Create an external location to connect cloud storage to Databricks

This article describes how to configure an external location in Unity Catalog to connect cloud storage to Databricks.

External locations associate Unity Catalog storage credentials with cloud object storage containers. External locations are used to define managed storage locations for catalogs and schemas, and to define locations for external tables and external volumes.

You can create an external location that references storage in an AWS S3 or Cloudflare R2 bucket.

You can create an external location using Catalog Explorer, the Databricks CLI, SQL commands in a notebook or Databricks SQL query, or Terraform.

Note

When you define a volume, cloud URI access to data under the volume path is governed by the permissions of the volume.

Before you begin

Prerequisites:

  • You must create the AWS S3 or Cloudflare R2 bucket that you want to use as an external location before you create the external location object in Databricks.

    • The AWS CloudFormation template supports only S3 buckets.

    • The name of an S3 bucket that you want users to read from and write to cannot use dot notation (for example, incorrect.bucket.name.notation). For more bucket naming guidance, see the AWS bucket naming rules.

Permissions requirements:

  • You must have the CREATE EXTERNAL LOCATION privilege on both the metastore and the storage credential referenced in the external location. Metastore admins have CREATE EXTERNAL LOCATION on the metastore by default.

  • If you are using the AWS CloudFormation template, you must also have the CREATE STORAGE CREDENTIAL privilege on the metastore. Metastore admins have CREATE STORAGE CREDENTIAL on the metastore by default.

Create an external location for an S3 bucket using an AWS CloudFormation template

If you create an external location using the AWS CloudFormation template, Databricks configures the external location and creates a storage credential for you. You also have the option to create the external location manually, which requires that you first create an IAM role that gives access to the S3 bucket that is referenced by the external location and a storage credential that references that IAM role. For details, see Create a storage credential for connecting to AWS S3.

Note

You cannot create external locations for Cloudflare R2 buckets using the AWS CloudFormation template. Instead use the manual flow in Catalog Explorer or SQL statements in a Databricks notebook or SQL query editor.

Permissions and prerequisites: see Before you begin.

To create the external location:

  1. Log in to a workspace that is attached to the metastore.

  2. Click Catalog icon Catalog to open Catalog Explorer.

  3. Click the + Add button and select Add an external location.

  4. On the Create a new external location dialog, select AWS Quickstart (Recommended) then click Next.

    The AWS Quickstart configures the external location and creates a storage credential for you. If you choose to use the Manual option, you must manually create an IAM role that gives access to the S3 bucket and create the storage credential in Databricks yourself.

  5. On the Create external location with Quickstart dialog, enter the path to the S3 bucket in the Bucket Name field.

  6. Click Generate new token to generate the personal access token that you will use to authenticate between Databricks and your AWS account.

  7. Copy the token and click Launch in Quickstart.

  8. In the AWS CloudFormation template that launches (labeled Quick create stack), paste the token into the Databricks Account Credentials field.

  9. Accept the terms at the bottom of the page (I acknowledge that AWS CloudFormation might create IAM resources with custom names).

  10. Click Create stack.

    It may take a few minutes for the CloudFormation template to finish creating the external location object in Databricks.

  11. Return to your Databricks workspace and click Catalog to open Catalog Explorer.

  12. In the left pane of Catalog Explorer, scroll down and click External Data > External Locations.

  13. Confirm that a new external location has been created.

    Automatically-generated external locations use the naming syntax db_s3_external_databricks-S3-ingest-<id>.

  14. (Optional) Bind the external location to specific workspaces.

    By default, any privileged user can use the external location on any workspace attached to the metastore. If you want to allow access only from specific workspaces, go to the Workspaces tab and assign workspaces. See (Optional) Assign an external location to specific workspaces.

  15. Grant permission to use the external location.

    For anyone to use the external location, you must grant permissions:

    • To use the external location to add a managed storage location to metastore, catalog, or schema, grant the CREATE MANAGED LOCATION privilege.

    • To create external tables or volumes, grant CREATE EXTERNAL TABLE or CREATE EXTERNAL VOLUME.

    To use Catalog Explorer to grant permissions:

    1. Click the external location name to open the details pane.

    2. On the Permissions tab, click Grant.

    3. On the Grant on <external location> dialog, select users, groups, or service principals in Principals field, and select the privilege you want to grant.

    4. Click Grant.

Create an external location using Catalog Explorer

You can create an external location manually using Catalog Explorer.

Permissions and prerequisites: see Before you begin.

If you are creating an external location for an S3 bucket, Databricks recommends that you use the AWS CloudFormation template rather than the procedure described here. If you use the AWS CloudFormation template, you do not need to create a storage credential. It is created for you.

To create the external location:

  1. Log in to a workspace that is attached to the metastore.

  2. In the sidebar, click Catalog icon Catalog.

  3. Click the + Add button and select Add an external location.

  4. On the Create a new external location dialog, click Manual, then Next.

    To learn about the AWS Quickstart option, see Create an external location for an S3 bucket using an AWS CloudFormation template.

  5. In the Create a new external location manually dialog, enter an External location name.

  6. Optionally copy the bucket path from an existing mount point (S3 buckets only).

  7. If you aren’t copying from an existing mount point, use the URL field to enter the S3 or R2 bucket path that you want to use as the external location.

    For example, S3://mybucket/<path> or r2://mybucket@my-account-id.r2.cloudflarestorage.com/<path>.

  8. Select the storage credential that grants access to the external location.

  9. (Optional) If you want users to have read-only access to the external location, click Advanced Options and select Read only. For more information, see Mark an external location as read-only.

  10. Click Create.

  11. (Optional) Bind the external location to specific workspaces.

    By default, any privileged user can use the external location on any workspace attached to the metastore. If you want to allow access only from specific workspaces, go to the Workspaces tab and assign workspaces. See (Optional) Assign an external location to specific workspaces.

  12. Grant permission to use the external location.

    For anyone to use the external location you must grant permissions:

    • To use the external location to add a managed storage location to metastore, catalog, or schema, grant the CREATE MANAGED LOCATION privilege.

    • To create external tables or volumes, grant CREATE EXTERNAL TABLE or CREATE EXTERNAL VOLUME.

    To use Catalog Explorer to grant permissions:

    1. Click the external location name to open the details pane.

    2. On the Permissions tab, click Grant.

    3. On the Grant on <external location> dialog, select users, groups, or service principals in Principals field, and select the privilege you want to grant.

    4. Click Grant.

Create an external location using SQL

To create an external location using SQL, run the following command in a notebook or the SQL query editor. Replace the placeholder values.

Permissions and prerequisites: see Before you begin.

  • <location-name>: A name for the external location. If location_name includes special characters, such as hyphens (-), it must be surrounded by backticks ( ` ` ). See Names.

  • <bucket-path>: The path in your cloud tenant that this external location grants access to. For example, S3://mybucket or r2://mybucket@my-account-id.r2.cloudflarestorage.com.

  • <storage-credential-name>: The name of the storage credential that authorizes reading from and writing to the bucket. If the storage credential name includes special characters, such as hyphens (-), it must be surrounded by backticks ( ` ` ).

CREATE EXTERNAL LOCATION [IF NOT EXISTS] `<location-name>`
URL '<bucket-path>'
WITH ([STORAGE] CREDENTIAL `<storage-credential-name>`)
[COMMENT '<comment-string>'];

If you want to limit external location access to specific workspaces in your account, also known as workspace binding or external location isolation, see (Optional) Assign an external location to specific workspaces.

(Optional) Assign an external location to specific workspaces

Preview

This feature is in Public Preview.

By default, an external location is accessible from all of the workspaces in the metastore. This means that if a user has been granted a privilege (such as READ FILES) on that external location, they can exercise that privilege from any workspace attached to the metastore. If you use workspaces to isolate user data access, you might want to allow access to an external location only from specific workspaces. This feature is known as workspace binding or external location isolation.

Typical use cases for binding an external location to specific workspaces include:

  • Ensuring that data engineers who have the CREATE EXTERNAL TABLE privilege on an external location that contains production data can create external tables on that location only in a production workspace.

  • Ensuring that data engineers who have the READ FILES privilege on an external location that contains sensitive data can only use specific workspaces to access that data.

For more information about how to restrict other types of data access by workspace, see Workspace-catalog binding example.

Important

Workspace bindings are referenced when privileges against external locations are exercised. For example, if a user creates an external table by issuing the statement CREATE TABLE myCat.mySch.myTable LOCATION 's3://bucket/path/to/table' from the myWorkspace workspace, the following workspace binding checks are performed in addition to regular user privilege checks:

  • Is the external location covering 's3://bucket/path/to/table' bound to myWorkspace?

  • Is the catalog myCat bound to myWorkspace with access level Read & Write?

If the external location is subsequently unbound from myWorkspace, then the external table continues to function.

This feature also allows you to populate a catalog from a central workspace and make it available to other workspaces using catalog bindings, without also having to make the external location available in those other workspaces.

Bind an external location to one or more workspaces

To assign an external location to specific workspaces, you can use Catalog Explorer or the Unity Catalog REST API.

Permissions required: Metastore admin or external location owner.

Note

Metastore admins can see all external locations in a metastore using Catalog Explorer—and external location owners can see all external locations that they own in a metastore—regardless of whether the external location is assigned to the current workspace. External locations that are not assigned to the workspace appear grayed out.

  1. Log in to a workspace that is linked to the metastore.

  2. In the sidebar, click Catalog icon Catalog.

  3. At the bottom of the screen, click External Data > External Locations.

  4. Select the external location and go to the Workspaces tab.

  5. On the Workspaces tab, clear the All workspaces have access checkbox.

    If your external location is already bound to one or more workspaces, this checkbox is already cleared.

  6. Click Assign to workspaces and enter or find the workspaces you want to assign.

To revoke access, go to the Workspaces tab, select the workspace, and click Revoke. To allow access from all workspaces, select the All workspaces have access checkbox.

There are two APIs and two steps required to assign an external location to a workspace. In the following examples, replace <workspace-url> with your workspace instance name. To learn how to get the workspace instance name and workspace ID, see Get identifiers for workspace objects. To learn about getting access tokens, see Authentication for Databricks automation - overview.

  1. Use the external-locations API to set the external location’s isolation mode to ISOLATION_MODE_ISOLATED:

    curl -L -X PATCH 'https://<workspace-url>/api/2.1/unity-catalog/external-locations/<my-location> \
    -H 'Authorization: Bearer <my-token> \
    -H 'Content-Type: application/json' \
    --data-raw '{
     "isolation_mode": "ISOLATION_MODE_ISOLATED"
     }'
    

    The default isolation mode is ISOLATION_MODE_OPEN to all workspaces attached to the metastore. See External Locations in the REST API reference.

  2. Use the update bindings API to assign the workspaces to the external location:

    curl -L -X PATCH 'https://<workspace-url>/api/2.1/unity-catalog/bindings/external-locations/<my-location> \
    -H 'Authorization: Bearer <my-token> \
    -H 'Content-Type: application/json' \
    --data-raw '{
      "add": [{"workspace_id": <workspace-id>,...],
      "remove": [{"workspace_id": <workspace-id>,...]
    }'
    

    Use the "add" and "remove" properties to add or remove workspace bindings.

    Note

    Read-only binding (BINDING_TYPE_READ_ONLY) is not available for external locations. Therefore there is no reason to set binding_type for the external locations binding.

To list all workspace assignments for an external location, use the list bindings API:

   curl -L -X GET 'https://<workspace-url>/api/2.1/unity-catalog/bindings/external-locations/<my-location> \
   -H 'Authorization: Bearer <my-token> \

See Workspace Bindings in the REST API reference.

Unbind an external location from a workspace

Instructions for revoking workspace access to an external location using Catalog Explorer or the bindings API are included in Bind an external location to one or more workspaces.

Next steps