

Unity Catalog credential vending for external system access

Important

This feature is in Public Preview.

Tip

For information about how to read Azure Databricks data using Microsoft Fabric, see Use Microsoft Fabric to read data that is registered in Unity Catalog.

This page describes how Unity Catalog credential vending functionality supports access to data in Azure Databricks from external processing engines.

Credential vending supports external systems that connect to Unity Catalog using the Unity REST API and Apache Iceberg REST catalog. See Access Databricks tables from Delta clients and Access Databricks data using external systems.

What is Unity Catalog credential vending?

Credential vending grants short-lived credentials using the Unity Catalog REST API. The granted credentials inherit the privileges of the Azure Databricks principal used to configure the integration. There are two types of credential vending:

  • Table credential vending provides access to data registered in your Unity Catalog metastore.
  • Path credential vending provides access to external locations in your Unity Catalog metastore.

Requirements

Table credential vending

Table credentials include a short-lived access token string and cloud storage location URL that the external engine can use to access table data and metadata from the cloud storage location.

Supported access types

Table credential vending supports the following table types and operations:

Table type                          | Read | Write | Create
Managed Delta                       | Yes  | Yes*  | Yes*
External Delta                      | Yes  | Yes   | Yes
Managed Iceberg                     | Yes  | Yes   | Yes
Delta with Iceberg reads (UniForm)  | Yes  | Yes** | No

* Creating and writing to Unity Catalog managed tables from Delta clients is in Beta.

** After externally writing to a UniForm table from a Delta client, run MSCK REPAIR TABLE to generate Iceberg metadata.

Note

Some clients support access to tables backed by Delta Lake, while others require that you enable Iceberg reads (UniForm) on tables. See Read Delta tables with Iceberg clients.

Request a temporary table credential for external data access

Support for credential vending varies by external client. Where supported, the client should automatically leverage vended credentials when a connection is configured.

This section provides an example of explicitly calling the credential vending API endpoint. Some external clients might require you to explicitly set configurations to access data and metadata in cloud object storage backing your Unity Catalog tables. You can use values returned by credential vending to configure access.

Note

You can retrieve a list of tables that support credential vending by invoking the ListTables API with the include_manifest_capabilities option enabled. Only tables marked HAS_DIRECT_EXTERNAL_ENGINE_READ_SUPPORT or HAS_DIRECT_EXTERNAL_ENGINE_WRITE_SUPPORT are eligible for reference in the temporary-table-credentials API. See GET /api/2.1/unity-catalog/tables.

The following curl example explicitly requests a temporary credential for external data access. This request must be completed by a sufficiently privileged workspace principal.

curl -X POST -H "Authorization: Bearer $OAUTH_TOKEN" \
https://<workspace-instance>/api/2.1/unity-catalog/temporary-table-credentials \
-d '{"table_id": "<string>", "operation": "<READ|READ_WRITE>"}'

For details, see POST /api/2.1/unity-catalog/temporary-table-credentials in the Azure Databricks REST API reference.

Limitations

The following limitations exist:

  • Not all external clients support credential vending, and support might vary depending on underlying cloud object storage.
  • Only Unity Catalog managed tables and Unity Catalog external tables are supported.
  • The following table types or tables with features enabled are not supported:
    • Tables with row filters or column masks.
    • Tables shared using Delta Sharing.
    • Lakehouse federated tables (foreign tables).
    • Views.
    • Materialized views.
    • Lakeflow Spark Declarative Pipelines streaming tables.
    • Online tables.
    • Vector Search indexes.
  • Credential refresh is not supported on Iceberg 1.9.0. Use the latest Iceberg release for credential refresh.

Path credential vending

Issued credentials allow direct access to the cloud storage location, scoped to the relevant path. They are valid for a limited time and do not grant broader access beyond the defined location or table.

Request a temporary path credential for external data access

Support for credential vending varies by external client. Where supported, the client should automatically leverage vended credentials when a connection is configured.

This section provides an example of explicitly calling the credential vending API endpoint. Some external clients might require you to explicitly set configurations to access data and metadata in cloud object storage backing your Unity Catalog tables. You can use values returned by credential vending to configure access.

The following curl example explicitly requests a temporary credential for external data access. This request must be completed by a sufficiently privileged workspace principal.

curl -X POST -H "Authorization: Bearer $OAUTH_TOKEN" \
https://<workspace-instance>/api/2.1/unity-catalog/temporary-path-credentials \
-d '{"url": "<string>", "operation": "<PATH_READ|PATH_READ_WRITE|PATH_CREATE_TABLE>"}'

For details, see Generate a temporary path credential in the Azure Databricks REST API reference.
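The following Python helper, an added example rather than Databricks' own code, wraps both the table and the path credential requests shown above. It restricts the operation to the values each endpoint accepts (so a request cannot silently ask for more than READ), and checks the expiry of a vended credential so a long-running engine re-requests before the token lapses. It assumes the WORKSPACE and OAUTH_TOKEN environment variables, that the response carries expiration_time in epoch milliseconds and url, and that an Azure response carries an azure_user_delegation_sas object; the sample response is constructed, not a real credential.

```python
import json
import os
import time
import urllib.request

# Operations each endpoint accepts, taken from the curl examples on this page.
TABLE_OPS = {"READ", "READ_WRITE"}
PATH_OPS = {"PATH_READ", "PATH_READ_WRITE", "PATH_CREATE_TABLE"}


def build_request(kind, target, operation):
    """Return (endpoint path, JSON body) for a table or path credential.
    Unknown operations are rejected so a typo cannot widen the grant."""
    if kind == "table":
        if operation not in TABLE_OPS:
            raise ValueError(f"table operation must be one of {sorted(TABLE_OPS)}")
        return ("/api/2.1/unity-catalog/temporary-table-credentials",
                {"table_id": target, "operation": operation})
    if kind == "path":
        if operation not in PATH_OPS:
            raise ValueError(f"path operation must be one of {sorted(PATH_OPS)}")
        return ("/api/2.1/unity-catalog/temporary-path-credentials",
                {"url": target, "operation": operation})
    raise ValueError("kind must be 'table' or 'path'")


def seconds_remaining(resp, now_ms=None):
    """Seconds until the vended credential expires; <= 0 means already expired.
    Assumes expiration_time is epoch milliseconds."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return (int(resp["expiration_time"]) - now_ms) / 1000


def needs_refresh(resp, now_ms=None, margin_s=300):
    """True when the credential is expired or within margin_s of expiring."""
    return seconds_remaining(resp, now_ms) <= margin_s


def vend_credential(kind, target, operation):
    """POST to the endpoint with a workspace OAuth token (network call)."""
    path, body = build_request(kind, target, operation)
    req = urllib.request.Request(
        f"https://{os.environ['WORKSPACE']}{path}",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {os.environ['OAUTH_TOKEN']}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as r:
        return json.load(r)


# Constructed sample response (assumed field names, placeholder token) for offline checks.
SAMPLE = {"url": "abfss://data@example.dfs.core.windows.net/tables/t1",
          "expiration_time": 1_700_000_000_000,
          "azure_user_delegation_sas": {"sas_token": "<placeholder-sas>"}}
```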