Add resources to a Databricks app
Your Databricks apps can integrate with various Databricks platform features, such as Databricks SQL for querying data, Lakeflow Jobs for data ingestion and processing, Mosaic AI Model Serving to access generative AI models, and Databricks secrets for managing sensitive information. In the context of apps, these platform features are referred to as resources.
To keep apps portable and secure, avoid hardcoding resource IDs. For example, instead of embedding a fixed SQL warehouse ID in your `app.yaml` file, configure the SQL warehouse as a resource through the Databricks Apps UI or in `databricks.yaml`.
Prerequisites
To add a resource to an app, the following conditions must be met:
- The resource must exist.
- The user adding the resource must have the `CAN MANAGE` permission on the resource and the app.
Apps run with least privilege and rely on existing resources within the Databricks platform. When deployed, the app’s service principal accesses these resources and must have the necessary permissions, such as table-level access for SQL queries or read access to secrets. See Configure authorization in a Databricks app.
Configure resources for your app
Resources allow your app to securely connect to services that it depends on, without hardcoding sensitive or environment-specific values.
Add resources directly in the Apps UI when you create or edit your app.
- In the App resources section of the create or edit flow, click + Add resource.
- Select the resource type you want to add.
- Set the permissions for the app service principal on the resource.
- Assign a key to the resource, and reference that key in your `app.yaml` file.
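The same four steps can be expressed declaratively instead of in the UI. The following is an added example, not code from the Databricks documentation or from any Databricks project: a `databricks.yaml` bundle definition in which each entry under `resources` names a resource type, the permission granted to the app's service principal (the least-privilege grants recommended below), and the key that `app.yaml` later references. The app name, the resource keys (`sql-warehouse`, `model-endpoint`, `api-key`) and the placeholder IDs are my own; the field names follow the Databricks Asset Bundles app schema as I understand it, so check them against the bundle reference before relying on them.

```yaml
# Added example: bundle definition for an app with three resources.
# The warehouse ID, endpoint name, secret scope and key are constructed placeholders.
resources:
  apps:
    sales_dashboard:
      name: sales-dashboard
      source_code_path: ./app
      resources:
        # Resource type: SQL warehouse. CAN_USE is enough to run queries,
        # so the service principal is not given CAN_MANAGE on the warehouse.
        - name: sql-warehouse            # key that app.yaml refers to
          description: Warehouse used for dashboard queries
          sql_warehouse:
            id: "<warehouse-id-placeholder>"
            permission: CAN_USE
        # Resource type: serving endpoint. CAN_QUERY allows inference requests only.
        - name: model-endpoint
          serving_endpoint:
            name: "<serving-endpoint-name-placeholder>"
            permission: CAN_QUERY
        # Resource type: secret. READ lets the app read the value without
        # being able to list or manage the rest of the scope.
        - name: api-key
          secret:
            scope: "<secret-scope-placeholder>"
            key: "<secret-key-placeholder>"
            permission: READ
```

Because the IDs live in the bundle rather than in application code, the same app source can be deployed to another workspace by changing only the bundle's resource section, and the permissions each resource grants are visible in one place for review.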
Manage app access to resources
Each app has a dedicated service principal. Follow these best practices to manage access securely.
- Use the app's service principal for authentication. Never hardcode Personal Access Tokens (PATs) in your code. Access credentials are automatically injected as the environment variables `CLIENT_ID` and `CLIENT_SECRET`.
- Don't share service principal credentials between apps or across users. Each app should use its own dedicated credentials for isolation and security.
- Apply least privilege access. Grant only the minimum required permissions to the app's service principal. For example:
  - Grant `CAN USE` on a SQL warehouse if the app only needs to run queries.
  - Grant `CAN QUERY` on a serving endpoint if the app only sends inference requests.
  - Grant `SELECT` or `MODIFY` on Unity Catalog tables based on the app's data access needs.
Next steps
After you add resources to your app, reference these resources in the `env` section of your app configuration using the `valueFrom` field. For instructions, see Define environment variables in a Databricks app.
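To make the contrast from the top of this page concrete, here is an added example (not from the Databricks documentation or any Databricks project) showing two versions of `app.yaml` back to back: one with a warehouse ID hardcoded as a plain `value`, and one that uses `valueFrom` to reference resource keys. The environment variable names and the resource keys (`sql-warehouse`, `model-endpoint`, `api-key`) are my own and are assumed to have been assigned to the corresponding resources in the Apps UI or in `databricks.yaml`.

```yaml
# Added example, file 1: app.yaml with a hardcoded ID (avoid).
# The ID is a constructed placeholder. Moving the app to another workspace,
# or replacing the warehouse, means editing and redeploying the app.
command: ["python", "app.py"]
env:
  - name: DATABRICKS_WAREHOUSE_ID
    value: "<hardcoded-warehouse-id-placeholder>"
---
# Added example, file 2: the same app.yaml using resource keys (preferred).
# Each valueFrom names a resource key; the platform resolves it at runtime
# to the resource the app's service principal was granted and injects
# the result into the environment variable.
command: ["python", "app.py"]
env:
  - name: DATABRICKS_WAREHOUSE_ID
    valueFrom: sql-warehouse        # key assigned to the SQL warehouse resource
  - name: MODEL_ENDPOINT_NAME
    valueFrom: model-endpoint       # key assigned to the serving endpoint resource
  - name: EXTERNAL_API_KEY
    valueFrom: api-key              # key assigned to the secret resource
```

In the second file nothing environment-specific or sensitive appears in the descriptor: the warehouse ID, endpoint name and secret value all arrive through the environment, and the app code reads them with ordinary `os.environ` lookups (or the equivalent in its language) rather than embedding them.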