Azure Databricks pipeline secrets: what IAM teams need to know

TL;DR: Azure Databricks pipelines commonly rely on static service principal secrets to reach Azure APIs and SaaS targets, creating long-lived credential exposure and difficult-to-audit access, according to Aembit. Ephemeral, policy-based workload identity changes the control model by replacing stored secrets with short-lived tokens tied to verified runtime identity.

NHIMG editorial — based on content published by Aembit: Azure Databricks pipeline secrets are the real identity risk

By the numbers:

• 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
• 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

Questions worth separating out

Q: How should security teams replace static secrets in Databricks pipelines?

A: Replace stored service principal secrets with workload attestation and short-lived token exchange.

Q: Why do static credentials in data pipelines create NHI risk?

A: Static credentials create NHI risk because they persist beyond the business need that created them.

Q: What breaks when pipeline identity is not scoped tightly enough?

A: When identity is too broad, one job can inherit access intended for another job on the same cluster.

Practitioner guidance

• Remove embedded service principal secrets from pipeline configuration Replace hardcoded credentials in Databricks jobs with verified workload identity and short-lived token exchange so the pipeline never stores reusable secrets in code, variables, or job settings.
• Scope access at the pipeline level where workloads share a cluster Use process identifiers or job-specific identity claims so a narrow pipeline cannot inherit the broader access profile of another workload running on the same cluster.
• Audit every downstream service touched by Databricks pipelines Map which pipelines call Microsoft Graph, Azure resources, Salesforce, or other APIs, then verify whether each connection still depends on a standing secret rather than runtime attestation.

What's in the full article

Aembit's full blog post covers the operational detail this post intentionally leaves for the source:

• Step-by-step Databricks attestation flow using Azure Managed Identity and Databricks-issued OIDC tokens
• Policy examples for scoping one pipeline to Microsoft Graph while separating another from Salesforce access
• Configuration paths through the console, API, and Terraform provider for teams managing identity as code
• SIEM export details for attestation events, policy decisions, and downstream credential requests

👉 Read Aembit's analysis of secretless Azure Databricks pipeline access →

Azure Databricks pipeline secrets: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →