Open tonswart opened 5 years ago
Yep (and agreed this is an issue), I've had to remove this from the latest version. Databricks are changing the API and will not commit to the final state until Key Vault backed scopes come out of Preview. I've no timescales yet. In the meantime, if you need these I would deploy them manually - the CLI or REST API do not support them yet.
This still gives an error. Any timescale for when this will be fixed? :( The azure.databricks.cicd.tools helped me a lot in my continuous deployment pipelines and I want to restrict the manual processes as little as possible.
Microsoft are claiming this works now: https://docs.microsoft.com/en-us/azure/databricks/release-notes/product/2020/october#use-the-databricks-cli-or-the-databricks-api-to-create-azure-key-vault-backed-secret-scopes
However it does not. I've opened a support case and been told that Create Scope only works with Bearer tokens, but Key Vault Backed Scopes require you to use AAD. Go figure. Also raised as an issue with the docs here: https://github.com/MicrosoftDocs/azure-docs/issues/65000#issuecomment-716517977
Cross referencing #77 as these are the same issue. Basically AAD auth only works for users, not service principals. It's "on the backlog".
Hi All, I'm using a standard tier. While creating a scope using the CLI I'm getting the below error.
databricks secrets create-scope --scope datalake --scope-backend-type AZURE_KEYVAULT --resource-id /subscriptions/@@>/resourceGroups/hardikpocs/providers/Microsoft.KeyVault/vaults/<@@ --dns-name https://<@@>.vault.azure.net/ --initial-manage-principal users
Error: b'{"error_code":"INVALID_PARAMETER_VALUE","message":"Scope with Azure KeyVault must have userAADToken defined!"}'
You are using the official CLI. This repo is for the PowerShell module. I suggest you contact Databricks.
Still having this issue!
databricks secrets create-scope --scope demo --scope-backend-type AZURE_KEYVAULT --resource-id $vaultId --dns-name $vaultUri
Error: b'{"error_code":"INVALID_PARAMETER_VALUE","message":"Scope with Azure KeyVault must have userAADToken defined!"}'
I am trying to create an Azure Key Vault scope in Databricks but am having the below issue. Does anyone have any idea about it?
Hi @simondmorias, I saw your previous post, posted last year, saying UserAADToken was still in the backlog items. Is it fixed now? I need to automate the Key Vault backed secret scope creation in an Azure DevOps pipeline. If you have any other option, please let me know. Thanks for your time and help.
11 months on and still no fix. Seems like an important feature to link Azure Key Vault to Databricks. How do we escalate these problems to the Core team?
This is such a requested feature, how is this not fixed yet? Please try and sort this out so we can automate our deployments.
It’s a Databricks API limitation. I can’t work around it as they control the API.
Any updates on this? I am facing the same issue today.
Add-DatabricksSecretScope -BearerToken "dapi" -Region "westeurope" -ScopeName "key-vault-secrets" -KeyVaultResourceId "/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/" -AllUserAccess
Results in an error: Invoke-RestMethod : {"error_code":"INVALID_PARAMETER_VALUE","message":"Scope with Azure KeyVault must have userAADToken defined!"}
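A pre-flight check a pipeline could run before attempting the scope creation, added here as an illustration and not code from this repository or from Databricks: it classifies the bearer token so the userAADToken rejection reported in this thread is caught before the API call. The `dapi` prefix is taken from the command above; the `scp`/`idtyp` test for user versus service principal tokens is a heuristic assumption, and the function names and sample tokens are constructed.

```python
import base64
import json

AAD_ISSUERS = ("https://sts.windows.net/", "https://login.microsoftonline.com/")

def fake_jwt(claims):
    """Build an unsigned, constructed JWT used only to exercise the classifier."""
    segs = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
            for p in ({"alg": "none"}, claims)]
    return ".".join(segs + ["sig"])

def _claims(token):
    """Decode the JWT payload without verifying the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def classify_token(token):
    """Return 'pat', 'aad_user', 'aad_app' or 'unknown'."""
    if token.startswith("dapi"):  # Databricks personal access token
        return "pat"
    claims = _claims(token)
    if not claims or not str(claims.get("iss", "")).startswith(AAD_ISSUERS):
        return "unknown"
    # Heuristic (assumption): delegated user tokens carry 'scp'; app-only
    # (service principal) tokens do not and may carry idtyp == 'app'.
    if claims.get("idtyp") == "app" or "scp" not in claims:
        return "aad_app"
    return "aad_user"

def preflight(token):
    """Return (ok, reason) before attempting a Key Vault backed scope create."""
    reasons = {
        "pat": "PAT: API rejects with 'must have userAADToken defined'",
        "aad_app": "service principal token: reported unsupported in this thread",
        "aad_user": "AAD user token: the type the API asks for",
        "unknown": "unrecognised token format",
    }
    kind = classify_token(token)
    return kind == "aad_user", reasons[kind]
```

The payload is decoded without signature verification, so the result is only a deployment-time diagnostic and must not be used as an authentication decision.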