How to Store and Manage SAP Secrets Using SAP Databricks CLI: A Developer’s Guide

This blog explains the Databricks CLI commands (version 0.205 and above) for handling secrets and secret scopes.
Check which CLI version you have installed before you start.
Secrets are stored in scopes, so commands cover both. I’ve focused on those related to creating, listing, deleting, and putting (adding/updating) secrets and scopes.
 

Here are practical examples of managing Databricks secrets (scopes + secrets inside them) using both:

  • Terminal → Databricks CLI (version 0.205+ recommended in 2025–2026)
  • Notebook → dbutils.secrets utility (Python/Scala cells)
SCOPE: The name of the scope (alphanumeric characters, dashes, underscores, and periods; max 128 characters).

All commands start with databricks secrets and may require appropriate permissions (e.g., WRITE or MANAGE). Use flags like --json for custom request bodies where noted. For full details, refer to the official documentation.

Bonus (using the UI): the endpoint below is hidden, and you can use it to create a scope:

https://<tenantid>.cloud.databricks.com/#secrets/createScope

Create a secret scope
# Simple creation (most common)
databricks secrets create-scope s4hana-prod

# With initial MANAGE permission for all workspace users (useful in some orgs)
databricks secrets create-scope finance-scope --initial-manage-principal users

# Using JSON (advanced / scripting)
databricks secrets create-scope --json '{"scope": "finance-scope", "initial_manage_principal": "users"}'
Put / create or update a secret (two main ways)
databricks secrets put-secret s4hana-prod api-token
# → editor opens → paste your long token → Ctrl+S → Enter → Ctrl+X
Direct string value:
databricks secrets put-secret s4hana-prod db-password --string-value "SuperSecretPass123!"
Bytes / binary value:
databricks secrets put-secret s4hana-prod cert-pem --bytes-value "$(cat mycert.pem | base64)"
Multi-line secret via pipe:
cat << EOF | databricks secrets put-secret s4hana-prod private-key
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC...
-----END PRIVATE KEY-----
EOF
JSON style (good for automation):
databricks secrets put-secret --json '{
  "scope": "s4hana-prod",
  "key": "snowflake-token",
  "string_value": "oabc123xyz..."
}'
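
A safer variant of the put-secret commands above, as an added example that is not part of the original post: it checks the scope name against the SCOPE rule quoted earlier and feeds the value from a file on stdin (as in the pipe example), so the secret never sits in the command line or shell history the way --string-value "..." does. The function names, the file-permission check and the exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post).

# Scope rule quoted on this page: alphanumerics, dashes, underscores,
# periods; at most 128 characters.
valid_scope_name() {
  local LC_ALL=C   # byte-wise ranges, so A-Z means ASCII letters only
  [ -n "$1" ] && [ "${#1}" -le 128 ] || return 1
  case $1 in *[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# put_secret_from_file SCOPE KEY FILE   (hypothetical helper)
# Returns 2 = bad scope name, 3 = missing/empty file, 4 = file readable by others.
put_secret_from_file() {
  local scope=$1 key=$2 file=$3 perms
  valid_scope_name "$scope" || { echo "invalid scope name: $scope" >&2; return 2; }
  [ -s "$file" ] || { echo "secret file missing or empty: $file" >&2; return 3; }

  # Characters 5-10 of the mode string are the group and other permission bits.
  perms=$(ls -ldL "$file" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "$file is accessible to group/other" >&2; return 4; }

  # The value travels on stdin only; argv holds just the scope and key names.
  # The file's bytes are sent as-is, including any trailing newline.
  databricks secrets put-secret "$scope" "$key" < "$file"
}

# Usage (constructed path):
#   put_secret_from_file s4hana-prod db-password /run/secrets/db-password
```
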

 

List all secret scopes
databricks secrets list-scopes
List secrets (keys only – values never shown)
databricks secrets list-secrets s4hana-prod
Delete a single secret
databricks secrets delete-secret s4hana-prod db-password
Delete entire scope (careful – irreversible!)
databricks secrets delete-scope finance-scope

 

Notebook Examples (using dbutils.secrets)

List all available scopes
display(dbutils.secrets.listScopes())
List keys inside one scope (metadata only)
display(dbutils.secrets.list("s4hana-prod"))
Read / use a secret (most common usage)
# Basic retrieval
api_token = dbutils.secrets.get(scope="s4hana-prod", key="api-token")
print("Token length:", len(api_token))   # never print the real value!

# Real-world example: read from Snowflake / database / storage
snowflake_password = dbutils.secrets.get("s4hana-prod", "snowflake-password")

# Parentheses let the chained calls span several lines
df = (
    spark.read
    .format("snowflake")
    .option("sfURL", "youraccount.snowflakecomputing.com")
    .option("sfDatabase", "PROD_DB")
    .option("sfSchema", "PUBLIC")
    .option("sfWarehouse", "COMPUTE_WH")
    .option("sfRole", "SYSADMIN")
    .option("user", "svc_databricks")
    .option("password", snowflake_password)
    .option("dbtable", "sales")
    .load()
)

display(df.limit(10))

 

 Bonus: get as bytes (rare – keys, certs)
cert_bytes = dbutils.secrets.getBytes(scope="s4hana-prod", key="cert-pem")
print(type(cert_bytes))          # → <class 'bytes'>
print(len(cert_bytes))           # size in bytes
# cert_str = cert_bytes.decode("utf-8")   # if you need string
 
 Quick Workflow Summary (most common pattern)
Terminal (one-time setup / CI/CD):
databricks secrets create-scope s4hana-prod
databricks secrets put-secret s4hana-prod service-principal-secret   # interactive
databricks secrets put-secret s4hana-prod storage-key --string-value "..."
databricks secrets list-secrets s4hana-prod

Notebook (everyday usage):

token = dbutils.secrets.get("s4hana-prod", "service-principal-secret")
# use token in API calls, connectors, etc.
 
Never hard-code or commit secrets — always reference them via dbutils.secrets.get(…).
 
Let me know if you want examples for ACLs (put-acl, list-acls), Azure Key Vault backed scopes, or CI/CD integration (GitHub Actions / Azure DevOps)!
 


By ali
