Database passwords, API keys, storage account connection strings — are you still hard-coding these credentials into notebook cells or job configurations?Secret Scope is the Databricks-native secret management feature that separates credentials from code and lets you retrieve them safely with dbutils.secrets.get. Retrieved values are automatically replaced with [REDACTED] in notebook output, which reduces the risk of leaks during screen sharing or notebook export.
This article compares the two Secret Scope backends (Databricks-backed and Key Vault-backed), walks through CLI/API management, shows Python usage patterns, covers ACL design, and highlights the points tested on the Data Engineer Associate and Professional exams.
A Secret Scope is a logical container for secrets. Each Scope holds multiple keys (secrets), and ACLs are configured per Scope. The structure looks like this:
Secret Scope: "production-secrets"
├── key: "db-password" → value: "P@ssw0rd123"
├── key: "api-key" → value: "sk-abc123..."
└── key: "storage-account" → value: "DefaultEndpoints..."
Secret Scope: "development-secrets"
├── key: "db-password" → value: "dev-password"
└── key: "api-key" → value: "sk-dev..."
# Use from a notebook
password = dbutils.secrets.get(scope="production-secrets", key="db-password")
# → The value is bound to the variable, but print(password) shows [REDACTED]Because each secret is uniquely identified by (Scope name, Key name), a common pattern is to create one Scope per environment (production / development / staging) and reuse the same key names across them. You can switch environments just by changing the Scope name, without touching the code.
| Aspect | Databricks-backed Scope | Key Vault / Secrets Manager-backed Scope |
|---|---|---|
| Where secrets are stored | Databricks internal encrypted storage | Azure Key Vault / AWS Secrets Manager |
| How to create | Databricks CLI / Secrets API | Databricks CLI + Key Vault/SM configuration |
| Secret management | Add / update / delete on the Databricks side | Managed on the Key Vault / Secrets Manager side |
| ACL control | Databricks ACLs (MANAGE/READ/WRITE) | Key Vault/SM access policies + Databricks ACLs |
| Cloud dependency | None (multi-cloud friendly) | Tied to a specific cloud |
| Audit logs | Databricks audit logs only | Recorded in both Databricks and Key Vault/SM |
| Rotation | Manual update via the Secrets API | Can leverage Key Vault/SM automatic rotation |
| Recommended use case | Environments where everything happens inside Databricks | Environments with a company-wide secret management platform |
Here are the Databricks CLI commands for managing Secret Scopes and secrets.
# Create a Scope
databricks secrets create-scope --scope production-secrets
# Add a secret (value is entered at the prompt)
databricks secrets put-secret --scope production-secrets --key db-password
# Add a secret (pass the value directly as a string)
databricks secrets put-secret --scope production-secrets \
--key api-key --string-value "sk-abc123..."
# List Scopes
databricks secrets list-scopes
# List keys in a Scope (values are not shown)
databricks secrets list-secrets --scope production-secrets
# Delete a secret
databricks secrets delete-secret --scope production-secrets --key api-key
# Delete a Scope (also deletes all secrets under it)
databricks secrets delete-scope --scope production-secrets# Create an Azure Key Vault-backed Scope
databricks secrets create-scope --scope kv-production \
--scope-backend-type AZURE_KEYVAULT \
--resource-id "/subscriptions/<sub_id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault_name>" \
--dns-name "https://<vault_name>.vault.azure.net/"
# For Key Vault-backed Scopes, add/update/delete happens on the Key Vault side.
# From Databricks, only READ via dbutils.secrets.get is allowed.# List Scopes via the REST API
curl -X GET "https://<workspace_url>/api/2.0/secrets/scopes/list" \
-H "Authorization: Bearer <token>"
# Add a secret via the REST API
curl -X POST "https://<workspace_url>/api/2.0/secrets/put" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"scope": "production-secrets",
"key": "db-password",
"string_value": "P@ssw0rd123"
}'Here are common implementation patterns for using secrets inside notebooks and jobs.
# Pattern 1: JDBC database connection
jdbc_url = "jdbc:postgresql://prod-db.example.com:5432/analytics"
username = dbutils.secrets.get(scope="production-secrets", key="db-username")
password = dbutils.secrets.get(scope="production-secrets", key="db-password")
df = (spark.read
.format("jdbc")
.option("url", jdbc_url)
.option("dbtable", "public.orders")
.option("user", username)
.option("password", password)
.load())
# Pattern 2: External API request
import requests
api_key = dbutils.secrets.get(scope="production-secrets", key="api-key")
response = requests.get(
"https://api.example.com/data",
headers={"Authorization": f"Bearer {api_key}"}
)
# Pattern 3: Azure Storage connection (via Spark Config)
storage_key = dbutils.secrets.get(scope="production-secrets", key="storage-key")
spark.conf.set(
"fs.azure.account.key.mystorageaccount.dfs.core.windows.net",
storage_key
)
df = spark.read.parquet("abfss://[email protected]/data/")Databricks automatically replaces values fetched via dbutils.secrets.get with [REDACTED] whenever they would appear in a notebook output cell. This applies not only in the notebook UI but also in job output logs and the result of the display() function.
# Running the code below produces...
password = dbutils.secrets.get(scope="production-secrets", key="db-password")
print(password)
# → Notebook output: [REDACTED]
print(f"Password is: {password}")
# → Notebook output: Password is: [REDACTED]
# But the value still works as a normal variable
# JDBC connections and API calls can use it without issuesSecret Redaction is purely display-side masking — the secret value still exists in memory. It does not fully protect against malicious code that, for example, prints the secret one character at a time. That is why it is critical to combine it with Secret Scope ACLs to control who can access which Scope.
ACLs can be configured per Secret Scope (Premium plan or above). There are three permission levels.
| Permission level | What you can do | Example grantees |
|---|---|---|
| MANAGE | Change ACLs, add/delete/read secrets, change Scope configuration | Administrators, the Scope creator |
| WRITE | Add/update secrets (read is also allowed) | Service principals used by CI/CD pipelines |
| READ | Read secrets via dbutils.secrets.get | Service principals for job execution, developers |
# Configure ACLs (Databricks CLI)
databricks secrets put-acl --scope production-secrets \
--principal data-engineers --permission READ
databricks secrets put-acl --scope production-secrets \
--principal cicd-sp --permission WRITE
# List ACLs
databricks secrets list-acls --scope production-secrets
# Delete an ACL
databricks secrets delete-acl --scope production-secrets \
--principal data-engineersSecret Scopes show up on both the Data Engineer Associate and Professional exams. Make sure you are comfortable with these recurring patterns:
[REDACTED] is shown (Secret Redaction)dbutils.secrets.get(scope=..., key=...)dbutils.secrets.list()" → a list of key names (no values; metadata only)Data Engineer / Security
問題 1
A data engineer calls dbutils.secrets.get(scope='prod', key='db-pass') in a notebook and prints the returned value with print(). What is displayed in the notebook output cell?
正解: B
Values fetched via dbutils.secrets.get are automatically replaced with [REDACTED] when rendered in a notebook output cell — this is Secret Redaction. It applies to print(), display(), and f-string interpolation alike. The value is never shown in plain text or as a hash, and no error is raised. The variable still holds the correct value in memory, so JDBC connections and API calls continue to work normally.
Should I choose a Databricks-backed Scope or a Key Vault-backed Scope?
If your organization already centralizes secrets in Azure Key Vault or AWS Secrets Manager, choose a Key Vault-backed Scope (or Secrets Manager-backed Scope) and integrate with the existing system. If you manage secrets only inside Databricks, or want to stay cloud-agnostic in a multi-cloud setup, a Databricks-backed Scope is the better fit. With Key Vault-backed Scopes, secret lifecycle operations (create/update/delete) happen on the Key Vault side, and Databricks only has READ access.
What is Secret Redaction? Can I see secret values in a notebook?
Secret Redaction is a security feature that automatically replaces secret values fetched via dbutils.secrets.get with [REDACTED] whenever they would be displayed in a notebook output cell. Calling print() or display() on a secret renders [REDACTED] on screen, which prevents accidental leaks when sharing notebooks. The secret value still works normally as a variable in code, so API calls and DB connections still work.
Who can configure Secret Scope ACLs (MANAGE/READ/WRITE)?
ACLs on a Secret Scope are configured by users with the MANAGE permission. The Scope creator automatically receives MANAGE. MANAGE holders can change ACLs and add/delete/list secrets. READ allows reading secrets via dbutils.secrets.get, and WRITE allows adding/updating secrets. Fine-grained ACLs require the Premium plan or above; on Standard and below, ACLs are unavailable and every user can access every Scope.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)
Complete guide to all 7 Databricks certifications — Data Eng...
Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)
Every Databricks certification ranked by difficulty, with st...
Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)
How to pass Databricks certifications efficiently. Official ...
Databricks Data Engineer Associate: Complete Guide (2026)
Domain-by-domain breakdown of the Databricks Certified Data ...
Databricks Data Engineer Professional: Complete Guide (2026)
Tactics for the Databricks Certified Data Engineer Professio...