Add secrets management tools (scopes and secrets CRUD) #417
Open
jralfonsog wants to merge 4 commits into databricks-solutions:main from
Scope CRUD (create, list, delete) and secret operations (put, get, list, delete). get_secret defaults to metadata-only (exists + byte length) to prevent leaking values into LLM context. Full value retrieval is opt-in via return_value=True for programmatic use only. Co-authored-by: Isaac
7 tools: create/list/delete scopes, put/get/list/delete secrets. get_secret returns metadata only (exists + byte length) — secret values are never exposed to the LLM. Scope create/delete integrates with manifest resource tracking. Co-authored-by: Isaac
Covers create/list/delete scopes, put/get/list/delete secrets, metadata-only vs full-value get_secret modes, validation errors, and not-found handling. Co-authored-by: Isaac
- Docstrings: opening """ on its own line
- MCP module header: add tool listing
- Returns sections: bullet list format for dict keys
- Manifest imports: late imports in try blocks
- Idempotent create: create_secret_scope returns created flag on ResourceAlreadyExists
- MCP tool renamed to create_or_update_secret_scope
Co-authored-by: Isaac
Summary
Adds a new secrets management module — previously a Tier 1 gap (entirely missing from the tool suite).
- create_secret_scope, list_secret_scopes, delete_secret_scope
- put_secret (upsert), get_secret, list_secrets, delete_secret

Security design
Secret values are sensitive material that must not leak into LLM conversation context. The tools implement a layered security approach:
- get_secret (MCP): exists, value_length
- get_secret (core lib): return_value=True
- put_secret
- list_secrets
The core library function's return_value parameter is documented with a WARNING that it must never be exposed through MCP tools.

Changes
- secrets/__init__.py
- secrets/secrets.py
- tools/secrets.py: @mcp.tool(timeout=30) wrappers with manifest tracking
- server.py: secrets in tool imports
- tests/unit/test_secrets.py

Test plan
- aws-fe workspace: get_secret MCP tool confirmed to never return secret values

This pull request was AI-assisted by Isaac
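
A sketch of the metadata-only design described in this PR, added here as an illustration and not taken from the PR's code. The in-memory store, the `get_secret_tool` wrapper name, the allowlist, the signature check and the not-found return shape are assumptions; only `get_secret`, `return_value`, `exists` and `value_length` come from the description above.

```python
import inspect

# Constructed in-memory stand-in for a workspace secret store (not the Databricks API).
_FAKE_STORE = {("demo-scope", "api-token"): "s3cr3t-välue"}

# Only these keys may ever cross into tool output and therefore into LLM context.
_TOOL_SAFE_KEYS = frozenset({"scope", "key", "exists", "value_length"})


def get_secret(scope: str, key: str, return_value: bool = False) -> dict:
    """Core-library style lookup: metadata by default, value only on opt-in.

    WARNING: return_value=True is for programmatic callers only and must
    never be reachable from a tool wrapper.
    """
    value = _FAKE_STORE.get((scope, key))
    if value is None:
        # Assumed not-found shape for this sketch; the real module may raise instead.
        return {"scope": scope, "key": key, "exists": False, "value_length": 0}
    result = {
        "scope": scope,
        "key": key,
        "exists": True,
        # Byte length, not character count: multi-byte characters count in full.
        "value_length": len(value.encode("utf-8")),
    }
    if return_value:
        result["value"] = value
    return result


def get_secret_tool(scope: str, key: str) -> dict:
    """Tool-facing wrapper: no return_value parameter, allowlisted output keys."""
    raw = get_secret(scope, key)  # never passes return_value=True
    # Second layer: if the core function ever grows new fields, they are dropped here.
    return {k: v for k, v in raw.items() if k in _TOOL_SAFE_KEYS}


def tool_exposes_value_switch(tool) -> bool:
    """Regression guard: True if the callable's signature lets a caller request values."""
    return "return_value" in inspect.signature(tool).parameters
```

The signature check is the kind of assertion a unit test can pin down so that a later refactor cannot quietly forward `return_value` through the tool layer.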