Secrets in Unity Catalog
This feature is in Public Preview.
This page describes how to create, read, govern, and manage secrets in Unity Catalog. A Unity Catalog secret is a securable object that stores sensitive material, such as a password, token, or API key. Your notebooks and jobs can reference the secret without exposing the value in code.
Unity Catalog secrets use the three-level namespace (catalog.schema.secret) and are available across the workspaces attached to a metastore. Unity Catalog privileges govern them. This enables you to apply the same access model and auditing that you use for other data assets to your secrets.
Unity Catalog secrets are distinct from workspace-level Databricks secrets, which are organized into secret scopes. Use Unity Catalog secrets when you want to govern secrets with Unity Catalog privileges and reference them with the three-level namespace.
How Unity Catalog secrets work
A Unity Catalog secret is a securable object under a schema, with the fully qualified name catalog.schema.secret. Like other Unity Catalog securable objects, secrets support privilege inheritance from the catalog and schema. For more information about securable objects and inheritance, see Unity Catalog securable objects reference.
You can use a Unity Catalog secret in the following ways:
- Retrieve the value in code. With
READ SECRETaccess, users can retrieve a secret value from notebooks and jobs usingdbutilsor the Unity Catalog REST API. They can then use it to authenticate with external systems or to encrypt and decrypt data. - Reference the value from Unity Catalog objects. Unity Catalog objects, such as Unity Catalog connections, can reference a secret by name so that an integration can use the secret without granting users access to the value. Depending on the object, referencing a secret requires either
REFERENCE SECRETorREAD SECRET.
Databricks stores Unity Catalog secret values encrypted and applies secret redaction to reduce accidental exposure in outputs and logs. To rotate a secret, periodically update its value in the UI or with the Unity Catalog REST API.
Privileges for Unity Catalog secrets
The following privileges govern secrets. You can grant them at the catalog, schema, or individual secret level, and they follow Unity Catalog privilege inheritance.
Privilege | Description |
|---|---|
| Allows a user to create a secret in a schema. Granted at the catalog or schema level. |
| Allows a user to retrieve a secret value. |
| Allows a user to update a secret value. |
| Allows a user to reference a secret, for example from a Unity Catalog connection, without access to the value. |
To create a secret in a schema, a user must have USE CATALOG permission and either own the schema or have CREATE SECRET and USE SCHEMA on the schema. To learn how to grant privileges, see Manage privileges in Unity Catalog.
Before you begin
To use Unity Catalog secrets, you must meet the following requirements:
- The workspace must be enabled for Unity Catalog. For an introduction, see What is Unity Catalog?.
- You must access secrets from Unity Catalog-enabled compute. Databricks recommends one of the following:
- Serverless jobs and notebooks using environment version 4 or above.
- Classic compute in standard access mode running Databricks Runtime 17.3 LTS or above.
- To retrieve secrets with
dbutils, the compute must run Databricks Runtime 17.3 LTS or above, or serverless environment version 4 or above.
Create a secret
Creating a secret requires that you have USE CATALOG permission and own the schema or have CREATE SECRET and USE SCHEMA on the schema. See Privileges for Unity Catalog secrets.
- Catalog Explorer
- REST API
- In your Databricks workspace, click Catalog to open Catalog Explorer.
- Go to the schema where you want to create the secret.
- Click Create > Secret.
- Enter a name and value. Optionally, add a comment and an expiration date. If a secret expires, Catalog Explorer shows a warning.
- Click Create.
Run the following cURL command using the /api/2.1/unity-catalog/secrets endpoint:
curl -X POST \
-H "Authorization: Bearer $DATABRICKS_TOKEN" \
-H 'Content-Type: application/json' \
-d '{
"catalog_name": "main",
"schema_name": "default",
"name": "example_secret",
"value": "your_secret_value",
"comment": "your secret description"
}' \
"$DATABRICKS_HOST/api/2.1/unity-catalog/secrets"
Read a secret
To read a secret value, you must have READ SECRET on the secret or on a parent catalog or schema.
- Secrets utility (dbutils.secrets)
- REST API
Databricks recommends dbutils to read secrets, because it applies secret redaction. This option requires Databricks Runtime 17.3 LTS or above, or serverless environment version 4 or above.
# Read a specific secret
my_secret = dbutils.secrets.get(catalog="main", schema="default", key="example_secret")
For more information, see Secrets utility (dbutils.secrets).
Secret values retrieved with the Unity Catalog REST API are not subject to secret redaction, though access is still recorded in audit logs. Databricks recommends dbutils instead.
To return the value, set include_value=true and read the effective_value field in the response:
curl -G \
-H "Authorization: Bearer $DATABRICKS_TOKEN" \
--data-urlencode "include_value=true" \
"$DATABRICKS_HOST/api/2.1/unity-catalog/secrets/main.default.example_secret"
Manage permissions on secrets
Grant CREATE SECRET at the catalog or schema level to control who can create secrets. Grant READ SECRET, WRITE SECRET, or REFERENCE SECRET at the catalog, schema, or individual secret level to control access. Privilege inheritance applies. To learn more about granting and revoking privileges, see Manage privileges in Unity Catalog.
Grant the ability to create secrets
- Catalog Explorer
- SQL
- REST API
-
In Catalog Explorer, go to the schema.
-
Click the Permissions tab.
-
Click Grant.
-
Select the principals to grant access to, then select CREATE SECRET.
If a principal does not have
USE SCHEMA, a warning prompts you to grant it.USE SCHEMAis also required to create secrets in the schema. -
Click Confirm.
GRANT CREATE SECRET, USE SCHEMA ON SCHEMA main.default TO `user@example.com`;
Run the following cURL command using the /api/2.1/unity-catalog/permissions/schema/{schema_name} endpoint:
curl -X PATCH \
-H "Authorization: Bearer $DATABRICKS_TOKEN" \
-H 'Content-Type: application/json' \
-d '{
"changes": [{
"principal": "user@example.com",
"add": ["CREATE_SECRET", "READ_SECRET", "REFERENCE_SECRET", "WRITE_SECRET"]
}]
}' \
"$DATABRICKS_HOST/api/2.1/unity-catalog/permissions/schema/{schema_name}"
Grant access to a secret
- Catalog Explorer
- SQL
- REST API
- In Catalog Explorer, go to the secret and click it.
- Click the Permissions tab.
- Click Grant.
- Select the principals and the privileges to grant, then click Confirm.
GRANT READ SECRET ON SECRET main.default.example_secret TO `user@example.com`;
Run the following cURL command using the /api/2.1/unity-catalog/permissions/secret/{catalog.schema.secret} endpoint:
curl -X PATCH \
-H "Authorization: Bearer $DATABRICKS_TOKEN" \
-H 'Content-Type: application/json' \
-d '{
"changes": [{
"principal": "user@example.com",
"add": ["READ_SECRET", "REFERENCE_SECRET", "WRITE_SECRET"]
}]
}' \
"$DATABRICKS_HOST/api/2.1/unity-catalog/permissions/secret/{catalog.schema.secret}"
List, update, and delete secrets
List secrets
- Catalog Explorer
- Secrets utility (dbutils.secrets)
- REST API
- In Catalog Explorer, go to the schema.
- In the Overview pane, click Secrets to see all secrets in the schema.
# List all secrets in a schema
all_secrets = dbutils.secrets.list(catalog="main", schema="default")
List requests use page_size to control the number of results:
curl -G \
-H "Authorization: Bearer $DATABRICKS_TOKEN" \
--data-urlencode "catalog_name=main" \
--data-urlencode "schema_name=default" \
"$DATABRICKS_HOST/api/2.1/unity-catalog/secrets"
Update a secret
To update a secret value, you must have WRITE SECRET on the secret.
- Catalog Explorer
- REST API
- In Catalog Explorer, go to the schema and click Secrets in the Overview pane.
- Click the secret to update.
- In the top-right corner, click the kebab menu (vertical dots) and select Edit.
- Enter a new value or expiration date, then click Confirm.
Update requests require the update_mask parameter. Only fields included in both update_mask and the request body are updated:
curl -X PATCH \
-H "Authorization: Bearer $DATABRICKS_TOKEN" \
-H 'Content-Type: application/json' \
-d '{"value": "new_secret_value"}' \
"$DATABRICKS_HOST/api/2.1/unity-catalog/secrets/main.default.example_secret?update_mask=*"
Delete a secret
- Catalog Explorer
- REST API
- In Catalog Explorer, go to the schema and click Secrets in the Overview pane.
- Click the secret to delete.
- In the top-right corner, click the kebab menu (vertical dots) and select Delete.
- Enter the full name of the secret, then click Delete.
curl -X DELETE \
-H "Authorization: Bearer $DATABRICKS_TOKEN" \
"$DATABRICKS_HOST/api/2.1/unity-catalog/secrets/main.default.example_secret"
Audit events for Unity Catalog secrets
The system.access.audit system table records events related to Unity Catalog secrets. For example, to see all secret events for a user on a specific date, run the following query:
SELECT * FROM system.access.audit
WHERE
user_identity.email = "user@example.com"
AND event_date = "2026-02-20"
AND service_name = "unityCatalog"
AND action_name LIKE "%Secret%";
For more information about audit logs, see Audit log system table reference.
Encrypt secret values with customer-managed keys
By default, Databricks encrypts secret values with Databricks-managed keys. You can instead use customer-managed keys (CMK). If you enable the CMK-encrypted managed catalog feature and attach a CMK configuration to your account, Databricks uses the CMK to encrypt secret values. For more information, see Customer-managed keys for Unity Catalog.
Limitations
Unity Catalog secrets have the following limitations:
- No SQL warehouses. Unity Catalog secrets are not supported on SQL warehouses. They require Databricks Runtime 17.3 LTS or above on Unity Catalog-enabled compute, or serverless.
- No global discovery. Unity Catalog secrets do not appear in global search.
- No BROWSE permission support.
BROWSEon a catalog doesn't apply to Unity Catalog secrets. To make a secret discoverable, grantREAD SECRETorREFERENCE SECRETon the individual secret or its schema. - No init scripts. You cannot use Unity Catalog secrets in global or cluster init scripts. Databricks recommends using dedicated features instead of init scripts where possible.
- No information schema. Information schema tables for secrets are not yet available. Use Catalog Explorer or the REST API for discovery.
dbutilsruntime scope.dbutilsretrieval is supported on Databricks Runtime-backed notebooks and jobs. Non-Databricks Runtime contexts, such as remote development or compiled JAR run modes, are not supported.- OAuth API scope. The Unity Catalog secrets API is accessible only with the
unity-catalogOAuth API scope. Use thesecretsAPI scope only for workspace-level Databricks secrets. - Quota limits. Up to 100 secrets per schema and 1,000 per metastore.