What's the difference between dbmanagedidentity and a storage credential based on managed identity?

lucami — Thu, 11 Dec 2025 16:23:10 GMT

I’m looking for guidance on the differences between:

dbmanagedidentity (the workspace-managed identity), and
Unity Catalog storage credentials based on Azure Managed Identity

Specifically, I’d like to understand:

What are the key differences between these two approaches?
In which scenarios should we use one versus the other—for example, when accessing an Azure Blob container or when querying Cosmos DB from a Databricks notebook?

Re: What's the difference between dbmanagedidentity and a storage credential based on managed identi

Poorva21 — Thu, 11 Dec 2025 16:57:16 GMT

1. dbmanagedidentity is the Workspace-Managed Identity (WMI) that Databricks automatically creates when your workspace is deployed (in Azure).

It is the identity used by compute resources such as:

Jobs compute

All-purpose clusters

SQL warehouses

Model serving endpoints

You can assign Azure roles (RBAC) to it—for example:

Storage Blob Data Reader/Contributor on a container

Cosmos DB RBAC roles

Key Vault Secrets User

Event Hub Data Sender

Think of it as:
➡️“Identity used by Databricks compute to access external Azure services.”

dbmanagedidentity (Workspace-Managed Identity)

This is the identity that the Databricks workspace and compute clusters use when they make outbound calls to Azure services.

Automatically created with workspace

Bound to the workspace’s compute plane

Used by clusters, jobs, SQL warehouses, and model serving

Works with all Azure services that support Managed Identity

Access is controlled via Azure RBAC, not Unity Catalog

No connection to UC lineage/governance

Best for:

🔸Calling Azure services from code (Cosmos DB, Key Vault, Event Hub)

🔸Direct Blob/ADLS access via Spark or SDKs

🔸Any resource not governed by Unity Catalog

2. This is a Unity Catalog object created by an admin:

CREATE STORAGE CREDENTIAL my_cred

IDENTITY 'abcd-1234...' -- resource ID of a user-assigned managed identity

WITH PURPOSE 'MANAGED';

It points to a User-Assigned Managed Identity (UAMI) you control.

This credential is then attached to:

External locations

External tables

Volumes

Lakehouse Federation (in some cases)

Think of it as:
➡️“Identity used by Unity Catalog to govern storage access.”

Unity Catalog Storage Credential (UAMI-based)

A Unity Catalog object that references a User-Assigned Managed Identity (UAMI).

Used only to access storage (Blob / ADLS)

Tied to external locations, volumes, external tables

Governs data access through Unity Catalog permissions

Not used by clusters to call APIs

Provides lineage, audit, and fine-grained privilege control

Can be shared across multiple workspaces

Best for:

🔸External tables in UC

🔸External volumes

🔸Data governance and lineage

🔸Shared storage access across dev/test/prod workspaces

Re: What's the difference between dbmanagedidentity and a storage credential based on managed identi

Raman_Unifeye — Thu, 11 Dec 2025 23:16:59 GMT

Avoid dbmanagedidentity for Data Access. It should be strictly limited to infrastructure tasks (like writing cluster logs) and not used for data access in a UC-enabled environment.

Re: What's the difference between dbmanagedidentity and a storage credential based on managed identi

Raman_Unifeye — Thu, 11 Dec 2025 23:22:05 GMT

use dbmanageidentity for non‑storage Azure services, such as Cosmos DB, Azure SQL, Event Hub, Key vault.

topic Re: What's the difference between dbmanagedidentity and a storage credential based on managed identi in Data Engineering

What's the difference between dbmanagedidentity and a storage credential based on managed identity?

Re: What's the difference between dbmanagedidentity and a storage credential based on managed identi

Re: What's the difference between dbmanagedidentity and a storage credential based on managed identi

Re: What's the difference between dbmanagedidentity and a storage credential based on managed identi