cancel
Showing results forย 
Search instead forย 
Did you mean:ย 
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

Generating Personal Access Token to service principle databricks cli

pedrojunqueira
New Contributor II

Hi I am having issues generating personal access token to my service principle.

I followed the steps from here 

my `~/.databrickscfg` has the following

```

[my-profile-name]
host = <account-console-url>
account_id = <account-id>
azure_tenant_id = <azure-service-principal-tenant-id>
azure_client_id = <azure-service-principal-application-id>
azure_client_secret = <azure-service-principal-client-secret>

```

then if I do the command 

`databricks tokens create --comment <comment> --lifetime-seconds <lifetime-seconds> -p my-profile-name`

it DOES generates a token BUT to my user authenticated (my email)

then I try to do any other command to deploy dabs (Databricks Asset Bundle) and it always default to my authenticated user.

like if I do a [EDITED]

`databricks bundle deploy --profile my-profile-name`

then it deploys to my user not what I specified in the profile...

```

Name: python_package
Target: dev
Workspace:
Host: https://adb-1666302976490045.5.azuredatabricks.net
User: pedrocj@gmail.com
Path: /Users/pedrocj@gmail.com/.bundle/python_package/dev

Validation OK!

```

I would expect to validate or deploy to my service principle that is defined in the `~/.databrickscfg`

I added the service principle to be a workspace adm and give all the associated permissions in the the account console.

what I am doing wrong?

Cheers

Pedro

PS: I did it couple of days ago and all works like a charm. But now It is not working. 

1 ACCEPTED SOLUTION

Accepted Solutions

Walter_C
Databricks Employee
Databricks Employee

Hello Pedro, you can create tokens on behalf service principal by running command on CLI:

databricks token-management create-obo-token <application-id> --lifetime-seconds <lifetime-seconds> --comment <comment> -p <profile-name>

Or by API call https://docs.databricks.com/api/workspace/tokenmanagement/createobotoken

The command you are running is only set for user PAT token, this is why it authenticates with your user.

View solution in original post

4 REPLIES 4

Walter_C
Databricks Employee
Databricks Employee

Hello Pedro, you can create tokens on behalf service principal by running command on CLI:

databricks token-management create-obo-token <application-id> --lifetime-seconds <lifetime-seconds> --comment <comment> -p <profile-name>

Or by API call https://docs.databricks.com/api/workspace/tokenmanagement/createobotoken

The command you are running is only set for user PAT token, this is why it authenticates with your user.

Hi Walter,

Thanks for the reply. I have not tried your method but will accept as an alternative solution. What end up working for me was to to a machine-to-machine authentication with the service principal and generating a token from the

authenticated used.

Had to have the profile configured as 

[your-sp-profile-name]
host = https://<host>.azuredatabricks.net
client_id = <appId>
client_secret = <service principle Oauth Token>


Then to generate a pat just do 

databricks tokens create --comment dab -p your-sp-profile-name

Docs for azure is here 

PabloCSD
Contributor II

I want something similar, to use a service principal token instead of a PAT, have you ever done this?

https://community.databricks.com/t5/administration-architecture/use-a-service-principal-token-instea...

dataeng42io
New Contributor III

Hi @PabloCSD I will reply in your original post about how you may be able to resolve this issue.

Regards

Pedro

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group