Google Cloud ID authentication

Google Cloud ID authentication

Google Cloud ID authentication uses the Google Cloud CLI to authenticate the target Google Cloud service account.

To prepare to use Google Cloud credentials authentication, see Set up and use Google Cloud ID authentication.

To configure Google Cloud ID authentication with Databricks, you must have the Google Cloud ID authentication installed locally. You must also set the following associated environment variables, .databrickscfg fields, Terraform fields, or Config fields:

• The Databricks host.
  • For account operations, specify https://accounts.gcp.databricks.com.
  • For workspace operations, specify the workspace URL, for example https://1234567890123456.7.gcp.databricks.com.
• For account operations, the Databricks account ID.
• The Google Cloud service account, specified as the service account’s email address.

To perform Google Cloud ID authentication with Databricks, integrate the following within your code, based on the participating tool or SDK:

Environment

To use environment variables for a specific Databricks authentication type with a tool or SDK, see Authorizing access to Databricks resources or the tool’s or SDK’s documentation. See also Environment variables and fields for client unified authentication and the Default methods for client unified authentication.

For account-level operations, set the following environment variables:

• DATABRICKS_HOST, set to the value of your Databricks account console URL, https://accounts.gcp.databricks.com.
• DATABRICKS_ACCOUNT_ID
• GOOGLE_SERVICE_ACCOUNT

For workspace-level operations, set the following environment variables:

• DATABRICKS_HOST, set to the value of your Databricks workspace URL, for example https://1234567890123456.7.gcp.databricks.com.
• GOOGLE_SERVICE_ACCOUNT

Profile

Create or identify a Databricks configuration profile with the following fields in your .databrickscfg file. If you create the profile, replace the placeholders with the appropriate values. To use the profile with a tool or SDK, see Authorizing access to Databricks resources or the tool’s or SDK’s documentation. See also Environment variables and fields for client unified authentication and the Default methods for client unified authentication.

For account-level operations, set the following values in your .databrickscfg file. In this case, the Databricks account console URL is https://accounts.gcp.databricks.com:

[<some-unique-configuration-profile-name>]
host                   = <account-console-url>
account_id             = <account-id>
google_service_account = <google-cloud-service-account-email-address>

For workspace-level operations, set the following values in your .databrickscfg file. In this case, the host is the Databricks workspace URL, for example https://1234567890123456.7.gcp.databricks.com:

[<some-unique-configuration-profile-name>]
host                   = <workspace-url>
google_service_account = <google-cloud-service-account-email-address>

CLI

For the Databricks CLI, do one of the following:

• Set the environment variables as specified in this article’s “Environment” section.
• Set the values in your .databrickscfg file as specified in this article’s “Profile” section.

Environment variables always take precedence over values in your .databrickscfg file.

See also Google Cloud ID authentication.

Connect

note

Google Cloud ID authentication is supported on the following Databricks Connect versions:

• For Python, Databricks Connect for Databricks Runtime 13.3 LTS and above. The Databricks SDK for Python 0.14.0 or above must also be installed.
• For Scala, Databricks Connect for Databricks Runtime 13.3 LTS and above. The Databricks SDK for Java 0.14.0 or above must also be installed.

For Databricks Connect, you can do one of the following:

• Set the values in your .databrickscfg file for Databricks workspace-level operations as specified in this article’s “Profile” section. Also set the cluster_id environment variable in your profile to your workspace instance URL, for example https://1234567890123456.7.gcp.databricks.com.
• Set the environment variables for Databricks workspace-level operations as specified in this article’s “Environment” section. Also set the DATABRICKS_CLUSTER_ID environment variable to your workspace instance URL, for example https://1234567890123456.7.gcp.databricks.com.

Values in your .databrickscfg file always take precedence over environment variables.

To initialize the Databricks Connect client with these environment variables or values in your .databrickscfg file, see Compute configuration for Databricks Connect.

VS Code

For the Databricks extension for Visual Studio Code, do the following:

1. Set the values in your .databrickscfg file for Databricks workspace-level operations as specified in this article’s “Profile” section.
2. In the Configuration pane of the Databricks extension for Visual Studio Code, click Configure Databricks.
3. In the Command Palette, for Databricks Host, enter your workspace URL, for example https://1234567890123456.7.gcp.databricks.com, and then press Enter.
4. In the Command Palette, select your target profile’s name in the list for your URL.

For more details, see Set up authorization for the Databricks extension for Visual Studio Code.

Terraform

For account-level operations, for default authentication:

provider "databricks" {
  alias = "accounts"
}

For direct configuration (replace the retrieve placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as HashiCorp Vault. See also Vault Provider). In this case, the Databricks account console URL is https://accounts.gcp.databricks.com:

provider "databricks" {
  alias                  = "accounts"
  host                   = <retrieve-account-console-url>
  account_id             = <retrieve-account-id>
  google_service_account = <retrieve-google-service-account>
}

For workspace-level operations, for default authentication:

provider "databricks" {
  alias = "workspace"
}

For direct configuration (replace the retrieve placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as HashiCorp Vault. See also Vault Provider). In this case, the host is the Databricks workspace URL, for example https://1234567890123456.7.gcp.databricks.com:

provider "databricks" {
  alias                  = "workspace"
  host                   = <retrieve-workspace-url>
  google_service_account = <retrieve-google-service-account>
}

For more information about authenticating with the Databricks Terraform provider, see Authentication.

Python

For account-level operations, use default authentication:

Python

from databricks.sdk import AccountClient

a = AccountClient()
# ...

For direct configuration, replace the retrieve placeholders with your implementation to retrieve the values from the console or some other configuration store, such as Google Cloud Secret Manager. In this case, the Databricks account console URL is https://accounts.gcp.databricks.com:

Python

from databricks.sdk import AccountClient

a = AccountClient(
  host                   = retrieve_account_console_url(),
  account_id             = retrieve_account_id(),
  google_service_account = retrieve_google_service_account()
)
# ...

For workspace-level operations, for default authentication:

Python

from databricks.sdk import WorkspaceClient

w = WorkspaceClient()
# ...

For direct configuration, replace the retrieve placeholders with your implementation to retrieve the values from the console or some other configuration store, such as Google Cloud Secret Manager. In this case, the host is the Databricks workspace URL, for example https://1234567890123456.7.gcp.databricks.com:

Python

from databricks.sdk import WorkspaceClient

w = WorkspaceClient(
  host                   = retrieve_workspace_url(),
  google_service_account = retrieve_google_service_account()
)
# ...

For more information about authenticating with Databricks’ Python tools and SDKs that implement Databricks client unified authentication, see:

• Set up the Databricks Connect client for Python
• Set up authorization for the Databricks extension for Visual Studio Code
• Authenticate the Databricks SDK for Python with your Databricks account or workspace

Java

For account-level operations, use default authentication:

Java

import com.databricks.sdk.AccountClient;
// ...
AccountClient a = new AccountClient();
// ...

For direct configuration, replace the retrieve placeholders with your implementation to retrieve the values from the console or some other configuration store, such as Google Cloud Secret Manager. In this case, the Databricks account console URL is https://accounts.gcp.databricks.com:

Java

import com.databricks.sdk.AccountClient;
import com.databricks.sdk.core.DatabricksConfig;
// ...
DatabricksConfig cfg = new DatabricksConfig()
  .setHost(retrieveAccountConsoleUrl())
  .setAccountId(retrieveAccountId())
  .setGoogleServiceAccount(retrieveGoogleServiceAccount());
AccountClient a = new AccountClient(cfg);
// ...

For workspace-level operations, use default authentication:

Java

import com.databricks.sdk.WorkspaceClient;
// ...
WorkspaceClient w = new WorkspaceClient();
// ...

For direct configuration, replace the retrieve placeholders with your implementation to retrieve the values from the console or some other configuration store, such as Google Cloud Secret Manager. In this case, the host is the Databricks workspace URL, for example https://1234567890123456.7.gcp.databricks.com:

Java

import com.databricks.sdk.WorkspaceClient;
import com.databricks.sdk.core.DatabricksConfig;
// ...
DatabricksConfig cfg = new DatabricksConfig()
  .setHost(retrieveWorkspaceUrl())
  .setGoogleServiceAccount(retrieveGoogleServiceAccount());
WorkspaceClient w = new WorkspaceClient(cfg);
// ...

For more information about authenticating with Databricks’ Java tools and SDKs that implement Databricks client unified authentication, see:

• Set up the Databricks Connect client for Scala
• Authenticate the Databricks SDK for Java with your Databricks account or workspace

Go

For account-level operations, for default authentication:

Go

import (
  "github.com/databricks/databricks-sdk-go"
)
// ...
a := databricks.Must(databricks.NewAccountClient())
// ...

For direct configuration (replace the retrieve placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Google Cloud Secret Manager). In this case, the Databricks account console URL is https://accounts.gcp.databricks.com:

Go

import (
  "github.com/databricks/databricks-sdk-go"
)
// ...
a := databricks.Must(databricks.NewAccountClient(&databricks.Config{
  Host:                 retrieveAccountConsoleUrl(),
  AccountId:            retrieveAccountId(),
  GoogleServiceAccount: retrieveGoogleServiceAccount(),
}))
// ...

For workspace-level operations, for default authentication:

Go

import (
  "github.com/databricks/databricks-sdk-go"
)
// ...
w := databricks.Must(databricks.NewWorkspaceClient())
// ...

For direct configuration (replace the retrieve placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Google Cloud Secret Manager). In this case, the host is the Databricks workspace URL, for example https://1234567890123456.7.gcp.databricks.com:

Go

import (
  "github.com/databricks/databricks-sdk-go"
)
// ...
w := databricks.Must(databricks.NewWorkspaceClient(&databricks.Config{
  Host:                 retrieveWorkspaceUrl(),
  GoogleServiceAccount: retrieveGoogleServiceAccount(),
}))
// ...

For more information about authenticating with Databricks tools and SDKs that use Go and that implement Databricks client unified authentication, see Authenticate the Databricks SDK for Go with your Databricks account or workspace.