Provision a service principal for Databricks automation - Databricks UI

A service principal is an identity for automated tools and systems like scripts, apps, and CI/CD platforms. Databricks recommends using a service principal and its OAuth token or personal access token instead of your Databricks user account and personal access token. Benefits include:

  • Granting and restricting access to resources independently of a user.

  • Enabling users to better protect their own access tokens.

  • Disabling or deleting a service principal without affecting other users.

  • Removing a user when they leave the organization without impacting any service principal.

To provision a Databricks service principal, Databricks recommends that you create a Databricks service principal in your Databricks account. Then you add that Databricks service principal to your target Databricks workspace and give the Databricks service principal workspace permissions. Finally, you generate a Databricks personal access token, which you can use to represent the Databricks service principal programmatically in calls from tools, scripts, and SDKs. Use this quickstart to complete these steps.

Step 1: Create a Databricks service principal in your Databricks account

Complete this step if one of the following applies:

  • You want to create a Databricks service principal that you can use to authorize automation calls to your Databricks account.

  • Your workspace is enabled for identity federation, and you want to create a single Databricks service principal that you can use to authorize automation calls to your Databricks account and to Databricks workspaces within your account.

Otherwise, skip ahead to Step 2.

  1. In your Databricks workspace, click your username in the top bar and click Manage account.

    Alternatively, go directly to your Databricks account console, at https://accounts.cloud.databricks.com.

  2. Sign in to your Databricks account, if prompted.

  3. On the sidebar, click User management.

  4. Click the Service principals tab.

  5. Click Add service principal.

  6. Enter a Name for the Databricks service principal and click Add.

  7. (Optional) Assign account-level permissions to the Databricks service principal:

    1. On the Service principals tab, click the name of your Databricks service principal.

    2. On the Roles tab, toggle to enable or disable each target role that you want this Databricks service principal to have.

    3. On the Permissions tab, grant access to any Databricks users, service principals, and account group roles that you want to manage and use this Databricks service principal. See Manage roles on a service principal.

Step 2: Add the Databricks service principal to your Databricks workspace

If your workspace is enabled for identity federation:

  1. In your Databricks workspace, click your username in the top bar and click Admin Settings.

  2. Click Service principals.

  3. Click Add service principal.

  4. Select your Databricks service principal from Step 1, and click Add.

Skip ahead to Step 3.

If your workspace is not enabled for identity federation:

  1. In your Databricks workspace, click your username in the top bar and click Admin Settings.

  2. Click Service principals.

  3. Click Add service principal.

  4. In the Service Principal list, select Add new service principal.

  5. Enter some Display Name for the new Databricks service principal and click Add.

Step 3: Assign workspace-level permissions to the Databricks service principal

  1. If the admin console for your workspace is not already opened, click your username in the top bar and click Admin Settings.

  2. On the Service principals tab, click the name of your Databricks service principal to open its settings page.

  3. On the Configurations tab, check the box next to each entitlement that you want your Databricks service principal to have for this workspace, and then click Update.

  4. On the Permissions tab, grant access to any Databricks users, service principals, and groups that you want to manage and use this Databricks service principal. See Manage roles on a service principal.

  5. You must also give the Databricks service principal permission to use the access token that you generate in the next step:

    1. On the Workspace settings tab, under Access Control, make sure Personal Access Tokens is enabled.

    2. Next to Personal Access Tokens, click Permission Settings.

    3. In the box labeled Select user, group or service principal, select the name of your Databricks service principal.

    4. Click Add.

    5. Click Save.

Step 4: Generate a Databricks personal access token for the Databricks service principal

Note

Databricks personal access tokens can be used to authenticate automation calls only to Databricks workspaces. To authenticate automation calls to Databricks accounts and to Databricks workspaces within that account, use OAauth tokens instead. See Authentication using OAuth for service principals.

You cannot use the Databricks user interface to generate access tokens. This process uses Databricks CLI version 0.205 or above to generate an access token for the Databricks service principal. If you do not already have the Databricks CLI installed, see Install or update the Databricks CLI.

  1. Set up the Databricks CLI for authentication, if you have not done so already. One way to set this up is by using Databricks personal access token authentication for your Databricks workspace user first. See Databricks personal access token authentication.

  2. Get the application ID for your Databricks service principal, if you do not already have it available:

    1. If the admin console for your workspace is not already opened, click your username in the top bar and click Admin Settings.

    2. On the Service principals tab, click the name of your Databricks service principal to open its settings page.

    3. On the Configurations tab, note the Application Id value.

  3. Use the Databricks CLI to run the following command, which generates the access token for your Databricks service principal:

    databricks token-management create-obo-token <application-id> <lifetime-seconds> --comment <comment> -p <profile-name>

    In the preceding command, replace these placeholders:

    • Replace <application-id> with the application ID of the Databricks service principal.

    • Replace <lifetime-seconds> with the number of seconds that the access token is valid for. For example, 1 day is 86400 seconds.

    • Optionally, replace <comment> with any meaningful comment about the access token’s purpose. If the --comment option is not specified, then no comment is generated.

    • Optionally, replace <profile-name> with the name of a Databricks configuration profile that contains authentication information for your user and target workspace. For instance, see Databricks personal access token authentication. If the -p option is not specified, the Databricks CLI will attempt to find and use a configuration profile named DEFAULT.

  4. In the response, copy the value of token_value, which is the access token for your Databricks service principal.

Step 5: Use the Databricks service principal to generate its own Databricks personal access tokens

This step is optional. It assumes that you have already completed Step 4 to generate the first Databricks personal access token for the Databricks service principal.

  1. Set up the Databricks CLI for authentication with a valid Databricks personal access token for the Databricks service principal, instead of the Databricks personal access token for your Databricks workspace user. See Databricks personal access token authentication.

  2. Use the Databricks CLI to run the following command, which generates another access token for your Databricks service principal:

    databricks tokens create --comment <comment> --lifetime-seconds <lifetime-seconds> -p <profile-name>

    In the preceding command, replace these placeholders:

    • Optionally, replace <comment> with any meaningful comment about the access token’s purpose. If the --comment option is not specified, then no comment is generated.

    • Optionally, replace <lifetime-seconds> with the number of seconds that the access token is valid for. For example, 1 day is 86400 seconds. If the --lifetime-seconds option is not specified, the access token is set to never expire (not recommended).

    • Optionally, replace <profile-name> with the name of a Databricks configuration profile that contains authentication information for the Databricks service principal and the target workspace. For instance, see Databricks personal access token authentication. If the -p option is not specified, the Databricks CLI will attempt to find and use a configuration profile named DEFAULT.

  3. In the response, copy the value of token_value, which is the access token for your Databricks service principal.

Next steps

This tutorial showed you how to set up a Databricks service principal by using the Databricks user interface. To use the Databricks Terraform provider instead, see Provision a service principal for Databricks automation - Terraform.