
Is there a way to refresh tokens issued on behalf of service principal?

amichel
New Contributor III

I want to be able to refresh tokens generated on behalf of a service principal via the Token Management API, just like with any other service where OAuth is used and a refresh token endpoint is available.

Allowing indefinite or very long expiration for access tokens is not a great solution and would raise concerns during compliance audits, while shorter expiration means automation pipelines will stop working often, requiring an admin user to log in via SSO and call the API again to generate a new token.

Accepted Solutions

Hubert-Dudek
Esteemed Contributor III

A refresh option would be useful.

In Azure you could use Azure Automation to make a "refresh" script:

  • delete if still exists
  • create token via: "databricks tokens create"
  • put it into Azure Key Vault with expiration data


3 REPLIES 3

Anonymous
Not applicable

@Alex Michel - My name is Piper and I'm one of the moderators for Databricks. Welcome to the community and thank you for your question! Let's give it a while longer to see how the community responds. If nothing is forthcoming, we'll circle back around to this.

amichel
New Contributor III

Thanks @Hubert Dudek

Appreciate your fast response.

So the idea is to simulate refresh by using the token to authenticate to the API, create a new token and then delete itself.

Another issue, with Azure specifically, is that the Create Service Principal API in Azure requires an Azure AD SP to be created in the first place via app registration, which in turn requires elevated permissions in AAD and using the Azure AD API, not the pure Databricks API.
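
The simulated refresh discussed in this thread, as an added example that is not code from any of the posts: the current token authenticates the creation of its successor, the successor is written to Key Vault with an expiry, and only then is the old token revoked, so a failure part-way leaves a working credential. Assumptions: the token lives in a Key Vault secret whose `token_id` tag holds the Databricks token id, `vault_bearer` is an Azure AD access token for Key Vault obtained elsewhere (for example by the Automation account's identity), and the function and parameter names are hypothetical.

```python
import json
import urllib.request

KV_API = "api-version=7.4"  # Key Vault REST API version (assumption: adjust to your vault)


def http_json(method, url, bearer, body=None):
    """Minimal JSON-over-HTTPS transport using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {bearer}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def rotate_token(workspace, vault, secret_name, vault_bearer,
                 lifetime_s=7 * 24 * 3600, call=http_json):
    """Create a successor token, store it with an expiry, then revoke the old one."""
    secret_url = f"{vault}/secrets/{secret_name}?{KV_API}"

    # 1. Read the current token and its Databricks token id (kept as a tag).
    old = call("GET", secret_url, vault_bearer)
    old_token, old_id = old["value"], old.get("tags", {}).get("token_id")

    # 2. Authenticate with the current token and create the replacement.
    new = call("POST", f"{workspace}/api/2.0/token/create", old_token,
               {"lifetime_seconds": lifetime_s, "comment": "rotated by automation"})
    info = new["token_info"]
    expiry_s = info["expiry_time"] // 1000  # Databricks: epoch ms, Key Vault: epoch s

    # 3. Store the replacement before revoking anything; the new secret version
    #    carries the expiry and the id needed for the next rotation.
    call("PUT", secret_url, vault_bearer, {
        "value": new["token_value"],
        "attributes": {"exp": expiry_s},
        "tags": {"token_id": info["token_id"]}})

    # 4. Revoke the previous token, authenticating with the new one.
    if old_id:
        call("POST", f"{workspace}/api/2.0/token/delete", new["token_value"],
             {"token_id": old_id})
    return info["token_id"], expiry_s
```

Schedule the rotation at an interval shorter than `lifetime_s`, and keep token values out of job output and logs.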
