From c2824fa554880f527e912e9936d8bb52069d30a1 Mon Sep 17 00:00:00 2001
From: Anton Nekipelov <226657+anton-107@users.noreply.github.com>
Date: Mon, 12 May 2025 17:07:57 +0200
Subject: [PATCH 01/13] example bundle that creates and uses a secret scope
---
knowledge_base/job_read_secret/README.md | 32 ++++++++++++++
knowledge_base/job_read_secret/databricks.yml | 43 +++++++++++++++++++
.../jobs/example_spark_python_task.py | 29 +++++++++++++
3 files changed, 104 insertions(+)
create mode 100644 knowledge_base/job_read_secret/README.md
create mode 100644 knowledge_base/job_read_secret/databricks.yml
create mode 100644 knowledge_base/job_read_secret/jobs/example_spark_python_task.py
diff --git a/knowledge_base/job_read_secret/README.md b/knowledge_base/job_read_secret/README.md
new file mode 100644
index 00000000..79ef70a0
--- /dev/null
+++ b/knowledge_base/job_read_secret/README.md
@@ -0,0 +1,32 @@
+# Databricks job that reads a secret from a secret scope
+
+This example demonstrates how to define a secret scope and a job/task that reads from it in a Databricks Asset Bundle.
+
+It includes and deploys an example secret scope, a job managed by DABs and a task that reads a secret from the secret scope to a Databricks workspace.
+
+For more information about Databricks Secrets, please refer to the [documentation](https://docs.databricks.com/aws/en/security/secrets).
+
+## Prerequisites
+
+* Databricks CLI v0.252.0 or above
+
+## Usage
+
+Modify `databricks.yml`:
+* Update the `host` field under `workspace` to the Databricks workspace to deploy to.
+* Change the name of the secret scope under the `secret_scopes` field.
+
+Run `databricks bundle deploy` to deploy the bundle.
+
+Run a script to write a secret to the secret scope:
+
+```
+SECRET_SCOPE_NAME=$(databricks bundle summary -o json | jq -r '.resources.secret_scopes.my_secret_scope.name')
+
+databricks secrets put-secret ${SECRET_SCOPE_NAME} example-key --string-value example-value --profile ${DATABRICKS_PROFILE}
+```
+
+Run the job:
+```
+databricks bundle run example_python_job
+```
\ No newline at end of file
diff --git a/knowledge_base/job_read_secret/databricks.yml b/knowledge_base/job_read_secret/databricks.yml
new file mode 100644
index 00000000..f111bc9f
--- /dev/null
+++ b/knowledge_base/job_read_secret/databricks.yml
@@ -0,0 +1,43 @@
+bundle:
+ name: job-read-secret-example
+
+# workspace:
+# host: https://myworkspace.cloud.databricks.com
+
+resources:
+ secret_scopes:
+ my_secret_scope:
+ name: secrets-scope-1
+ permissions:
+ - level: CAN_VIEW
+ group_name: users
+ - level: CAN_MANAGE
+ group_name: admins
+ jobs:
+ example_python_job:
+ name: "example-python-job"
+ parameters:
+ - name: "scope_name"
+ default: ${resources.secret_scopes.my_secret_scope.name}
+ tasks:
+ - task_key: example_python_task
+ spark_python_task:
+ python_file: "jobs/example_spark_python_task.py"
+ parameters:
+ - --scope_name={{job.parameters.scope_name}}
+
+# Defines the targets for this bundle.
+# Targets allow you to deploy the same bundle to different Databricks workspaces.
+targets:
+ dev:
+ # This target is for development purposes.
+ # It defaults to the current Databricks workspace.
+ default: true
+ resources:
+ secret_scopes:
+ my_secret_scope:
+ name: ${workspace.current_user.short_name}-my-secrets
+ jobs:
+ example_python_job:
+ name: "${workspace.current_user.short_name}-example-python-job"
+
\ No newline at end of file
diff --git a/knowledge_base/job_read_secret/jobs/example_spark_python_task.py b/knowledge_base/job_read_secret/jobs/example_spark_python_task.py
new file mode 100644
index 00000000..0a100404
--- /dev/null
+++ b/knowledge_base/job_read_secret/jobs/example_spark_python_task.py
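Review bot: In databricks.yml the `permissions` block of `my_secret_scope` grants `CAN_VIEW` to `group_name: users`, which in Databricks is the built-in group holding every workspace user, so anyone in the workspace could read whatever is later stored in this scope. Readers tend to copy example bundles as-is, so the read grant is better scoped to the principal that runs the job, for example `group_name: <job-runners-group>` (placeholder), or at least annotated with `# 'users' = all workspace users; narrow before storing real secrets`. The `dev` target in this hunk overrides only the scope name, so the same grant applies there, and the later hunk that edits this block (PATCH 13/13) keeps the `users` entry.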
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+import os
+from datetime import datetime
+import argparse
+
+def main():
+ # Get current timestamp
+ now = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+
+ # Print job information
+ print(f"Example Python job started at: {now}")
+
+ # Read a secret from a passed secret scope
+ try:
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-s", "--scope_name", help="Name of the secret scope")
+ args = parser.parse_args()
+ scope_name = args.scope_name
+
+ secret_value = dbutils.secrets.get(scope=scope_name, key="example-key")
+ print(f"Successfully retrieved secret. First few characters: {secret_value[:3]}***")
+ except Exception as e:
+ print(f"Could not access secret: {str(e)}")
+
+ print("Example Python job completed successfully")
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
From 10dda4eae6f7aece8066dca454defa556609766b Mon Sep 17 00:00:00 2001
From: Anton Nekipelov <226657+anton-107@users.noreply.github.com>
Date: Mon, 12 May 2025 17:26:24 +0200
Subject: [PATCH 02/13] ruff format
---
.../jobs/example_spark_python_task.py | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/knowledge_base/job_read_secret/jobs/example_spark_python_task.py b/knowledge_base/job_read_secret/jobs/example_spark_python_task.py
index 0a100404..013f6bcb 100644
--- a/knowledge_base/job_read_secret/jobs/example_spark_python_task.py
+++ b/knowledge_base/job_read_secret/jobs/example_spark_python_task.py
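Review bot: The success message in `main()` of example_spark_python_task.py (PATCH 01/13) interpolates `{secret_value[:3]}`, which writes the first three characters of the secret into the job run output, readable by anyone who can view the run; Databricks' output redaction matches the whole secret value, so a slice is most likely not masked. Confirm retrieval without echoing any part of the value: `print("Successfully retrieved secret.")`. The `except Exception` branch only prints the error and then falls through to "Example Python job completed successfully", so a failed read still ends the run as a success; add a bare `raise` after the print. That would also surface a NameError from `dbutils`, which this script never imports or defines (whether the task runtime injects it should be confirmed). The same `print` is carried over unchanged by the `ruff format` hunk in PATCH 02/13.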
@@ -4,26 +4,30 @@ from datetime import datetime import argparse + def main(): # Get current timestamp now = datetime.now().strftime("%Y-%m-%d %H:%M:%S") - + # Print job information print(f"Example Python job started at: {now}") - + # Read a secret from a passed secret scope try: parser = argparse.ArgumentParser() parser.add_argument("-s", "--scope_name", help="Name of the secret scope") args = parser.parse_args() scope_name = args.scope_name - + secret_value = dbutils.secrets.get(scope=scope_name, key="example-key") - print(f"Successfully retrieved secret. First few characters: {secret_value[:3]}***") + print( + f"Successfully retrieved secret. First few characters: {secret_value[:3]}***" + ) except Exception as e: print(f"Could not access secret: {str(e)}") - + print("Example Python job completed successfully") + if __name__ == "__main__": - main() \ No newline at end of file + main() From 39895b6a637141313c088f97f777e6ecb1da89c8 Mon Sep 17 00:00:00 2001 From: Anton Nekipelov <226657+anton-107@users.noreply.github.com> Date: Thu, 15 May 2025 11:53:31 +0200 Subject: [PATCH 03/13] Update knowledge_base/job_read_secret/README.md Co-authored-by: Julia Crawford (Databricks) --- knowledge_base/job_read_secret/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/knowledge_base/job_read_secret/README.md b/knowledge_base/job_read_secret/README.md index 79ef70a0..6851d62c 100644 --- a/knowledge_base/job_read_secret/README.md +++ b/knowledge_base/job_read_secret/README.md @@ -1,6 +1,6 @@ # Databricks job that reads a secret from a secret scope -This example demonstrates how to define a secret scope and a job/task that reads from it in a Databricks Asset Bundle. +This example demonstrates how to define a secret scope and a job with a task that reads from it in a Databricks Asset Bundle. It includes and deploys an example secret scope, a job managed by DABs and a task that reads a secret from the secret scope to a Databricks workspace. 
From 14b9682ea509403968c708efe3a0447b870b0a0c Mon Sep 17 00:00:00 2001 From: Anton Nekipelov <226657+anton-107@users.noreply.github.com> Date: Thu, 15 May 2025 11:53:55 +0200 Subject: [PATCH 04/13] Update knowledge_base/job_read_secret/README.md Co-authored-by: Julia Crawford (Databricks) --- knowledge_base/job_read_secret/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/knowledge_base/job_read_secret/README.md b/knowledge_base/job_read_secret/README.md index 6851d62c..affcf3b0 100644 --- a/knowledge_base/job_read_secret/README.md +++ b/knowledge_base/job_read_secret/README.md @@ -4,7 +4,7 @@ This example demonstrates how to define a secret scope and a job with a task tha It includes and deploys an example secret scope, a job managed by DABs and a task that reads a secret from the secret scope to a Databricks workspace. -For more information about Databricks Secrets, please refer to the [documentation](https://docs.databricks.com/aws/en/security/secrets). +For more information about Databricks secrets, see the [documentation](https://docs.databricks.com/aws/en/security/secrets). ## Prerequisites From db64d4800c8c487cc15556df084c0d23738955be Mon Sep 17 00:00:00 2001 From: Anton Nekipelov <226657+anton-107@users.noreply.github.com> Date: Thu, 15 May 2025 11:54:09 +0200 Subject: [PATCH 05/13] Update knowledge_base/job_read_secret/README.md Co-authored-by: Julia Crawford (Databricks) --- knowledge_base/job_read_secret/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/knowledge_base/job_read_secret/README.md b/knowledge_base/job_read_secret/README.md index affcf3b0..85ea1a55 100644 --- a/knowledge_base/job_read_secret/README.md +++ b/knowledge_base/job_read_secret/README.md 
@@ -2,7 +2,7 @@ This example demonstrates how to define a secret scope and a job with a task that reads from it in a Databricks Asset Bundle. -It includes and deploys an example secret scope, a job managed by DABs and a task that reads a secret from the secret scope to a Databricks workspace. +It includes and deploys an example secret scope, and a job with a task in a bundle that reads a secret from the secret scope to a Databricks workspace. For more information about Databricks secrets, see the [documentation](https://docs.databricks.com/aws/en/security/secrets). From 514f30515ca89b9d86f779a8ecef810f89266706 Mon Sep 17 00:00:00 2001 From: Anton Nekipelov <226657+anton-107@users.noreply.github.com> Date: Thu, 15 May 2025 12:08:28 +0200 Subject: [PATCH 06/13] Add prod target --- knowledge_base/job_read_secret/databricks.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/knowledge_base/job_read_secret/databricks.yml b/knowledge_base/job_read_secret/databricks.yml index f111bc9f..043df299 100644 --- a/knowledge_base/job_read_secret/databricks.yml +++ b/knowledge_base/job_read_secret/databricks.yml @@ -29,10 +29,14 @@ resources: # Defines the targets for this bundle. # Targets allow you to deploy the same bundle to different Databricks workspaces. targets: + prod: { + # No overrides + } dev: # This target is for development purposes. # It defaults to the current Databricks workspace. default: true + mode: development resources: secret_scopes: my_secret_scope: From b59433d05c617ba3a14fccec158f0953a65f4213 Mon Sep 17 00:00:00 2001 From: Anton Nekipelov <226657+anton-107@users.noreply.github.com> Date: Thu, 15 May 2025 12:09:19 +0200 Subject: [PATCH 07/13] remove unnecessary step from README --- knowledge_base/job_read_secret/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/knowledge_base/job_read_secret/README.md b/knowledge_base/job_read_secret/README.md index 85ea1a55..1bf0ff9c 100644 --- a/knowledge_base/job_read_secret/README.md 
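Review bot: The `prod` target added to databricks.yml in PATCH 06/13 has no overrides at all, so it inherits the commented-out `workspace.host` and carries no `mode: production`; `databricks bundle deploy -t prod` would then create the secret scope and its grants in whichever workspace the active CLI profile happens to point at. For a target that manages secrets, pin it explicitly, e.g. `mode: production` plus `workspace:` / `host: <prod-workspace-url>` (placeholder) under `prod:`. If the empty target is intentional for the example, a comment saying that the host comes from the caller's profile would prevent it from being copied unchanged.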
+++ b/knowledge_base/job_read_secret/README.md @@ -13,8 +13,7 @@ For more information about Databricks secrets, see the [documentation](https://d ## Usage Modify `databricks.yml`: -* Update the `host` field under `workspace` to the Databricks workspace to deploy to. -* Change the name of the secret scope under the `secret_scopes` field. +* Update the `host` field under `workspace` to the Databricks workspace to deploy to Run `databricks bundle deploy` to deploy the bundle. From b24820aa5344f2959b270542a42539eaea365767 Mon Sep 17 00:00:00 2001 From: Anton Nekipelov <226657+anton-107@users.noreply.github.com> Date: Thu, 15 May 2025 12:11:10 +0200 Subject: [PATCH 08/13] rename jobs/ folder to src/ --- knowledge_base/job_read_secret/databricks.yml | 2 +- .../job_read_secret/{jobs => src}/example_spark_python_task.py | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename knowledge_base/job_read_secret/{jobs => src}/example_spark_python_task.py (100%) diff --git a/knowledge_base/job_read_secret/databricks.yml b/knowledge_base/job_read_secret/databricks.yml index 043df299..2db3ff10 100644 --- a/knowledge_base/job_read_secret/databricks.yml +++ b/knowledge_base/job_read_secret/databricks.yml @@ -22,7 +22,7 @@ resources: tasks: - task_key: example_python_task spark_python_task: - python_file: "jobs/example_spark_python_task.py" + python_file: "src/example_spark_python_task.py" parameters: - --scope_name={{job.parameters.scope_name}} diff --git a/knowledge_base/job_read_secret/jobs/example_spark_python_task.py b/knowledge_base/job_read_secret/src/example_spark_python_task.py similarity index 100% rename from knowledge_base/job_read_secret/jobs/example_spark_python_task.py rename to knowledge_base/job_read_secret/src/example_spark_python_task.py From 9fdb323e849fddb11797d398a7197a3c0ea6363e Mon Sep 17 00:00:00 2001 
From: Anton Nekipelov <226657+anton-107@users.noreply.github.com> Date: Thu, 15 May 2025 13:30:40 +0200 Subject: [PATCH 09/13] Update knowledge_base/job_read_secret/README.md Co-authored-by: shreyas-goenka <88374338+shreyas-goenka@users.noreply.github.com> --- knowledge_base/job_read_secret/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/knowledge_base/job_read_secret/README.md b/knowledge_base/job_read_secret/README.md index 1bf0ff9c..63f3da27 100644 --- a/knowledge_base/job_read_secret/README.md +++ b/knowledge_base/job_read_secret/README.md @@ -22,7 +22,7 @@ Run a script to write a secret to the secret scope: ``` SECRET_SCOPE_NAME=$(databricks bundle summary -o json | jq -r '.resources.secret_scopes.my_secret_scope.name') -databricks secrets put-secret ${SECRET_SCOPE_NAME} example-key --string-value example-value --profile ${DATABRICKS_PROFILE} +databricks secrets put-secret ${SECRET_SCOPE_NAME} example-key --string-value example-value ``` Run the job: From 482137aa868781e3d90aef521f2a06aebb98a50d Mon Sep 17 00:00:00 2001 From: Anton Nekipelov <226657+anton-107@users.noreply.github.com> Date: Thu, 15 May 2025 13:31:30 +0200 Subject: [PATCH 10/13] Update knowledge_base/job_read_secret/README.md Co-authored-by: shreyas-goenka <88374338+shreyas-goenka@users.noreply.github.com> --- knowledge_base/job_read_secret/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/knowledge_base/job_read_secret/README.md b/knowledge_base/job_read_secret/README.md index 63f3da27..a5157435 100644 --- a/knowledge_base/job_read_secret/README.md +++ b/knowledge_base/job_read_secret/README.md 
@@ -17,7 +17,7 @@ Modify `databricks.yml`: Run `databricks bundle deploy` to deploy the bundle. -Run a script to write a secret to the secret scope: +Run this script to write a secret to the secret scope. Databricks CLI commands run from inside the bundle root directory use the same authentication credentials as the bundle: ``` SECRET_SCOPE_NAME=$(databricks bundle summary -o json | jq -r '.resources.secret_scopes.my_secret_scope.name') From 7fe95ff08b95b927754d705c08d6cb83f324efdb Mon Sep 17 00:00:00 2001 From: Anton Nekipelov <226657+anton-107@users.noreply.github.com> Date: Thu, 15 May 2025 13:32:45 +0200 Subject: [PATCH 11/13] Update knowledge_base/job_read_secret/databricks.yml Co-authored-by: shreyas-goenka <88374338+shreyas-goenka@users.noreply.github.com> --- knowledge_base/job_read_secret/databricks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/knowledge_base/job_read_secret/databricks.yml b/knowledge_base/job_read_secret/databricks.yml index 2db3ff10..473d8d9b 100644 --- a/knowledge_base/job_read_secret/databricks.yml +++ b/knowledge_base/job_read_secret/databricks.yml @@ -29,9 +29,9 @@ resources: # Defines the targets for this bundle. # Targets allow you to deploy the same bundle to different Databricks workspaces. targets: - prod: { + prod: # No overrides - } + dev: # This target is for development purposes. # It defaults to the current Databricks workspace. From fccf07a42fca9a34e1390bf974ef06c8445eccdf Mon Sep 17 00:00:00 2001 From: Anton Nekipelov <226657+anton-107@users.noreply.github.com> Date: Thu, 15 May 2025 13:33:21 +0200 Subject: [PATCH 12/13] Update knowledge_base/job_read_secret/databricks.yml Co-authored-by: shreyas-goenka <88374338+shreyas-goenka@users.noreply.github.com> --- knowledge_base/job_read_secret/databricks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/knowledge_base/job_read_secret/databricks.yml b/knowledge_base/job_read_secret/databricks.yml index 473d8d9b..3fe563aa 100644 
--- a/knowledge_base/job_read_secret/databricks.yml +++ b/knowledge_base/job_read_secret/databricks.yml @@ -7,7 +7,7 @@ bundle: resources: secret_scopes: my_secret_scope: - name: secrets-scope-1 + name: prod-secrets-scope permissions: - level: CAN_VIEW group_name: users From ecb35396fd31d81e263e222d52401329b1a640c3 Mon Sep 17 00:00:00 2001 From: Anton Nekipelov <226657+anton-107@users.noreply.github.com> Date: Thu, 15 May 2025 14:53:29 +0200 Subject: [PATCH 13/13] fix the permission level keywords on the resource level --- knowledge_base/job_read_secret/databricks.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/knowledge_base/job_read_secret/databricks.yml b/knowledge_base/job_read_secret/databricks.yml index 3fe563aa..35b5b8fa 100644 --- a/knowledge_base/job_read_secret/databricks.yml +++ b/knowledge_base/job_read_secret/databricks.yml @@ -9,9 +9,9 @@ resources: my_secret_scope: name: prod-secrets-scope permissions: - - level: CAN_VIEW + - level: VIEW group_name: users - - level: CAN_MANAGE + - level: MANAGE group_name: admins jobs: example_python_job: @@ -29,9 +29,9 @@ resources: # Defines the targets for this bundle. # Targets allow you to deploy the same bundle to different Databricks workspaces. targets: - prod: + prod: { # No overrides - + } dev: # This target is for development purposes. # It defaults to the current Databricks workspace. @@ -41,7 +41,4 @@ targets: secret_scopes: my_secret_scope: name: ${workspace.current_user.short_name}-my-secrets - jobs: - example_python_job: - name: "${workspace.current_user.short_name}-example-python-job" \ No newline at end of file
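Review bot: The replacement keyword `VIEW` in the first hunk of PATCH 13/13 should be checked against the bundle schema before it ships: the Databricks secret ACL API names its levels READ, WRITE and MANAGE, so `level: VIEW` may be rejected at validation or not map to a read grant. Running `databricks bundle validate` on this file would settle it; if `VIEW` is not accepted, the line would be `- level: READ`. The other two hunks of this commit (the `prod:` target going back to the `{ }` form, and the dev job-name override being removed) are not covered by the subject line and would be easier to audit as a separate commit.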