Describe the issue
When running a Python application (such as a Databricks Asset Bundle) and setting the Python root logger to DEBUG level, calls to dbutils.secrets.get() expose both the secret scope/key and the unmasked secret value in the logs.
Steps to reproduce the behavior
Please list the steps required to reproduce the issue, for example:
- Create a Python script in a Databricks Asset Bundle.
- Configure standard logging to DEBUG: logging.getLogger().setLevel(logging.DEBUG)
- Retrieve a secret: token = dbutils.secrets.get(scope="my_scope", key="my_token")
4.Execute the bundle and inspect the logs after it was saved to a .txt file.
Expected Behavior
Secret values fetched via dbutils should be redacted or masked in the standard output and execution logs, even when third-party library loggers are running in DEBUG mode.
Actual Behavior
The underlying py4j.clientserver logger dumps the raw network payloads for the RPC call. The response contains the unmasked secret token.
Log Output Example:
2026-04-15 13:22:04,530 - DEBUG - clientserver - line: 525 - [clientserver.py/send_command] - Command to send: c
o520
get
smy_scope
smy_token
e
2026-04-15 13:22:04,617 - DEBUG - clientserver - line: 536 - [clientserver.py/send_command] - Answer received: !ys [RAW SECRET HERE]
Databricks Runtime Version version
17.3
Describe the issue
When running a Python application (such as a Databricks Asset Bundle) and setting the Python root logger to DEBUG level, calls to dbutils.secrets.get() expose both the secret scope/key and the unmasked secret value in the logs.
Steps to reproduce the behavior
Please list the steps required to reproduce the issue, for example:
4.Execute the bundle and inspect the logs after it was saved to a .txt file.
Expected Behavior
Secret values fetched via dbutils should be redacted or masked in the standard output and execution logs, even when third-party library loggers are running in DEBUG mode.
Actual Behavior
The underlying py4j.clientserver logger dumps the raw network payloads for the RPC call. The response contains the unmasked secret token.
Log Output Example:
2026-04-15 13:22:04,530 - DEBUG - clientserver - line: 525 - [clientserver.py/send_command] - Command to send: c
o520
get
smy_scope
smy_token
e
2026-04-15 13:22:04,617 - DEBUG - clientserver - line: 536 - [clientserver.py/send_command] - Answer received: !ys [RAW SECRET HERE]
Databricks Runtime Version version
17.3