Creating DataBricks Azure Key Vault Secret Scope Backend using Rest Api and DataBricks CLI
I am trying to create a secret scope which is backed by Azure Key Vault. When I tried with the Secrets API, I got an error.
Input:
import requests

# Placeholders: workspace hostname (without https://) and the bearer token.
DOMAIN = '<databricks-instance>'
TOKEN = '<token>'

# Request to create a secret scope backed by Azure Key Vault.
response = requests.post(
    'https://%s/api/2.0/secrets/scopes/create' % (DOMAIN),
    headers={'Authorization': 'Bearer %s' % TOKEN},
    json={
        "scope": "my-simple-azure-keyvault-scope",
        "scope_backend_type": "AZURE_KEYVAULT",
        "backend_azure_keyvault": {
            "resource_id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/azure-rg/providers/Microsoft.KeyVault/vaults/my-azure-kv",
            "dns_name": "https://my-azure-kv.vault.azure.net/"
        },
        "initial_manage_principal": "users"
    })
Output:
{
    "error_code": "INVALID_PARAMETER_VALUE",
    "message": "Scope with Azure KeyVault must have userAADToken defined!"
}
I tried a different method, the Databricks CLI, and faced an error with that as well. So I created a secret scope using the Databricks UI and tried to access it through the CLI.
Input:
databricks configure --token
Databricks Host (should begin with https://): https://adb-...azuredatabricks.net/
Token:
D:\Users\>databricks secrets list-scopes
Output:
Error: b'Bad Request'
In the Cmd prompt.
Is there a way to get an AAD token? I have implemented the Microsoft documentation for getting a token, but it didn't work.
This is a well-known limit described in the documentation linked in the comment - you must use a user's AAD token to create a secret scope backed by the Azure KeyVault.
The simplest way to create a secret scope is not to use the API, but instead to use the Databricks CLI - there is a command to create a secret scope:
databricks secrets create-scope --scope <scope-name> \
--scope-backend-type AZURE_KEYVAULT --resource-id <azure-keyvault-resource-id> \
--dns-name <azure-keyvault-dns-name>
You don't even need to configure the CLI - specify the DATABRICKS_HOST and DATABRICKS_TOKEN environment variables, like this:
export DATABRICKS_TOKEN=$(az account get-access-token -o tsv --query accessToken --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d)
export DATABRICKS_HOST=https://adb-.....azuredatabricks.net
Note that here we're getting the user's AAD token by using the az account get-access-token command from the Azure CLI (make sure you did az login before).
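A local pre-flight check for the value placed in DATABRICKS_TOKEN, added here as an example and not part of the original question or answer. It assumes the AAD token is a JWT whose aud claim equals the resource ID passed to az account get-access-token above; classify_token, make_sample_jwt and the verdict strings are hypothetical names, and the sample tokens are constructed.

```python
import base64
import json
import os
import time

# Resource ID from the answer's `az account get-access-token --resource ...`.
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_token(token, now=None):
    """Say whether `token` looks like an AAD token issued for Databricks.

    Claims are read without verifying the signature: this is a sanity check
    before calling the API, not an authentication decision.
    """
    now = time.time() if now is None else now
    if token.startswith("dapi"):
        return "databricks-pat"  # Databricks personal access tokens start with "dapi"
    parts = token.split(".")
    if len(parts) != 3:
        return "not-a-jwt"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return "not-a-jwt"
    if not isinstance(claims, dict):
        return "not-a-jwt"
    if claims.get("aud") != DATABRICKS_RESOURCE_ID:
        return "wrong-audience"  # token was requested for another resource
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return "expired"
    return "ok"


def make_sample_jwt(aud, exp):
    """Build an unsigned, constructed JWT used only to exercise the check."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud, "exp": exp}), "sig"])


if __name__ == "__main__":
    # Print only the verdict, never the token itself.
    print(classify_token(os.environ.get("DATABRICKS_TOKEN", "")))
```

Run it after the export lines above; any verdict other than ok means the token in DATABRICKS_TOKEN should be re-issued before the create-scope call is retried.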