Closed spencekile closed 1 year ago
@spencekile
Thanks for your feedback! We will investigate and update as appropriate.
@spencekile
Thanks for your feedback! I've assigned this issue to the author who will investigate and update as appropriate.
Thanks for your dedication to our documentation. Unfortunately, we have been unable to review your issue and apologize for the delayed response. The requested updates have not yet been made. The timeline for resolution varies based on resourcing. We've created an internal work item (DOC-7181) to incorporate your suggestions. We are closing this issue for now, but feel free to comment here as necessary.
Invalid command: '#please-close'. Only Microsoft employees can use this command.
Keyvault Access Policy IAM blocks retrieving secrets
There is no mention of access policies or RBAC assignments to allow the Databricks instance to retrieve the secret values. I have just run into the situation where, if the Key Vault access configuration is set to "Azure role-based access control", any attempts to retrieve the secret fail with "INVALID_STATE: Databricks could not access keyvault: https://xxxxxxx.vault.azure.net/". This seems to be vaguely documented here: https://learn.microsoft.com/en-us/azure/databricks/kb/security/troubleshoot-key-vault-access, but the problem is the access configuration isn't set to access policies.
When the Key Vault access configuration is set to "Vault access policy", then when the secret scope is created, an access policy is generated for Get, List automatically. This allows secret retrieval to succeed with no issues.
It would be helpful to have this documented or to notify the team to update the processes behind the scenes to create the role-based access control entry depending on the Key Vault access configuration setting.
Spence Kile spence.kile@acuitybrands.com
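The two access configurations described in the issue can be checked offline before creating a secret scope. The following is an added example, not part of the original issue or of Microsoft's documentation. It assumes input shaped like the JSON from `az keyvault show` and `az role assignment list`; the principal ID, vault ID, and the set of roles treated as sufficient are constructed or assumed for illustration.

```python
# Roles assumed (by this example, not by the issue) to grant secret reads.
SECRET_READ_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer",
                     "Key Vault Administrator"}

def can_read_secrets(vault, role_assignments, principal_id):
    """Return (allowed, reason) for principal_id under the vault's permission model."""
    props = vault.get("properties", {})
    vault_id = vault["id"].lower()
    if props.get("enableRbacAuthorization"):
        # RBAC mode: access policies are ignored; only role assignments at the
        # vault scope or an enclosing scope count.
        for ra in role_assignments:
            scope = ra["scope"].lower().rstrip("/")
            in_scope = vault_id == scope or vault_id.startswith(scope + "/")
            if (ra["principalId"] == principal_id and in_scope
                    and ra["roleDefinitionName"] in SECRET_READ_ROLES):
                return True, "rbac: " + ra["roleDefinitionName"]
        return False, "rbac: no secret-read role assignment for principal"
    # Access-policy mode: the principal needs Get and List on secrets.
    for ap in props.get("accessPolicies", []):
        perms = {p.lower() for p in ap.get("permissions", {}).get("secrets", [])}
        if ap["objectId"] == principal_id and ({"get", "list"} <= perms or "all" in perms):
            return True, "access policy: get, list"
    return False, "access policy: principal lacks get/list on secrets"

# Constructed sample data (placeholder IDs, not real resources).
SP = "00000000-0000-0000-0000-0000000000aa"
VAULT_ID = ("/subscriptions/0000/resourceGroups/rg-demo"
            "/providers/Microsoft.KeyVault/vaults/kv-demo")
POLICY_VAULT = {"id": VAULT_ID, "properties": {
    "enableRbacAuthorization": False,
    "accessPolicies": [{"objectId": SP,
                        "permissions": {"secrets": ["Get", "List"]}}]}}
# Same vault switched to RBAC: the old policy is still stored but has no effect.
RBAC_VAULT = {"id": VAULT_ID, "properties": {
    "enableRbacAuthorization": True,
    "accessPolicies": POLICY_VAULT["properties"]["accessPolicies"]}}
ASSIGNMENT = [{"principalId": SP, "roleDefinitionName": "Key Vault Secrets User",
               "scope": "/subscriptions/0000/resourceGroups/rg-demo"}]

if __name__ == "__main__":
    print(can_read_secrets(POLICY_VAULT, [], SP))
    print(can_read_secrets(RBAC_VAULT, [], SP))
    print(can_read_secrets(RBAC_VAULT, ASSIGNMENT, SP))
```

The second call reproduces the situation in the issue: the Get/List policy is present, but in RBAC mode it grants nothing until a role assignment exists.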