Azure Databricks personal access token authentication
Azure Databricks personal access tokens (PATs) are used to authenticate access to resources and APIs at the Azure Databricks workspace level. Many storage mechanisms for credentials and related information, such as environment variables and Azure Databricks configuration profiles, provide support for Azure Databricks personal access tokens. Although users can have multiple personal access tokens in an Azure Databricks workspace, each personal access token works for only a single Azure Databricks workspace. The number of personal access tokens per user is limited to 600 per workspace.
Databricks automatically revokes personal access tokens that haven’t been used in 90 or more days.
Important
Databricks recommends using OAuth instead of PATs for user account client authentication and authorization due to the improved security OAuth has. To learn how to use OAuth to perform client authentication with a Databricks user account, see Authenticate access to Azure Databricks with a user account using OAuth (OAuth U2M) (for user account authentication).
Basic (not token-based) authentication using an Azure Databricks username and password reached end of life on July 10, 2024.
To automate Azure Databricks account-level functionality, you cannot use Azure Databricks personal access tokens. Instead, you must use the Microsoft Entra ID tokens of Azure Databricks account admins. Azure Databricks account admins can be users or service principals. For more information, see:
-
See also:
Azure Databricks personal access tokens for workspace users
To create an Azure Databricks personal access token for your Azure Databricks workspace user, do the following:
- In your Azure Databricks workspace, click your Azure Databricks username in the top bar, and then select Settings from the drop down.
- Click Developer.
- Next to Access tokens, click Manage.
- Click Generate new token.
- (Optional) Enter a comment that helps you to identify this token in the future, and change the token’s default lifetime of 90 days. To create a token with no lifetime (not recommended), leave the Lifetime (days) box empty (blank).
- Click Generate.
- Copy the displayed token to a secure location, and then click Done.
Note
Be sure to save the copied token in a secure location. Do not share your copied token with others. If you lose the copied token, you cannot regenerate that exact same token. Instead, you must repeat this procedure to create a new token. If you lose the copied token, or you believe that the token has been compromised, Databricks strongly recommends that you immediately delete that token from your workspace by clicking the trash can (Revoke) icon next to the token on the Access tokens page.
If you are not able to create or use tokens in your workspace, this might be because your workspace administrator has disabled tokens or has not given you permission to create or use tokens. See your workspace administrator or the following topics:
Azure Databricks personal access tokens for service principals
A service principal can create Databricks personal access tokens for itself, as follows:
This procedure assumes that you are using OAuth machine-to-machine (M2M) authentication or Microsoft Entra ID service principal authentication to set up the Databricks CLI for authenticating the service principal to generate Azure Databricks personal access tokens for itself. See OAuth machine-to-machine (M2M) authentication or Microsoft Entra ID service principal authentication.
Use the Databricks CLI to run the following command, which generates another access token for the service principal.
Run the following command:
databricks tokens create --comment <comment> --lifetime-seconds <lifetime-seconds> -p <profile-name>
--comment
: Replace<comment>
with a meaningful comment about the access token’s purpose. If the--comment
option is not specified, then no comment is generated.--lifetime-seconds
: Replace<lifetime-seconds>
with the number of seconds that the access token is valid for. For example, 1 day is 86400 seconds. If the--lifetime-seconds
option is not specified, the access token is set to never expire (not recommended).--profile-name
: Replace<profile-name>
with the name of an Azure Databricks configuration profile that contains authentication information for the service principal and the target workspace. If the-p
option is not specified, the Databricks CLI will attempt to find and use a configuration profile namedDEFAULT
.
In the response, copy the value of
token_value
, which is the access token for the service principal.Be sure to save the copied token in a secure location. Do not share your copied token with others. If you lose the copied token, you cannot regenerate that exact same token. Instead, you must repeat this procedure to create a new token.
If you are not able to create or use tokens in your workspace, this might be because your workspace administrator has disabled tokens or has not given you permission to create or use tokens. See your workspace administrator or the following:
Perform Azure Databricks personal access token authentication
To configure Azure Databricks personal access token authentication, you must set the following associated environment variables, .databrickscfg
fields, Terraform fields, or Config
fields:
- The Azure Databricks host, specified as the target Azure Databricks per-workspace URL, for example
https://adb-1234567890123456.7.azuredatabricks.net
. - The Azure Databricks personal access token for the Azure Databricks user account.
To perform Azure Databricks personal access token authentication, integrate the following within your code, based on the participating tool or SDK:
Environment
To use environment variables for a specific Azure Databricks authentication type with a tool or SDK, see Authenticate access to Azure Databricks resources or the tool’s or SDK’s documentation. See also Environment variables and fields for client unified authentication and the Default methods for client unified authentication.
Set the following environment variables:
DATABRICKS_HOST
, set to the Azure Databricks per-workspace URL, for examplehttps://adb-1234567890123456.7.azuredatabricks.net
.DATABRICKS_TOKEN
, set to the token string.
Profile
Create or identify an Azure Databricks configuration profile with the following fields in your .databrickscfg
file. If you create the profile, replace the placeholders with the appropriate values. To use the profile with a tool or SDK, see Authenticate access to Azure Databricks resources or the tool’s or SDK’s documentation. See also Environment variables and fields for client unified authentication and the Default methods for client unified authentication.
Set the following values in your .databrickscfg
file. In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.azuredatabricks.net
:
[<some-unique-configuration-profile-name>]
host = <workspace-url>
token = <token>
Instead of manually setting the preceding values in your .databrickscfg
file, you can use the Databricks CLI to set these values instead, as follows:
Note
The following procedure uses the Databricks CLI to create an Azure Databricks configuration profile with the name DEFAULT
. If you already have a DEFAULT
configuration profile, this procedure overwrites your existing DEFAULT
configuration profile.
To check whether you already have a DEFAULT
configuration profile, and to view this profile’s settings if it exists, use the Databricks CLI to run the command databricks auth env --profile DEFAULT
.
To create a configuration profile with a name other than DEFAULT
, replace the DEFAULT
part of --profile DEFAULT
in the following databricks configure
command with a different name for the configuration profile.
Use the Databricks CLI to create an Azure Databricks configuration profile named
DEFAULT
that uses Azure Databricks personal access token authentication. To do this, run the following command:databricks configure --profile DEFAULT
For the prompt Databricks Host, enter your Azure Databricks per-workspace URL, for example
https://adb-1234567890123456.7.azuredatabricks.net
.For the prompt Personal Access Token, enter the Azure Databricks personal access token for your workspace.
CLI
For the Databricks CLI, run the databricks configure
command. At the prompts, enter the following settings:
- The Azure Databricks host, specified as the target Azure Databricks per-workspace URL, for example
https://adb-1234567890123456.7.azuredatabricks.net
. - The Azure Databricks personal access token for the Azure Databricks user account.
For more details, see Azure Databricks personal access token authentication.
Connect
Note
Azure Databricks personal access token authentication is supported on the following Databricks Connect versions:
- For Python, Databricks Connect for Databricks Runtime 13.3 LTS and above.
- For Scala, Databricks Connect for Databricks Runtime 13.3 LTS and above.
For Databricks Connect, you can use the Databricks CLI to set the values in your .databrickscfg
file, for Azure Databricks workspace-level operations as specified in this article’s “Profile” section, as follows:
Note
The following procedure uses the Databricks CLI to create an Azure Databricks configuration profile with the name DEFAULT
. If you already have a DEFAULT
configuration profile, this procedure overwrites your existing DEFAULT
configuration profile.
To check whether you already have a DEFAULT
configuration profile, and to view this profile’s settings if it exists, use the Databricks CLI to run the command databricks auth env --profile DEFAULT
.
To create a configuration profile with a name other than DEFAULT
, replace the DEFAULT
part of --profile DEFAULT
in the databricks configure
command as shown in the following step with a different name for the configuration profile.
Use the Databricks CLI to create an Azure Databricks configuration profile named
DEFAULT
that uses Azure Databricks personal access token authentication. To do this, run the following command:databricks configure --configure-cluster --profile DEFAULT
For the prompt Databricks Host, enter your Azure Databricks per-workspace URL, for example
https://adb-1234567890123456.7.azuredatabricks.net
.For the prompt Personal Access Token, enter the Azure Databricks personal access token for your workspace.
In the list of available clusters that appears, use your up arrow and down arrow keys to select the target Azure Databricks cluster in your workspace, and then press
Enter
. You can also type any part of the cluster’s display name to filter the list of available clusters.
Other supported approaches for Databricks Connect include the following:
- Manually set the values in your
.databrickscfg
file for Azure Databricks workspace-level operations as specified in this article’s “Profile” section. Also set thecluster_id
environment variable in your profile to your per-workspace URL, for examplehttps://adb-1234567890123456.7.azuredatabricks.net
. - Set the environment variables for Azure Databricks workspace-level operations as specified in this article’s “Environment” section. Also set the
DATABRICKS_CLUSTER_ID
environment variable to your per-workspace URL, for examplehttps://adb-1234567890123456.7.azuredatabricks.net
.
Values in your .databrickscfg
file always take precedence over environment variables.
To initialize the Databricks Connect client with these environment variables or values in your .databrickscfg
file, see one of the following:
- For Python, see Configure connection properties for Python.
- For Scala, see Configure connection properties for Scala.
VS Code
For the Databricks extension for Visual Studio Code, do the following:
- Set the values in your
.databrickscfg
file for Azure Databricks workspace-level operations as specified in this article’s “Profile” section. - In the Configuration pane of the Databricks extension for Visual Studio Code, click Configure Databricks.
- In the Command Palette, for Databricks Host, enter your per-workspace URL, for example
https://adb-1234567890123456.7.azuredatabricks.net
, and then pressEnter
. - In the Command Palette, select your target profile’s name in the list for your URL.
For more details, see Authentication setup for the Databricks extension for Visual Studio Code.
Terraform
provider "databricks" {
alias = "workspace"
}
For direct configuration (replace the retrieve
placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as HashiCorp Vault. See also Vault Provider). In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.azuredatabricks.net
:
provider "databricks" {
alias = "workspace"
host = <retrieve-workspace-url>
token = <retrieve-token>
}
For more information about authenticating with the Databricks Terraform provider, see Authentication.
Python
from databricks.sdk import WorkspaceClient
w = WorkspaceClient()
# ...
For direct configuration (replace the retrieve
placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.azuredatabricks.net
:
from databricks.sdk import WorkspaceClient
w = WorkspaceClient(
host = retrieve_workspace_url(),
token = retrieve_token()
)
# ...
For more information about authenticating with Databricks tools and SDKs that use Python and that implement Databricks client unified authentication, see:
- Set up the Databricks Connect client for Python
- Authentication setup for the Databricks extension for Visual Studio Code
- Authenticate the Databricks SDK for Python with your Azure Databricks account or workspace
Java
import com.databricks.sdk.WorkspaceClient;
// ...
WorkspaceClient w = new WorkspaceClient();
// ...
For direct configuration (replace the retrieve
placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.azuredatabricks.net
:
import com.databricks.sdk.WorkspaceClient;
import com.databricks.sdk.core.DatabricksConfig;
// ...
DatabricksConfig cfg = new DatabricksConfig()
.setHost(retrieveWorkspaceUrl())
.setToken(retrieveToken());
WorkspaceClient w = new WorkspaceClient(cfg);
// ...
For more information about authenticating with Databricks tools and SDKs that use Java and that implement Databricks client unified authentication, see:
- Set up the Databricks Connect client for Scala (the Databricks Connect client for Scala uses the included Databricks SDK for Java for authentication)
- Authenticate the Databricks SDK for Java with your Azure Databricks account or workspace
Go
import (
"github.com/databricks/databricks-sdk-go"
)
// ...
w := databricks.Must(databricks.NewWorkspaceClient())
// ...
For direct configuration (replace the retrieve
placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.azuredatabricks.net
:
import (
"github.com/databricks/databricks-sdk-go"
)
// ...
w := databricks.Must(databricks.NewWorkspaceClient(&databricks.Config{
Host: retrieveWorkspaceUrl(),
Token: retrieveToken(),
}))
// ...
For more information about authenticating with Databricks tools and SDKs that use Go and that implement Databricks client unified authentication, see Authenticate the Databricks SDK for Go with your Azure Databricks account or workspace.