In this blog, I explain the Databricks CLI commands (version 0.205 and above) for handling secrets and secret scopes.

To check your latest version, use the below command.

Secrets are stored in scopes, so the commands cover both. I’ve focused on those related to creating, listing, deleting, and putting (adding/updating) secrets and scopes.

Here are practical examples of managing Databricks secrets (scopes + secrets inside them) using both:

Terminal → Databricks CLI (version 0.205+ recommended in 2025–2026)
Notebook → dbutils.secrets utility (Python/Scala cells)

SCOPE: The name of the scope (alphanumeric characters, dashes, underscores, and periods; max 128 characters).

All commands start with databricks secrets and may require appropriate permissions (e.g., WRITE or MANAGE). Use flags like --json for custom request bodies where noted. For full details, refer to the official documentation.

Bonus (using UI): the endpoint below is hidden and is used to create a scope:
https://<tenantid>.cloud.databricks.com/#secrets/createScope

Create a secret scope

# Simple creation (most common)
databricks secrets create-scope s4hana-prod
# With initial manage permission for all users (useful in some orgs)
databricks secrets create-scope finance-scope --initial-manage-principal users

# Using JSON (advanced / scripting)
databricks secrets create-scope --json '{"scope": "finance-scope", "initial_manage_principal": "users"}'

Put / create or update a secret (two main ways)

databricks secrets put-secret s4hana-prod api-token
# → editor opens → paste your long token → Ctrl+S → Enter → Ctrl+X

Direct string value:
databricks secrets put-secret s4hana-prod db-password --string-value "SuperSecretPass123!"

Bytes / binary value:
databricks secrets put-secret s4hana-prod cert-pem --bytes-value "$(cat mycert.pem | base64)"

Multi-line secret via pipe:
cat << EOF | databricks secrets put-secret s4hana-prod private-key
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC…
-----END PRIVATE KEY-----
EOF

JSON style (good for automation):
databricks secrets put-secret --json '{
  "scope": "s4hana-prod",
  "key": "snowflake-token",
  "string_value": "oabc123xyz…"
}'

List all secret scopes
databricks secrets list-scopes

List secrets (keys only – values never shown)
databricks secrets list-secrets s4hana-prod

Delete a single secret
databricks secrets delete-secret s4hana-prod db-password

Delete entire scope (careful – irreversible!)
databricks secrets delete-scope finance-scope

Notebook Examples (using dbutils.secrets)

List all available scopes
display(dbutils.secrets.listScopes())

List keys inside one scope (metadata only)
display(dbutils.secrets.list("s4hana-prod"))

Read / use a secret (most common usage)

# Basic retrieval
api_token = dbutils.secrets.get(scope="s4hana-prod", key="api-token")
print("Token length:", len(api_token))  # never print the real value!
# Real-world example: read from Snowflake / database / storage
snowflake_password = dbutils.secrets.get("s4hana-prod", "snowflake-password")
# Parentheses let the reader chain continue across lines
df = (
    spark.read
    .format("snowflake")
    .option("sfURL", "youraccount.snowflakecomputing.com")
    .option("sfDatabase", "PROD_DB")
    .option("sfSchema", "PUBLIC")
    .option("sfWarehouse", "COMPUTE_WH")
    .option("sfRole", "SYSADMIN")
    .option("user", "svc_databricks")
    .option("password", snowflake_password)
    .option("dbtable", "sales")
    .load()
)
display(df.limit(10))

Bonus: get as bytes (rare – keys, certs)
cert_bytes = dbutils.secrets.getBytes(scope="s4hana-prod", key="cert-pem")
print(type(cert_bytes))  # → <class 'bytes'>
print(len(cert_bytes))  # size in bytes
# cert_str = cert_bytes.decode("utf-8")  # if you need string

Quick Workflow Summary (most common pattern)

Terminal (one-time setup / CI/CD):
databricks secrets create-scope s4hana-prod
databricks secrets put-secret s4hana-prod service-principal-secret # interactive
databricks secrets put-secret s4hana-prod storage-key --string-value "…"
databricks secrets list-secrets s4hana-prod

Notebook (every day usage):
token = dbutils.secrets.get("s4hana-prod", "service-principal-secret")
# use token in API calls, connectors, etc.

Never hard-code or commit secrets — always reference them via dbutils.secrets.get(…).

Let me know if you want examples for ACLs (put-acl, list-acls), Azure Key Vault backed scopes, or CI/CD integration (GitHub Actions / Azure DevOps)!
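
The CI/CD half of the workflow summary, as an added example that is not part of the original post: it checks the scope name against the naming rule quoted earlier and sends the value to put-secret on stdin (the same mechanism as the multi-line pipe example), so the secret does not appear in shell history or the process list the way a --string-value argument does. The function names, the DATABRICKS_BIN override and the STORAGE_KEY variable name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# DATABRICKS_BIN override are assumptions made for this example.

# Scope naming rule quoted in the post: alphanumeric characters, dashes,
# underscores and periods; max 128 characters.
valid_scope_name() (
  LC_ALL=C   # byte-wise ranges, so A-Z cannot match accented letters
  case $1 in
    '' | *[!A-Za-z0-9._-]*) exit 1 ;;
  esac
  [ "${#1}" -le 128 ]
)

# put_secret_from_env SCOPE KEY ENV_VAR
# Weak form (value visible in argv, shell history and CI command echo):
#   databricks secrets put-secret "$scope" "$key" --string-value "$VALUE"
# Hardened form used here: the value only ever travels over stdin.
put_secret_from_env() {
  scope=$1 key=$2 var=$3
  if ! valid_scope_name "$scope"; then
    echo "refusing invalid scope name: $scope" >&2
    return 2
  fi
  # printenv fails for an unset variable; -z rejects an empty one.
  if ! value=$(printenv "$var") || [ -z "$value" ]; then
    echo "environment variable $var is unset or empty" >&2
    return 3
  fi
  # printf '%s' writes no trailing newline, so none is stored in the secret.
  printf '%s' "$value" |
    "${DATABRICKS_BIN:-databricks}" secrets put-secret "$scope" "$key"
}

# Pipeline step (STORAGE_KEY is a masked CI variable; the name is constructed):
#   put_secret_from_env s4hana-prod storage-key STORAGE_KEY
```

The variable named in the third argument must be exported, because the function reads it with printenv.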