How to authenticate to Azure Databricks API using a Managed Identity

Kenneth Huddleston 145 Reputation points
2023-03-11T01:13:37.3933333+00:00

I would like to use my Automation account's Managed Identity (User Selected Identity) to authenticate to the Azure Databricks API without the use of a Personal Access Token. Looking at the documentation, I see you can do this for Service Principals but I do not see anything about Managed Identities. An example from the documentation:

https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/service-prin-aad-token#get-token

curl -X POST -H 'Content-Type: application/x-www-form-urlencoded'
https://login.microsoftonline.com/


Accepted answer
  1. risolis 8,701 Reputation points
    2023-03-11T23:12:30.85+00:00

    Hello @Kenneth Huddleston

    Thank you for posting this concern on this community space.

    I read your case scenario description and I would bring a few statements here, so see them below:

    1-At the Identity level, you have to know that Managed identity is split into System-Assigned and User-Assigned flavors.

    2-Service principal is considered as System-Assigned.

    3-The System-Assigned or Service principal are Enterprise applications.

    4-For this scenario, I am wondering if you did any app registration.

    5-Furthermore, I want to share the supported features when using Service principal or System-Assigned:

    https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-status

    I hope that can be helpful for you and those were my 2 cents about it : )

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. LiJia Liu 170 Reputation points MVP
    2023-03-13T09:24:35.5533333+00:00

    Azure Databricks supports Azure Active Directory (AAD) tokens (GA) to authenticate to REST API 2.0. The AAD tokens support enables us to provide a more secure authentication mechanism leveraging Azure Data Factory's System-assigned Managed Identity while integrating with Azure Databricks.

    Benefits of using Managed identity authentication:

    • Managed identities eliminate the need for data engineers to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens. In our case, Data Factory obtains the tokens using its Managed Identity and accesses the Databricks REST APIs.
    • It lets you provide fine-grained access control to particular Data Factory instances using Azure AD.
    • It helps prevent usage of Databricks Personal Access Tokens, which act as passwords and need to be treated with care, adding additional responsibility on data engineers for securing them.
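
A PowerShell runbook sketch of the token flow described in the answer above, applied to the Automation account case from the question. It is an added example, not code from the thread or from Microsoft's documentation. It assumes the Az.Accounts module is available in the runbook, that the managed identity has already been added to the Databricks workspace as a service principal, and that the two placeholder values are filled in.

```powershell
# Added example; placeholders and assumptions are marked, none come from the thread.
$ClientId     = '<user-assigned-identity-client-id>'   # placeholder
$WorkspaceUrl = 'https://<databricks-instance>'        # placeholder: per-workspace URL

# Azure AD application (resource) ID that Azure Databricks access tokens are issued for.
$DatabricksResourceId = '2ff814a6-3304-4ab8-85cb-cd0e6f879c1d'

# Sign in as the managed identity. Omit -AccountId to use a system-assigned identity.
Connect-AzAccount -Identity -AccountId $ClientId -ErrorAction Stop | Out-Null

# Request an Azure AD access token scoped to Azure Databricks (no PAT involved).
$token = (Get-AzAccessToken -ResourceUrl $DatabricksResourceId -ErrorAction Stop).Token

# Newer Az.Accounts versions return the token as a SecureString; convert it for the header.
if ($token -is [System.Security.SecureString]) {
    $token = [System.Net.NetworkCredential]::new('', $token).Password
}

try {
    # Any REST API 2.0 endpoint works the same way; clusters/list is used as a read-only check.
    $response = Invoke-RestMethod -Method Get `
        -Uri "$WorkspaceUrl/api/2.0/clusters/list" `
        -Headers @{ Authorization = "Bearer $token" } `
        -ErrorAction Stop
    $response.clusters | Select-Object cluster_id, cluster_name, state
}
catch {
    # On 401/403, check that the identity has been added to the workspace
    # and that the token was requested for the Databricks resource ID above.
    Write-Error "Databricks API call failed: $($_.Exception.Message)"
    throw
}
finally {
    # Keep the bearer token out of job output and later steps of the runbook.
    Remove-Variable -Name token -ErrorAction SilentlyContinue
}
```

The token is short-lived and is requested on each run, so nothing has to be stored in Automation variables or credentials.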

  2. Lin Feng 0 Reputation points
    2023-06-22T14:33:49.9866667+00:00

    What about the Managed Identity of the Function App?
    Is it possible for a Function App to use its system-assigned identity to call the Databricks API?
