I am trying to create an Azure Databricks scope programmatically, as I found that once a scope has been created, Databricks will not be able to see any secrets created in Key Vault after the scope has been created.

According to the MS documentation, this can be done programmatically; see here.

I am doing this from a PowerShell terminal.

databricks secrets create-scope --scope my_scope --scope-backend-type AZURE_KEYVAULT --resource-id "/subscriptions/xxxx/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-db-kv" --dns-name "https://my-db-kv.vault.azure.net/" --initial-manage-principal users

I then get the error.

Error: b'{"error_code":"INVALID_PARAMETER_VALUE","message":"Scope with Azure KeyVault must have userAADToken defined!"}'

learner

1 Answer

I tried to create an Azure Key Vault-backed scope using the Databricks CLI with the command below:

databricks secrets create-scope --scope keyscope --scope-backend-type AZURE_KEYVAULT --resource-id "<resourceId>" --dns-name https:<KeyVaultDNSName>

I got the below error:

As per this, it is a limitation of the Azure Databricks workspace. You can create an Azure Key Vault-backed scope using the https://<databricksinstance>#secrets/createScope URI. Copy the values of the resource ID and Key Vault URI from the Key Vault Properties tab:

Paste them at the above URI and click on Create; the scope will be added successfully:

Bhavani