Manage service principals

Preview

This feature is in Public Preview.

A service principal is an identity created for use with automated tools, running jobs, and applications. You can restrict a service principal’s access to resources using permissions, in the same way as a Databricks user. You can add entitlements to a service principal. You can add a service principal to a group, including the admins group. Unlike a Databricks user, a service principal is an API-only identity; it can’t access the Databricks UI or CLI directly.

To use service principals, your Databricks workspace must be on the E2 version of the Databricks platform. For information about creating E2 workspaces, see Create and manage workspaces using the account console. All new Databricks accounts and most existing accounts are now E2. If you are not sure which account type you have, contact your Databricks representative.

A Databricks admin user can create and manage service principals using the SCIM API 2.0. An admin can temporarily enable or permanently delete a service principal’s account.

To grant a service principal access to the API, an admin user grants the Can Use token permission to the service principal.

For security reasons, Databricks recommends using service principals to give automated tools and scripts API-only access to Databricks resources.

Manage personal access tokens for a service principal

To allow a service principal to authenticate to Databricks on the command line or in a script, an administrator can create a personal access token on behalf of the service principal using the token management REST API. An administrator can also list personal access tokens and delete them using the same API.

Note

It’s not possible to create, list, or manage a token for a service principal from within the Databricks UI.

Manage entitlements for a service principal

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way. In the following table, each entitlement’s UI and API name is shown.

| Entitlement name (UI) | Entitlement name (API) | Default | Description |
|---|---|---|---|
| Workspace access | workspace-access | Granted by default. | When granted to a user or service principal, they can access the Data Science & Engineering workspace and Databricks Machine Learning. Can’t be removed from workspace administrators. |
| Databricks SQL access | databricks-sql-access | Granted by default. | When granted to a user or service principal, they can access Databricks SQL. |
| Allow unrestricted cluster creation | allow-cluster-create | Not granted to users or service principals by default. | When granted to a user or service principal, they can create clusters. You can restrict access to existing clusters using cluster-level permissions. Can’t be removed from admin users. |
| allow-instance-pool-create | allow-instance-pool-create | Can’t be granted to individual users or service principals. | When granted to a group, its members can create instance pools. Can’t be removed from workspace administrators. |

Important

To log in and access Databricks, a user must have either the Databricks SQL access or Workspace access entitlement (or both).

To add or remove an entitlement for a service principal, use the SCIM API 2.0 (ServicePrincipals).
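The following added example (not Databricks code; written for this page) builds the request bodies for the three operations described above: creating a service principal with entitlements via the SCIM API 2.0, adding or removing an entitlement with a SCIM PATCH, and minting a personal access token on behalf of the service principal via the token management API. The endpoint paths, the `DATABRICKS_HOST`/`DATABRICKS_TOKEN` environment variable names, and the SCIM remove-by-filter path form are assumptions from the public API shapes, not taken from this page; the entitlement checks enforce the rules in the table (instance-pool creation is group-only).

```python
import json
import os
import urllib.request

SP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# API names from the entitlement table that may be granted directly to a service principal.
DIRECT_ENTITLEMENTS = {"workspace-access", "databricks-sql-access", "allow-cluster-create"}
# Grantable only to a group; a service principal can only inherit it through membership.
GROUP_ONLY_ENTITLEMENTS = {"allow-instance-pool-create"}


def _check_entitlements(names):
    for name in names:
        if name in GROUP_ONLY_ENTITLEMENTS:
            raise ValueError(f"{name} can only be granted to a group, not a service principal")
        if name not in DIRECT_ENTITLEMENTS:
            raise ValueError(f"unknown entitlement: {name}")


def create_service_principal_body(display_name, entitlements=()):
    """Body for POST /api/2.0/preview/scim/v2/ServicePrincipals (assumed path)."""
    _check_entitlements(entitlements)
    return {"schemas": [SP_SCHEMA], "displayName": display_name, "active": True,
            "entitlements": [{"value": e} for e in entitlements]}


def entitlement_patch_body(op, entitlement):
    """Body for PATCH .../ServicePrincipals/{id}; op is 'add' or 'remove'."""
    if op not in ("add", "remove"):
        raise ValueError("op must be 'add' or 'remove'")
    _check_entitlements([entitlement])
    if op == "add":
        operation = {"op": "add", "path": "entitlements", "value": [{"value": entitlement}]}
    else:  # SCIM removes a multi-valued attribute entry by filter path, not by value
        operation = {"op": "remove", "path": f'entitlements[value eq "{entitlement}"]'}
    return {"schemas": [PATCH_SCHEMA], "Operations": [operation]}


def on_behalf_of_token_body(application_id, comment, lifetime_seconds=3600):
    """Body for POST /api/2.0/token-management/on-behalf-of/tokens (assumed path)."""
    if lifetime_seconds <= 0:  # never mint a non-expiring token for an automation identity
        raise ValueError("on-behalf-of tokens must carry a finite lifetime")
    return {"application_id": application_id, "comment": comment,
            "lifetime_seconds": lifetime_seconds}


def call(method, path, body):
    """Send one JSON request authenticated with an admin PAT (env var names assumed)."""
    host, pat = os.environ["DATABRICKS_HOST"], os.environ["DATABRICKS_TOKEN"]
    req = urllib.request.Request(f"https://{host}{path}", data=json.dumps(body).encode(),
                                 method=method, headers={"Authorization": f"Bearer {pat}",
                                                         "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Typical use is `call("POST", "/api/2.0/preview/scim/v2/ServicePrincipals", create_service_principal_body("ci-deployer"))`, then a PATCH with `entitlement_patch_body` on the returned `id`, and finally `on_behalf_of_token_body` with the returned `applicationId`.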