Secrets CLI

Note

The Secrets CLI requires Databricks CLI 0.7.1 or above.

You run Databricks secrets CLI subcommands by appending them to databricks secrets.

For more information about secrets, see Secret management.

databricks secrets --help
Usage: databricks secrets [OPTIONS] COMMAND [ARGS]...

  Utility to interact with secret API.

Options:
  -v, --version   [VERSION]
  --profile TEXT  CLI connection profile to use. The default profile is
                  "DEFAULT".
  -h, --help      Show this message and exit.

Commands:
  create-scope  Creates a secret scope.
    Options:
      --scope SCOPE                  The name of the secret scope.
      --initial-manage-principal     The initial principal that can manage the created secret scope.
                                      If specified, the initial ACL with MANAGE permission applied
                                      to the scope is assigned to the supplied principal (user or group).
                                      The only supported principal is the group
                                      "users", which contains all users in the workspace. If not
                                      specified, the initial ACL with MANAGE permission applied to
                                      the scope is assigned to request issuer's user identity.
  delete        Deletes a secret.
    Options:
      --scope SCOPE                  The name of the secret scope.
      --key KEY                      The name of secret key.
  delete-acl    Deletes an access control rule for a principal.
    Options:
      --scope SCOPE                  The name of the scope.
      --principal PRINCIPAL          The name of the principal.
  delete-scope  Deletes a secret scope.
    Options:
      --scope SCOPE                  The name of the secret scope.
  get-acl       Gets the details for an access control rule.
    Options:
      --scope SCOPE                  The name of the secret scope.
      --principal PRINCIPAL          The name of the principal.
      --output FORMAT                JSON or TABLE. Set to TABLE by default.
  list          Lists all the secrets in a scope.
    Options:
      --scope SCOPE                  The name of the secret scope.
      --output FORMAT                JSON or TABLE. Set to TABLE by default.
  list-acls     Lists all access control rules for a given secret scope.
    Options:
      --scope SCOPE                  The name of the secret scope.
      --output FORMAT                JSON or TABLE. Set to TABLE by default.
  list-scopes   Lists all secret scopes.
      --output FORMAT                JSON or TABLE. Set to TABLE by default.
  put           Puts a secret in a scope.
    Options:
      --scope SCOPE                  The name of the secret scope.
      --key KEY                      The name of the secret key.  [required]
      --string-value TEXT            Read value from string and stored in UTF-8 (MB4) form
      --binary-file PATH             Read value from binary-file and stored as bytes.
  put-acl       Creates or overwrites an access control rule for a principal
                applied to a given secret scope.
    Options:
      --scope SCOPE                    The name of the secret scope.
      --principal PRINCIPAL            The name of the principal.
      --permission [MANAGE|WRITE|READ] The permission to apply.

Create a secret scope

databricks secrets create-scope --scope my-scope

List all secret scopes in workspace

databricks secrets list-scopes

Delete a secret scope

databricks secrets delete-scope --scope my-scope

Create or update a secret in a secret scope

There are three ways to store a secret. The easiest way is to use the --string-value option; the secret will be stored in UTF-8 (MB4) form. Be careful with this option, because your secret may be stored in your command line history in plain text.

databricks secrets put --scope my-scope --key my-key --string-value my-value

You can also use the --binary-file option to provide a secret stored in a file. The file content is read as is and stored as bytes.

databricks secrets put --scope my-scope --key my-key --binary-file my-secret.txt

If you specify neither of these two options, an editor opens for you to enter your secret. Follow the instructions shown in the editor to enter your secret.

databricks secrets put --scope my-scope --key my-key
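One way to use --binary-file for a text secret without the value reaching shell history or the command's argument list, as an added example that is not part of the original documentation. The put_secret function name is hypothetical; the sketch assumes bash, mktemp and an already configured databricks CLI.

```bash
#!/usr/bin/env bash
# Added example (not Databricks code): put_secret is a hypothetical helper.
# It reads a text secret from stdin and passes it via --binary-file, so the
# value never appears in shell history or in the CLI's argument list.

put_secret() {
    local scope="$1" key="$2" value tmp rc=0
    if [ -z "$scope" ] || [ -z "$key" ]; then
        echo "usage: put_secret SCOPE KEY < secret" >&2
        return 2
    fi

    # Command substitution strips trailing newlines, so input from a prompt
    # or from echo does not end up with "\n" inside the stored secret.
    value="$(cat)"
    if [ -z "$value" ]; then
        echo "empty secret, nothing stored" >&2
        return 1
    fi

    # mktemp creates the file with mode 0600 (owner read/write only).
    tmp="$(mktemp)" || return 1

    # --binary-file stores the file content as is, so write the exact bytes.
    # printf is a shell builtin: the value is not exposed to other processes.
    printf '%s' "$value" > "$tmp"

    databricks secrets put --scope "$scope" --key "$key" --binary-file "$tmp" || rc=$?

    # Remove the plaintext copy whether or not the CLI call succeeded.
    rm -f "$tmp"
    return "$rc"
}

# Interactive use: read -s does not echo the input or record it in history.
#   read -rs -p 'Secret: ' s && printf '%s' "$s" | put_secret my-scope my-key; unset s
```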

List secrets stored within the secret scope

databricks secrets list --scope my-scope

There is no interface to get secrets from the CLI. You must use the Databricks Utilities secret utilities interface within a Databricks notebook to access your secret.

Delete a secret in a secret scope

databricks secrets delete --scope my-scope --key my-key

Grant or change ACL for a principal

databricks secrets put-acl --scope my-scope --principal principal --permission MANAGE

List ACLs in a secret scope

databricks secrets list-acls --scope my-scope

Get ACL for a principal in a secret scope

databricks secrets get-acl --scope my-scope --principal principal

Revoke ACL for a principal

databricks secrets delete-acl --scope my-scope --principal principal