#![Spark Logo Tiny](https://files.training.databricks.com/images/105/logo_spark_tiny.png) Key Vault-Backed Secret Scopes

## Learning Objectives
By the end of these lessons, you should be able to:
* Configure Databricks to access Key Vault secrets
* Read and write data directly from Blob Storage using secrets stored in Key Vault
* Set different levels of access permission using SAS at the Storage service level
* Mount Blob Storage into DBFS
* Describe how mounting impacts secure access to data

The overall goal of these three notebooks is to read and write data directly from Blob Storage using secrets stored in a Key Vault, accessed securely through the Databricks Secrets utility. 

This goal has been broken into 3 notebooks to make each step more digestible:
1. `1 - Blob Storage` - In the first notebook, we will add a file to a Blob on a Storage Account and generate SAS tokens with different permissions levels
1. `2 - Key Vault` - In the second notebook, we will configure an Azure Key Vault Access Policy and add text-based credentials as secrets
1. `3 - Key Vault` Backed Secret Scopes - In the third notebook, we will define a Secret Scope in Databircks by linking to the Key Vault and use the previously stored credentials to read and write from the Storage Container

##![Spark Logo Tiny](https://files.training.databricks.com/images/105/logo_spark_tiny.png) 1 - Blob Storage

This notebook is focused on configuring the blob storage required for the ADB Core partner training, but should provide general enough instructions to be useful in other settings.
 
 
 ### Learning Objectives
 By the end of this lesson, you should be able to:
 
 - Create blob storage containers
 - Load data into a container
 - Create a read/list SAS token
 - Create a SAS token with full privileges

## Create container and upload a file

Follow the screenshots below to create a container and upload a file. 

You will be using the Azure Portal for these operations.

The Azure Portal can be accessed from your workspace by clicking on the **PORTAL** link, top right next to your name.

## Access your Storage Account in the Azure Portal


A storage account has been provided for you, but you can follow instruction here to [create a new Storage Account in your Resource Group](https://docs.microsoft.com/en-us/azure/storage/common/storage-quickstart-create-account?tabs=azure-portal).

1. Click on "All resources"
2. Click on the storage account starting with `g1`


<img src="https://files.training.databricks.com/images/adbcore/config-blob/resources.png" width=800px />

## View the Blobs, if any stored with this storage account

A storage account can have multiple containers. 

We will upload our file as a blob into a Container for this storage account. 

First, see what containers -- if any -- exist in this storage account.

<img src="https://files.training.databricks.com/images/adbcore/config-blob/storage1.png" width=800px />

## Add a Container to hold Blobs

Currently, we have no containers defined in our blob. Click the indicated button to add a container.

<img src="https://files.training.databricks.com/images/adbcore/config-blob/blobs-empty.png" width=800px />

## Name the container

We'll name our first container `commonfiles`.

Note that the container name is hardcoded in the following notebooks, if you use a name besides `commonfiles` you will have to edit the following notebooks to reflect the name you chose in place of `commonfiles`

Click "OK" to continue.

<img src="https://files.training.databricks.com/images/adbcore/config-blob/new-blob.png" width=800px />

## Download a file to your computer

Now that we have created a container named `commonfiles`, let's upload a file to the container. 

Click the following link to download a csv to your computer:
### Download [this file](https://files.training.databricks.com/courses/adbcore/commonfiles/sales.csv) to your local machine.

## Select the container and upload some data

We will upload the sales.csv file we just downloaded.

#### Select the container commonfiles

<img src="https://files.training.databricks.com/images/adbcore/config-blob/blobs-1.png" width=800px />

#### Select Upload to prepare to upload Data

<img src="https://files.training.databricks.com/images/adbcore/config-blob/blob-empty.png" width=800px />

#### Upload the file into the container

1. Select the downloaded file "sales.csv" from the file picker.
2. Click "Upload"

<img src="https://files.training.databricks.com/images/adbcore/config-blob/file-upload.png"/>

## Congratulations! You have uploaded a file into Azure Blob Storage

Once you have content in Azure Blob Storage you can access that content in an Azure Databricks Notebook. 

For further reading you can see the [Documentation](https://docs.databricks.com/data/data-sources/azure/azure-storage.html)

One way to access the content in a container is to generate an SAS Token

**In the next steps you will generate an SAS Token for this container**

# Copy Down Variables to Be Used in Next Lesson

You'll need a few values that we'll be loading into a Key Vault in the next lesson. We'll copy them into cells below.

## Record Storage Account Name

Copy/paste the name of your storage account below.

<img src="https://files.training.databricks.com/images/adbcore/config-blob/account-name.png"/>

In [13]:
## YOUR STORAGE ACCOUNT NAME HERE ####
## NOTE WE DO NOT RUN ANY CODE HERE, THIS IS JUST SAVED FOR USE IN THE FOLLOWING NOTEBOOK

## Generate a SAS token with all privileges

In the Storage Container View in the Azure Portal

1. Click "Shared access signature"
2. Select all the permissions
3. Click "Generate SAS and connection string" to generate the SAS Token.

<img src="https://files.training.databricks.com/images/adbcore/config-blob/sas-write.png"/>

## Retrieve the SAS Token generated

You will use the SAS token in a later notebook.

For now copy and paste the SAS token into the cell below. 

<img src="https://files.training.databricks.com/images/adbcore/config-blob/sas-write-secrets.png" />

In [16]:
## YOUR FULL PERMISSIONS TOKEN HERE ####
## NOTE WE DO NOT RUN ANY CODE HERE, THIS IS JUST SAVED FOR USE IN THE FOLLOWING NOTEBOOK

## Generate a SAS token with only Read and List privileges

An SAS token is one way to gain access to data in your container. 

You will create an SAS token with read and list permissions for the container.

In the Storage Container View in the Azure Portal

1. Click "Shared access signature"
2. Deselect the appropriate permissions to create a "Read-Only" Token.
3. Make sure you retained the list permission, the list permission is useful to view the contents of the container
3. Click "Generate SAS and connection string" to generate the SAS Token.

#### **Warning a common mistake is to fail to select the list privilege, please verify you have selected read and list checkbox**

<img src="https://files.training.databricks.com/images/adbcore/config-blob/sas-read.png" width=800px />

## Retrieve the SAS Token generated

You will use the SAS token in a later notebook.

For now copy and paste the SAS token into the cell below. 

<img src="https://files.training.databricks.com/images/adbcore/config-blob/sas-write-secrets.png" />

In [19]:
## YOUR READ ONLY TOKEN HERE ####
## NOTE WE DO NOT RUN ANY CODE HERE, THIS IS JUST SAVED FOR USE IN THE FOLLOWING NOTEBOOK

# Obscuring your SAS Tokens

In this series of Notebooks we use our SAS Token to access the blob store. In the cells above you store the SAS token in plain text, this is **bad practice and only done for educational purposes**. Your SAS Token in a production environment should be stored in Secrets/KeyVault to prevent it from being displayed in plain text inside a notebook.

We will see how to do this in the next notebook.

## Congratulations!

You have:
 
 - Created a blob storage container
 - Loaded data into a container
 - Created a read/list SAS token
 - Created a SAS token with full permissions
 - Saved the SAS tokens for later use
 
In this notebook, we uploaded a file to a blob storage container and generated SAS tokens with different access permissions to the storage account. In the next notebook we will see how to store the SAS tokens securely in the Key Vault.

## Next steps

Start the next lesson, [2-Key-Vault]($./2-Key-Vault)