Manage service principals


This feature is in Public Preview.

A service principal is an identity created for use with automated tools, running jobs, and applications. You can restrict a service principal’s access to resources using permissions, in the same way as a Databricks user. You can add a service principal to a group. Unlike a Databricks user, a service principal is an API-only identity; it can’t access the Databricks UI or CLI directly.

To use service principals, your Databricks workspace must be on the E2 version of the Databricks platform. For information about creating E2 workspaces, see Create and manage workspaces using the account console. All new Databricks accounts and most existing accounts are now E2. If you are not sure which account type you have, contact your Databricks representative.

A Databricks admin user can create and manage service principals using the SCIM API. An admin can temporarily enable or permanently delete a service principal’s account.

To grant a service principal access to the API, an admin user grants the Can Use token permission to the service principal.

For security reasons, Databricks recommends using service principals to give automated tools and scripts API-only access to Databricks resources.

Add or remove an entitlement for a service principal

To add or remove an entitlement for a service principal, use the SCIM API (ServicePrincipals).
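As an illustration of the add/remove step above, this added example (not taken from the Databricks documentation) compares the entitlements a service principal holds against a desired set and builds the SCIM PatchOp request that reconciles them, without sending it. The host, token, service principal ID and sample record are constructed placeholders, and the `/api/2.0/preview/scim/v2/ServicePrincipals` path and the shape of the `remove` operation are assumptions to confirm against the SCIM API reference for your workspace.

```python
import json
import urllib.request

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SP_ENDPOINT = "/api/2.0/preview/scim/v2/ServicePrincipals"  # assumed path

# Constructed sample of a service principal record as returned by a SCIM GET.
SAMPLE_SP = {
    "id": "1234567890",
    "displayName": "ci-deployer",
    "entitlements": [{"value": "allow-cluster-create"},
                     {"value": "allow-instance-pool-create"}],
}

def reconcile_entitlements(record, desired):
    """Build a PatchOp body moving the record's entitlements to `desired`.

    Returns None when the service principal already matches.
    """
    held = {e["value"] for e in record.get("entitlements", [])}
    wanted = set(desired)
    ops = []
    for op, names in (("add", wanted - held), ("remove", held - wanted)):
        if names:
            ops.append({"op": op, "path": "entitlements",
                        "value": [{"value": n} for n in sorted(names)]})
    return {"schemas": [PATCH_SCHEMA], "Operations": ops} if ops else None

def build_patch_request(host, token, sp_id, body):
    """Prepare (but do not send) the PATCH call for one service principal."""
    return urllib.request.Request(
        f"{host.rstrip('/')}{SP_ENDPOINT}/{sp_id}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/scim+json"},
    )

if __name__ == "__main__":
    # Placeholder host and token; the call must be made by an admin user.
    body = reconcile_entitlements(SAMPLE_SP, ["allow-cluster-create"])
    req = build_patch_request("https://example.cloud.databricks.com",
                              "<admin-token>", SAMPLE_SP["id"], body)
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=2))
```

Passing the prepared request to `urllib.request.urlopen` would apply the change; reviewing the printed body first makes it easy to see which entitlements would be dropped.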