview.secret.help()

###list secret scopes

In [20]:
dbutils.preview.secret.listScopes()

###list secret keys

In [22]:
YOUR_SCOPE_NAME="lgong_secrets"
dbutils.preview.secret.list(scope=YOUR_SCOPE_NAME)

###read secrets

In [24]:
YOUR_SCOPE_NAME="lgong_secrets"
YOUR_SECRET_KEY="databricks_token"
dbutils.preview.secret.get(scope=YOUR_SCOPE_NAME, key=YOUR_SECRET_KEY)