<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PATs sharing in a global data platform in Administration &amp; Architecture</title>
    <link>https://community.databricks.com/t5/administration-architecture/pats-sharing-in-a-global-data-platform/m-p/129527#M3948</link>
    <description>&lt;P&gt;Hey&amp;nbsp;&lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/124839"&gt;@noorbasha534&lt;/a&gt;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P class=""&gt;Honestly, I really understand your pain around token management. I face the same situation myself and it can definitely become a headache, especially when you have multiple technologies in play, some of them open-source, and even cases where you end up overlapping tools that essentially try to do the same job.&lt;/P&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;From my experience, the best approach is to use a central system such as &lt;SPAN class=""&gt;&lt;STRONG&gt;Secret Manager&lt;/STRONG&gt;&lt;/SPAN&gt; or &lt;SPAN class=""&gt;&lt;STRONG&gt;Azure Key Vault&lt;/STRONG&gt;&lt;/SPAN&gt; as the secure place to store these PATs. If that’s not possible, then try to rely on role assumptions so that machines or services can fetch the required secrets dynamically without embedding them everywhere.&lt;/P&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;When it comes to rotation, my recommendation is to use the &lt;I&gt;same system&lt;/I&gt; for creation and rotation. For example, if you create PATs via Terraform, avoid rotating them with a separate Cloud Function or Lambda, otherwise you’ll constantly introduce drift. A better pattern is to leverage reporting capabilities to identify tokens that are about to expire, and then have a process that both rotates and notifies stakeholders. I’ve implemented this email system with the Graph API client to avoid spam.&lt;/P&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;It’s also worth noting that if you work with &lt;SPAN class=""&gt;&lt;STRONG&gt;Service Principals&lt;/STRONG&gt;&lt;/SPAN&gt;, you’ll need PATs anyway since they’re not human users. And even if you move to OAuth, you still face expiration periods — meaning you’ll have to reconnect or refresh sessions, which can also break ingestion pipelines or refreshes. For example, I’ve seen this happen with &lt;SPAN class=""&gt;&lt;STRONG&gt;Power BI dashboards&lt;/STRONG&gt;&lt;/SPAN&gt;, where failed refreshes were reported just because the OAuth token had expired for the assigned user.&lt;BR /&gt;&lt;BR /&gt;Hope this helps, &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;BR /&gt;&lt;BR /&gt;Isi&lt;/P&gt;</description>
    <pubDate>Sun, 24 Aug 2025 20:12:17 GMT</pubDate>
    <dc:creator>Isi</dc:creator>
    <dc:date>2025-08-24T20:12:17Z</dc:date>
    <item>
      <title>PATs sharing in a global data platform</title>
      <link>https://community.databricks.com/t5/administration-architecture/pats-sharing-in-a-global-data-platform/m-p/128195#M3854</link>
      <description>&lt;P&gt;Hello all&lt;/P&gt;&lt;P&gt;Checking on how others implement sharing of Databricks personal access tokens for authentication wherein you have at least 25+ different technologies extracting data via SQL warehouses (imagine a global data platform that hosts data for usage across the company)&lt;/P&gt;&lt;P&gt;1. Some technologies don't support OAuth, for example Collibra and Knime, forcing us to generate PATs&lt;/P&gt;&lt;P&gt;2. Some technologies can't read from a key vault where we would like to put the PATs centrally, for example Collibra, Knime, Informatica&lt;/P&gt;&lt;P&gt;These situations are resulting in maintenance overhead for us. Though we have PAT expiry alerts, these need to be regenerated &amp;amp; sent to the respective stakeholders. How to document stakeholders at scale is another topic where I'd like to hear ideas.&lt;/P&gt;&lt;P&gt;Appreciate the mind share...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 12 Aug 2025 10:08:23 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/pats-sharing-in-a-global-data-platform/m-p/128195#M3854</guid>
      <dc:creator>noorbasha534</dc:creator>
      <dc:date>2025-08-12T10:08:23Z</dc:date>
    </item>
    <item>
      <title>Re: PATs sharing in a global data platform</title>
      <link>https://community.databricks.com/t5/administration-architecture/pats-sharing-in-a-global-data-platform/m-p/129527#M3948</link>
      <description>&lt;P&gt;Hey&amp;nbsp;&lt;a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/124839"&gt;@noorbasha534&lt;/a&gt;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P class=""&gt;Honestly, I really understand your pain around token management. I face the same situation myself and it can definitely become a headache, especially when you have multiple technologies in play, some of them open-source, and even cases where you end up overlapping tools that essentially try to do the same job.&lt;/P&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;From my experience, the best approach is to use a central system such as &lt;SPAN class=""&gt;&lt;STRONG&gt;Secret Manager&lt;/STRONG&gt;&lt;/SPAN&gt; or &lt;SPAN class=""&gt;&lt;STRONG&gt;Azure Key Vault&lt;/STRONG&gt;&lt;/SPAN&gt; as the secure place to store these PATs. If that’s not possible, then try to rely on role assumptions so that machines or services can fetch the required secrets dynamically without embedding them everywhere.&lt;/P&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;When it comes to rotation, my recommendation is to use the &lt;I&gt;same system&lt;/I&gt; for creation and rotation. For example, if you create PATs via Terraform, avoid rotating them with a separate Cloud Function or Lambda, otherwise you’ll constantly introduce drift. A better pattern is to leverage reporting capabilities to identify tokens that are about to expire, and then have a process that both rotates and notifies stakeholders. I’ve implemented this email system with the Graph API client to avoid spam.&lt;/P&gt;&lt;P class=""&gt;&amp;nbsp;&lt;/P&gt;&lt;P class=""&gt;It’s also worth noting that if you work with &lt;SPAN class=""&gt;&lt;STRONG&gt;Service Principals&lt;/STRONG&gt;&lt;/SPAN&gt;, you’ll need PATs anyway since they’re not human users. And even if you move to OAuth, you still face expiration periods — meaning you’ll have to reconnect or refresh sessions, which can also break ingestion pipelines or refreshes. For example, I’ve seen this happen with &lt;SPAN class=""&gt;&lt;STRONG&gt;Power BI dashboards&lt;/STRONG&gt;&lt;/SPAN&gt;, where failed refreshes were reported just because the OAuth token had expired for the assigned user.&lt;BR /&gt;&lt;BR /&gt;Hope this helps, &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;BR /&gt;&lt;BR /&gt;Isi&lt;/P&gt;</description>
      <pubDate>Sun, 24 Aug 2025 20:12:17 GMT</pubDate>
      <guid>https://community.databricks.com/t5/administration-architecture/pats-sharing-in-a-global-data-platform/m-p/129527#M3948</guid>
      <dc:creator>Isi</dc:creator>
      <dc:date>2025-08-24T20:12:17Z</dc:date>
    </item>
  </channel>
</rss>