Service principals

A service principal is a specialized identity in Databricks designed for automation and programmatic access. Service principals provide secure, API-only access to Databricks resources for automated tools, scripts, and CI/CD platforms, without relying on individual user credentials.

For how to manage service principals, see Manage service principals.

note

This page assumes your workspace has identity federation enabled, which is the default for most workspaces. For information about legacy workspaces without identity federation, see Legacy workspaces without identity federation.

What is a service principal?

Service principals give automated tools and scripts API-only access to Databricks resources, providing greater security than using user accounts. You can grant and restrict a service principal's access to resources in the same way as you can a Databricks user. For example, you can grant a service principal the account admin or workspace admin role, grant access to data using Unity Catalog, or add a service principal as a member to a group.

You can grant Databricks users, service principals, and groups permissions to use a service principal. This allows users to run jobs as the service principal, instead of as their identity, which prevents jobs from failing if a user leaves your organization or a group is modified.

Common use cases

Service principals are ideal for automation scenarios like the following, where you need secure, reliable programmatic access to Databricks resources:

  • CI/CD pipelines: Deploy notebooks, libraries, and configurations automatically as part of your continuous integration and deployment workflows.
  • Scheduled jobs: Run ETL pipelines, data processing jobs, and automated reports on a schedule without depending on individual user accounts.
  • Cross-system integrations: Connect external applications and services to Databricks for data ingestion, transformation, or analytics.
  • Automated testing: Execute integration tests and validate data pipelines as part of your testing framework.
  • Infrastructure as code: Provision and manage Databricks resources using tools like Terraform, ARM templates, or Databricks Asset Bundles.

Who can manage and use service principals?

To manage service principals in Databricks, you must have one of the following roles:

Account admins

  • Add service principals to the account and assign them admin roles.
  • Assign service principals to workspaces.
  • Automatically have the service principal manager role on all service principals in the account.

Workspace admins

  • Add service principals to a Databricks workspace.
  • Assign them the workspace admin role.
  • Manage access to objects and functionality in the workspace.
  • Automatically have the service principal manager role on service principals they create.
  • Create tokens on behalf of service principals when they have the service principal user role.

Service principal managers

  • Manage roles on a service principal.
  • Assign the service principal manager role to other users.

Service principal users

  • Run jobs as the service principal, using its identity instead of the job owner's identity.

note

  • The creator of a service principal automatically becomes its service principal manager.
  • Users with the service principal manager role do not inherit the service principal user role. If you want to use the service principal to run jobs, you must explicitly assign yourself the service principal user role, even after creating the service principal.

For information on how to grant the service principal manager and user roles, see Roles for managing service principals.

Additional resources