机密 CLI(旧)

重要

本文档已过时,将来可能不会更新。

此信息适用于旧版 Databricks CLI 0.18 及更低版本。 Databricks 建议改用较新的 Databricks CLI 0.205 或更高版本。 请参阅什么是 Databricks CLI?。 若要查找你的 Databricks CLI 的版本,请运行 databricks -v

要从 Databricks CLI 版本 0.18 或更低版本迁移到 Databricks CLI 版本 0.205 或更高版本,请参阅 Databricks CLI 迁移

可以通过将 Databricks 机密 CLI 子命令附加到 databricks secrets 来运行这些命令。 这些子命令调用机密 API

有关机密的详细信息,请参阅机密管理

注意

机密 CLI 需要 Databricks CLI 0.7.1 或更高版本。

databricks secrets --help
Usage: databricks secrets [OPTIONS] COMMAND [ARGS]...

  Utility to interact with secret API.

Options:
  -v, --version   [VERSION]
  --profile TEXT  CLI connection profile to use. The default profile is
                  "DEFAULT".
  -h, --help      Show this message and exit.

Commands:
  create-scope  Creates a secret scope.
    Options:
      --scope SCOPE                  The name of the secret scope.
      --initial-manage-principal     The initial principal that can manage the created secret scope.
                                      If specified, the initial ACL with MANAGE permission applied
                                      to the scope is assigned to the supplied principal (user or group).
                                      The only supported principal is the group
                                      "users", which contains all users in the workspace. If not
                                      specified, the initial ACL with MANAGE permission applied to
                                      the scope is assigned to request issuer's user identity.
  delete        Deletes a secret.
    Options:
      --scope SCOPE                  The name of the secret scope.
      --key KEY                      The name of secret key.
  delete-acl    Deletes an access control rule for a principal.
    Options:
      --scope SCOPE                  The name of the scope.
      --principal PRINCIPAL          The name of the principal.
  delete-scope  Deletes a secret scope.
    Options:
      --scope SCOPE                  The name of the secret scope.
  get-acl       Gets the details for an access control rule.
    Options:
      --scope SCOPE                  The name of the secret scope.
      --principal PRINCIPAL          The name of the principal.
      --output FORMAT                JSON or TABLE. Set to TABLE by default.
  list          Lists all the secrets in a scope.
    Options:
      --scope SCOPE                  The name of the secret scope.
      --output FORMAT                JSON or TABLE. Set to TABLE by default.
  list-acls     Lists all access control rules for a given secret scope.
    Options:
      --scope SCOPE                  The name of the secret scope.
      --output FORMAT                JSON or TABLE. Set to TABLE by default.
  list-scopes   Lists all secret scopes.
      --output FORMAT                JSON or TABLE. Set to TABLE by default.
  put           Puts a secret in a scope.
    Options:
      --scope SCOPE                  The name of the secret scope.
      --key KEY                      The name of the secret key.
      --string-value TEXT            Read value from string and stored in UTF-8 (MB4) form
      --binary-file PATH             Read value from binary-file and stored as bytes.
  put-acl       Creates or overwrites an access control rule for a principal
                applied to a given secret scope.
    Options:
      --scope SCOPE                    The name of the secret scope.
      --principal PRINCIPAL            The name of the principal.
      --permission [MANAGE|WRITE|READ] The permission to apply.
  write         Puts a secret in a scope. "write" is an alias for "put".
    Options:
      --scope SCOPE                  The name of the secret scope.
      --key KEY                      The name of the secret key.
      --string-value TEXT            Read value from string and stored in UTF-8 (MB4) form
      --binary-file PATH             Read value from binary-file and stored as bytes.
  write-acl     Creates or overwrites an access control rule for a principal
                applied to a given secret scope. "write-acl" is an alias for
                "put-acl".
    Options:
      --scope SCOPE                    The name of the secret scope.
      --principal PRINCIPAL            The name of the principal.
      --permission [MANAGE|WRITE|READ] The permission to apply.

创建机密范围

若要显示使用情况文档,请运行 databricks secrets create-scope --help

databricks secrets create-scope --scope my-scope

如果成功,则不显示任何输出。

若要使用 Databricks CLI 创建 Azure Key Vault 支持的机密范围,请运行 databricks secrets create-scope --help 以显示有关其他 --scope-backend-type--resource-id--dns-name 选项的信息。 有关详细信息,请参阅机密管理

删除机密

若要显示使用情况文档,请运行 databricks secrets delete --help

databricks secrets delete --scope my-scope --key my-key

如果成功,则不显示任何输出。

撤销主体的 ACL

若要显示使用情况文档,请运行 databricks secrets delete-acl --help

databricks secrets delete-acl --scope my-scope --principal someone@example.com

如果成功,则不显示任何输出。

删除机密范围

若要显示使用情况文档,请运行 databricks secrets delete-scope --help

databricks secrets delete-scope --scope my-scope

如果成功,则不显示任何输出。

获取主体的 ACL

若要显示使用情况文档,请运行 databricks secrets get-acl --help

databricks secrets get-acl --scope my-scope --principal someone@example.com --output JSON
{
  "principal": "sonmeone@example.com",
  "permission": "MANAGE"
}

列出机密范围内存储的密钥

若要显示使用情况文档,请运行 databricks secrets list --help

databricks secrets list --scope my-scope --output JSON
{
  "secrets": [
    {
      "key": "my-key",
      "last_updated_timestamp": 1621284092605
    }
  ]
}

注意

不能使用 Databricks CLI 访问机密值。 若要访问机密值,必须使用 Databricks 笔记本中的 Databricks 实用工具机密实用工具

列出机密范围内的 ACL

若要显示使用情况文档,请运行 databricks secrets list-acls --help

databricks secrets list-acls --scope my-scope --output JSON
{
  "items": [
    {
      "principal": "someone@example.com",
      "permission": "MANAGE"
    }
  ]
}

列出工作区中所有可用的机密范围

若要显示使用情况文档,请运行 databricks secrets list-scopes --help

databricks secrets list-scopes --output JSON
{
  "scopes": [
    {
      "name": "my-scope",
      "backend_type": "DATABRICKS"
    }
  ]
}

创建或更新机密

若要显示使用情况文档,请运行 databricks secrets put --helpdatabricks secrets write --help

可通过三种方式存储机密。 最简单的方法是使用 --string-value 选项;机密将以 UTF-8 (MB4) 格式存储。 你应谨慎使用此选项,因为你的机密可能以纯文本形式存储在你的命令行历史记录中。

databricks secrets put --scope my-scope --key my-key --string-value my-value

或:

databricks secrets write --scope my-scope --key my-key --string-value my-value

如果成功,则不显示任何输出。

你还可以使用 --binary-file 选项提供存储在文件中的机密。 将按原样读取文件内容并将其以字节形式存储。

databricks secrets put --scope my-scope --key my-key --binary-file my-secret.txt

或:

databricks secrets write --scope my-scope --key my-key --binary-file my-secret.txt

如果成功,则不显示任何输出。

如果未指定其中一个选项,系统会打开编辑器供你输入机密。 请按照编辑器中显示的说明输入机密。

databricks secrets put --scope my-scope --key my-key

或:

databricks secrets write --scope my-scope --key my-key

# ----------------------------------------------------------------------
# Do not edit the above line. Everything below it will be ignored.
# Please input your secret value above the line. Text will be stored in
# UTF-8 (MB4) form and any trailing new line will be stripped.
# Exit without saving will abort writing secret.

授予主体的 ACL 或将其更改为机密范围

若要显示使用情况文档,请运行 databricks secrets put-acl --helpdatabricks secrets write-acl --help

databricks secrets put-acl --scope my-scope --principal someone@example.com --permission MANAGE

或:

databricks secrets write-acl --scope my-scope --principal someone@example.com --permission MANAGE

如果成功,则不显示任何输出。