Connect to Google Cloud Storage

This article describes how to configure a connection from Databricks to read and write tables and data stored on Google Cloud Storage (GCS).

To read or write from a GCS bucket, you must create an attached service account and you must associate the bucket with the service account. You connect to the bucket directly with a key that you generate for the service account.

Access a GCS bucket directly with a Google Cloud service account key

To read and write directly to a bucket, you configure a key defined in your Spark configuration.

Step 1: Set up Google Cloud service account using Google Cloud Console

You must create a service account for the Databricks cluster. Databricks recommends giving this service account the least privileges needed to perform its tasks.

  1. Click IAM and Admin in the left navigation pane.

  2. Click Service Accounts.


  4. Enter the service account name and description.

    Google Create service account for GCS
  5. Click CREATE.

  6. Click CONTINUE.

  7. Click DONE.

Step 2: Create a key to access GCS bucket directly


The JSON key you generate for the service account is a private key that should only be shared with authorized users as it controls access to datasets and resources in your Google Cloud account.

  1. In the Google Cloud console, in the service accounts list, click the newly created account.

  2. In the Keys section, click ADD KEY > Create new key.

    Google Create Key
  3. Accept the JSON key type.

  4. Click CREATE. The key file is downloaded to your computer.

Step 3: Configure the GCS bucket

Create a bucket

If you do not already have a bucket, create one:

  1. Click Storage in the left navigation pane.


    Google Create Bucket
  3. Click CREATE.

Configure the bucket

  1. Configure the bucket details.

  2. Click the Permissions tab.

  3. Next to the Permissions label, click ADD.

    Google Bucket Details
  4. Provide the Storage Admin permission to the service account on the bucket from the Cloud Storage roles.

    Google Bucket Permissions
  5. Click SAVE.

Step 4: Put the service account key in Databricks secrets

Databricks recommends using secret scopes for storing all credentials. You can put the private key and private key id from your key JSON file into Databricks secret scopes. You can grant users, service principals, and groups in your workspace access to read the secret scopes. This protects the service account key while allowing users to access GCS. To create a secret scope, see Secrets.

Step 5: Configure a Databricks cluster

  1. In the Spark Config tab, use the following snippet to set the keys stored in secret scopes: true <client-email> <project-id> {{secrets/scope/gsa_private_key}} {{secrets/scope/gsa_private_key_id}}

    Replace <client-email>, <project-id> with the values of those exact field names from your key JSON file.

Use both cluster access control and notebook access control together to protect access to the service account and data in the GCS bucket. See Compute permissions and Collaborate using Databricks notebooks.

Step 6: Read from GCS

To read from the GCS bucket, use a Spark read command in any supported format, for example:

df ="parquet").load("gs://<bucket-name>/<path>")

To write to the GCS bucket, use a Spark write command in any supported format, for example:


Replace <bucket-name> with the name of the bucket you created in Step 3: Configure the GCS bucket.

Example notebooks

Read from Google Cloud Storage notebook

Open notebook in new tab

Write to Google Cloud Storage notebook

Open notebook in new tab