
Is there a way to refresh tokens issued on behalf of service principal?

amichel
New Contributor III

I want to be able to refresh tokens generated on behalf of a service principal via the Token Management API, just like with any other service where OAuth is used and a refresh token endpoint is available.

Allowing indefinite or very long expiration for access tokens is not a great solution and would raise concerns during compliance audits, while shorter expiration means automation pipelines will stop working often, requiring an admin user to log in via SSO and call the API again to generate a new token.

Accepted Solution

Hubert-Dudek
Esteemed Contributor III

Refresh option would be useful.

In Azure you could use Azure Automation to make a "refresh" script:

  • delete if still exists
  • create token via: "databricks tokens create"
  • put it to Azure Key Vault with expiration data


3 REPLIES

Anonymous
Not applicable

@Alex Michel​ - My name is Piper and I'm one of the moderators for Databricks. Welcome to the community and thank you for your question! Let's give it a while longer to see how the community responds. If nothing is forthcoming, we'll circle back around to this.

amichel
New Contributor III

Thanks @Hubert Dudek

Appreciate your fast response.

So the idea is to simulate refresh by using the token to authenticate to the API, create a new token and then delete itself.

Another issue, with Azure specifically, is that the Create Service Principal API in Azure requires the Azure AD SP to be created in the first place via app registration, which in turn requires elevated permissions in AAD and using the Azure AD API, not the pure Databricks API.
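
The rotation discussed in this thread (create a token, store it in Azure Key Vault with its expiry, remove the old one), as an added example that is not part of any post above. It uses the Databricks Token API endpoints `/api/2.0/token/list`, `/token/create` and `/token/delete`; `ROTATION_TAG`, `make_call` and `store_secret` (the Key Vault write) are hypothetical names, and old tokens are revoked only after the new one has been stored.

```python
import json
import urllib.request
from datetime import datetime, timezone

ROTATION_TAG = "pipeline-rotated"  # assumption: comment marking tokens this job owns


def databricks_api(host, token):
    """Return call(method, path, body) for the workspace REST API, using `token`."""
    def call(method, path, body=None):
        req = urllib.request.Request(
            f"{host}/api/2.0{path}",
            data=json.dumps(body).encode() if body is not None else None,
            method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")
    return call


def rotate_token(make_call, current_token, store_secret, lifetime_seconds=86400):
    """Create a replacement token, store it, then revoke older tagged tokens.

    make_call(token) -> call(method, path, body); store_secret(value, expires)
    is a hypothetical callback that writes the secret (e.g. to Key Vault).
    """
    call = make_call(current_token)
    old_ids = [t["token_id"]
               for t in call("GET", "/token/list").get("token_infos", [])
               if t.get("comment") == ROTATION_TAG]
    created = call("POST", "/token/create",
                   {"lifetime_seconds": lifetime_seconds, "comment": ROTATION_TAG})
    info = created["token_info"]
    # expiry_time is epoch milliseconds; keep it so the secret expires with the token.
    expires = datetime.fromtimestamp(info["expiry_time"] / 1000, tz=timezone.utc)
    # Store first: if this raises, nothing is revoked and the old token still works.
    store_secret(created["token_value"], expires)
    # Revoke with the new token, so deleting the token we started with
    # cannot cut the loop short.
    revoke = make_call(created["token_value"])
    for token_id in old_ids:
        revoke("POST", "/token/delete", {"token_id": token_id})
    return {"token_id": info["token_id"], "expires": expires, "revoked": old_ids}
```

A scheduled job would call `rotate_token(lambda t: databricks_api(HOST, t), current_token, store)`, where `store` wraps the Key Vault write, for example `az keyvault secret set` with `--expires`.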
