Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.

Generating Personal Access Token to service principal databricks cli

pedrojunqueira
New Contributor II

Hi, I am having issues generating a personal access token for my service principal.

I followed the steps from here 

my `~/.databrickscfg` has the following

```

[my-profile-name]
host = <account-console-url>
account_id = <account-id>
azure_tenant_id = <azure-service-principal-tenant-id>
azure_client_id = <azure-service-principal-application-id>
azure_client_secret = <azure-service-principal-client-secret>

```

then if I do the command 

`databricks tokens create --comment <comment> --lifetime-seconds <lifetime-seconds> -p my-profile-name`

it DOES generate a token BUT for my authenticated user (my email)

then I try to do any other command to deploy DABs (Databricks Asset Bundles) and it always defaults to my authenticated user.

like if I do a [EDITED]

`databricks bundle deploy --profile my-profile-name`

then it deploys to my user not what I specified in the profile...

```

Name: python_package
Target: dev
Workspace:
Host: https://adb-1666302976490045.5.azuredatabricks.net
User: pedrocj@gmail.com
Path: /Users/pedrocj@gmail.com/.bundle/python_package/dev

Validation OK!

```

I would expect to validate or deploy to my service principal that is defined in the `~/.databrickscfg`

I added the service principal as a workspace admin and gave it all the associated permissions in the account console.

What am I doing wrong?

Cheers

Pedro

PS: I did it a couple of days ago and it all worked like a charm. But now it is not working.

1 ACCEPTED SOLUTION

Accepted Solutions

Walter_C
Honored Contributor

Hello Pedro, you can create tokens on behalf of a service principal by running this command on the CLI:

```
databricks token-management create-obo-token <application-id> --lifetime-seconds <lifetime-seconds> --comment <comment> -p <profile-name>
```

Or by API call: https://docs.databricks.com/api/workspace/tokenmanagement/createobotoken

The command you are running is only set up for user PAT tokens; this is why it authenticates with your user.


2 REPLIES 2


Hi Walter,

Thanks for the reply. I have not tried your method but will accept it as an alternative solution. What ended up working for me was to do machine-to-machine authentication with the service principal and generate a token from the authenticated user.

I had to have the profile configured as

```
[your-sp-profile-name]
host = https://<host>.azuredatabricks.net
client_id = <appId>
client_secret = <service principal OAuth Token>
```

Then to generate a PAT just do

```
databricks tokens create --comment dab -p your-sp-profile-name
```

Docs for Azure are here 
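
A pre-flight check for the problem in this thread, as an added example that is not from the original posts: before creating a token or deploying a bundle with a profile, confirm that the profile resolves to the service principal and not to a human user. It assumes `databricks current-user me` reports a service principal's `userName` as its application ID; the function names and sample responses are constructed for illustration.

```python
import json
import re
import subprocess
import sys

# Assumption: `databricks current-user me` reports a service principal's
# userName as its application (client) ID, and a human user's as an e-mail.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample responses (not real identities).
SAMPLE_USER = {"userName": "someone@example.com", "displayName": "Some One"}
SAMPLE_SP = {"userName": "11111111-2222-3333-4444-555555555555",
             "displayName": "dab-deployer"}


def identity_kind(me):
    """Classify the authenticated identity from its userName."""
    name = me.get("userName", "")
    if UUID_RE.match(name):
        return "service-principal"
    return "user" if "@" in name else "unknown"


def check_identity(me, expected_app_id):
    """Return (ok, message): does the profile resolve to the expected SP?"""
    name = me.get("userName", "")
    if name and name.lower() == expected_app_id.lower():
        return True, f"authenticated as service principal {name}"
    return False, (f"authenticated as {identity_kind(me)} {name!r}, "
                   f"expected service principal {expected_app_id}")


def whoami(profile):
    """Ask the CLI which identity the given profile authenticates as."""
    out = subprocess.run(
        ["databricks", "current-user", "me", "--profile", profile,
         "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Usage: python check_profile.py <profile-name> <application-id>
    ok, message = check_identity(whoami(sys.argv[1]), sys.argv[2])
    print(message)
    sys.exit(0 if ok else 1)
```

Run as a gate in a deployment script, a non-zero exit stops the pipeline before a token is minted for, or a bundle is deployed under, the wrong identity.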
