Skip to main content

vw_encryption_keys

Creates, updates, deletes, gets or lists a vw_encryption_keys resource.

Overview

Namevw_encryption_keys
TypeView
Iddatabricks_account.provisioning.vw_encryption_keys

Fields

The following fields are returned by this view:

NameDatatypeDescription
account_idstringDatabricks account ID used to scope the query.
customer_managed_key_idstringUnique identifier for the customer-managed key configuration.
creation_timeintegerUnix timestamp (ms) when the key configuration was created.
use_casestringEncryption use case this key is assigned to (one row per use case, e.g. MANAGED_SERVICES, STORAGE).
aws_key_arnstringARN of the AWS KMS key (AWS only).
aws_key_regionstringAWS region where the KMS key resides (AWS only).
aws_key_aliasstringAlias of the AWS KMS key (AWS only).
aws_reuse_key_for_volumesbooleanWhether to reuse the same KMS key for cluster EBS volumes (AWS only).
azure_key_namestringName of the Azure Key Vault key (Azure only).
azure_key_vault_uristringURI of the Azure Key Vault containing the key (Azure only).
azure_tenant_idstringAzure Active Directory tenant ID for the key vault (Azure only).
azure_key_versionstringVersion of the Azure Key Vault key (Azure only).
azure_disk_encryption_set_idstringResource ID of the Azure Disk Encryption Set using this key (Azure only).
gcp_kms_key_idstringResource ID of the GCP Cloud KMS key (GCP only).
cloud_typestringDerived cloud provider for this key configuration - one of AWS, AZURE, GCP, or UNKNOWN.

Required Parameters

The following parameters are required by this view:

NameDatatypeDescription
account_idstringDatabricks account ID used to scope the query.

SELECT Examples

SELECT
  account_id,
  customer_managed_key_id,
  creation_time,
  use_case,
  aws_key_arn,
  aws_key_region,
  aws_key_alias,
  aws_reuse_key_for_volumes,
  azure_key_name,
  azure_key_vault_uri,
  azure_tenant_id,
  azure_key_version,
  azure_disk_encryption_set_id,
  gcp_kms_key_id,
  cloud_type
FROM databricks_account.provisioning.vw_encryption_keys
WHERE account_id = '{{ account_id }}';

SQL Definition

SELECT
  k.account_id,
  k.customer_managed_key_id,
  k.creation_time,
  uc.value AS use_case,
  JSON_EXTRACT(k.aws_key_info, '$.key_arn') AS aws_key_arn,
  JSON_EXTRACT(k.aws_key_info, '$.key_region') AS aws_key_region,
  JSON_EXTRACT(k.aws_key_info, '$.key_alias') AS aws_key_alias,
  JSON_EXTRACT(k.aws_key_info, '$.reuse_key_for_cluster_volumes') AS aws_reuse_key_for_volumes,
  JSON_EXTRACT(k.azure_key_info, '$.key_name') AS azure_key_name,
  JSON_EXTRACT(k.azure_key_info, '$.key_vault_uri') AS azure_key_vault_uri,
  JSON_EXTRACT(k.azure_key_info, '$.tenant_id') AS azure_tenant_id,
  JSON_EXTRACT(k.azure_key_info, '$.version') AS azure_key_version,
  JSON_EXTRACT(k.azure_key_info, '$.disk_encryption_set_id') AS azure_disk_encryption_set_id,
  JSON_EXTRACT(k.gcp_key_info, '$.kms_key_id') AS gcp_kms_key_id,
  CASE
    WHEN k.aws_key_info IS NOT NULL THEN 'AWS'
    WHEN k.azure_key_info IS NOT NULL THEN 'AZURE'
    WHEN k.gcp_key_info IS NOT NULL THEN 'GCP'
    ELSE 'UNKNOWN'
  END AS cloud_type
FROM databricks_account.provisioning.encryption_keys k,
     JSON_EACH(k.use_cases) uc
WHERE account_id = '{{ account_id }}'