Question

sakuraime asked · JamesTran-MSFT commented · 1 vote

Azure databricks and Azure key vault

I have created an Azure Databricks workspace and put it into a VNet. And I have a key vault.
The key vault blocks all networks, and I added the VNet of Databricks so it can access the key vault.
However, I got the following error:

[image 79814-image.png: the error]


However, when I set the following to yes, it is OK to access:

[image 79815-image.png: the Key Vault firewall setting]


Also, when I use https://adb-.azuredatabricks.net#secrets/createScope to create a secret scope, it adds the "AzureDatabricks" app ID to my key vault in the access policies... is that normal?

[image 79829-image.png: the access policies]




What am I missing?


Tags: azure-databricks, azure-key-vault

Does anyone have an idea?

1 Answer

JamesTran-MSFT answered · JamesTran-MSFT commented · 0 votes

@sakuraime
Thank you for the detailed post and I apologize for the delayed response!

For the Key Vault side of things, when you enable the Key Vault Firewall, you will be given an option to 'Allow Trusted Microsoft Services to bypass this firewall.' The trusted services list does not cover every single Azure service. The trusted services list encompasses services where Microsoft controls all of the code that runs on the service.

Since you enabled the Azure Key Vault (AKV) Firewall feature, it's normal that your Databricks service was able to access the key vault after you selected "yes"; otherwise you would've had to specify a specific IP address for your Databricks service.

When it comes to the access policy, this is completely normal behavior since access to a key vault is controlled through two interfaces: the management plane and the data plane. As for your current scenario, you granted data plane access to your Azure Databricks, by adding it to your Key Vault access policies.


Additional Link:
Create an Azure Key Vault-backed secret scope


I hope this helps, if you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

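The answer above turns on two settings a practitioner will want to verify on their own vault: whether the Key Vault firewall is actually on and what admits traffic through it (the trusted-services bypass, VNet rules, IP rules), and which access policies grant data-plane permissions. The following audit script is an added example, not code from the question, the answer, or Microsoft. It reads the JSON document that `az keyvault show --name <vault>` prints; the two sample documents embedded below are constructed for this example with placeholder subscription, object and tenant IDs, and the "secrets get/list only" rule it applies to access policies is this example's own least-privilege assumption, not something the thread states.

```python
"""Audit the network rules and access policies of an Azure Key Vault (added example)."""
import json
from typing import Dict, List, Tuple

# Constructed sample: a vault with the firewall on, the trusted-services bypass
# enabled, two Databricks subnets allowed, and one read-only secrets policy.
# All IDs are placeholders.
SAMPLE_VAULT_JSON = """
{
  "name": "example-kv",
  "properties": {
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices",
      "ipRules": [],
      "virtualNetworkRules": [
        {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dbx/providers/Microsoft.Network/virtualNetworks/vnet-dbx/subnets/public-subnet"},
        {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dbx/providers/Microsoft.Network/virtualNetworks/vnet-dbx/subnets/private-subnet"}
      ]
    },
    "accessPolicies": [
      {
        "objectId": "11111111-1111-1111-1111-111111111111",
        "tenantId": "22222222-2222-2222-2222-222222222222",
        "permissions": {"keys": [], "secrets": ["get", "list"], "certificates": []}
      }
    ]
  }
}
"""

# Constructed sample: the weak configuration, firewall off and a broad policy.
OPEN_VAULT_JSON = """
{
  "name": "open-kv",
  "properties": {
    "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices", "ipRules": [], "virtualNetworkRules": []},
    "accessPolicies": [
      {"objectId": "33333333-3333-3333-3333-333333333333", "tenantId": "22222222-2222-2222-2222-222222222222",
       "permissions": {"keys": ["all"], "secrets": ["all"], "certificates": []}}
    ]
  }
}
"""

# This example's own least-privilege rule for a secret-scope consumer.
READ_ONLY_SECRET_PERMISSIONS = {"get", "list"}


def load_vault(document: str) -> dict:
    """Parse the JSON that ``az keyvault show`` prints."""
    return json.loads(document)


def _vnet_and_subnet(rule_id: str) -> Tuple[str, str]:
    """Extract the VNet and subnet names from an ARM subnet resource ID."""
    parts = rule_id.split("/")
    return parts[parts.index("virtualNetworks") + 1], parts[parts.index("subnets") + 1]


def network_summary(vault: dict) -> dict:
    """Describe how the vault can be reached: firewall state, bypass, VNet and IP rules."""
    acls = vault["properties"].get("networkAcls") or {}
    default_action = acls.get("defaultAction", "Allow")  # no networkAcls block means open
    return {
        "firewall_enabled": default_action.lower() == "deny",
        "trusted_services_bypass": "azureservices" in (acls.get("bypass") or "None").lower(),
        "vnet_rules": [_vnet_and_subnet(r["id"]) for r in acls.get("virtualNetworkRules") or []],
        "ip_rules": [r["value"] for r in acls.get("ipRules") or []],
    }


def access_policy_summary(vault: dict) -> List[Dict]:
    """List each access policy with the data-plane permissions it grants, normalised to lowercase."""
    rows = []
    for policy in vault["properties"].get("accessPolicies") or []:
        perms = policy.get("permissions") or {}
        rows.append({
            "object_id": policy["objectId"],
            "keys": sorted(p.lower() for p in perms.get("keys") or []),
            "secrets": sorted(p.lower() for p in perms.get("secrets") or []),
            "certificates": sorted(p.lower() for p in perms.get("certificates") or []),
        })
    return rows


def findings(vault: dict) -> List[str]:
    """Audit findings as plain strings; an empty list means nothing was flagged."""
    out = []
    net = network_summary(vault)
    if not net["firewall_enabled"]:
        out.append("firewall off: defaultAction is Allow, so the vault is reachable from any network")
    else:
        if net["trusted_services_bypass"]:
            out.append("trusted Microsoft services bypass the firewall; this is what admits a service with no IP or VNet rule")
        if not (net["vnet_rules"] or net["ip_rules"] or net["trusted_services_bypass"]):
            out.append("firewall denies all traffic and no VNet rule, IP rule or bypass admits anything")
    for row in access_policy_summary(vault):
        if set(row["secrets"]) - READ_ONLY_SECRET_PERMISSIONS:
            out.append(f"policy {row['object_id']} grants more than get/list on secrets: {', '.join(row['secrets'])}")
        if row["keys"] or row["certificates"]:
            out.append(f"policy {row['object_id']} also grants key or certificate permissions")
    return out


if __name__ == "__main__":
    for doc in (SAMPLE_VAULT_JSON, OPEN_VAULT_JSON):
        vault = load_vault(doc)
        print(vault["name"], network_summary(vault))
        for line in findings(vault):
            print("  -", line)
```

Run it against a real vault by piping `az keyvault show --name <vault>` into a file and passing that text to `load_vault`. The first sample reproduces the working state from the answer: the firewall is on, the Databricks subnets are allowed, and the only finding is that the trusted-services bypass is enabled, which is exactly the setting the asker had to turn on. The second sample shows what the audit flags when the firewall is off and a policy grants `all`.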

Thanks for your reply.

And I guess once I have enabled Private Link for AKV, then we can add the network link for the private DNS zone to the Databricks VNet (public and private),

and Databricks will connect to AKV through Private Link?

@sakuraime
Thank you for the quick reply!

I'm not too familiar with Azure Private Link. However, based on our "Integrate Key Vault with Azure Private Link" documentation, you should be able to follow the "Establish a private link connection to an existing key vault" section to get your Databricks connected to the AKV.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


@sakuraime
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
