Thursday
I’m looking for guidance on the differences between:
Specifically, I’d like to understand:
Thursday - last edited Thursday
1. dbmanagedidentity is the Workspace-Managed Identity (WMI) that Databricks automatically creates when your workspace is deployed (in Azure).
It is the identity used by compute resources such as:
Jobs compute
All-purpose clusters
SQL warehouses
Model serving endpoints
You can assign Azure roles (RBAC) to it—for example:
Storage Blob Data Reader/Contributor on a container
Cosmos DB RBAC roles
Key Vault Secrets User
Event Hub Data Sender
Think of it as:
➡️“Identity used by Databricks compute to access external Azure services.”
dbmanagedidentity (Workspace-Managed Identity)
This is the identity that the Databricks workspace and compute clusters use when they make outbound calls to Azure services.
Automatically created with workspace
Bound to the workspace’s compute plane
Used by clusters, jobs, SQL warehouses, and model serving
Works with all Azure services that support Managed Identity
Access is controlled via Azure RBAC, not Unity Catalog
No connection to UC lineage/governance
Best for:
🔸Calling Azure services from code (Cosmos DB, Key Vault, Event Hub)
🔸Direct Blob/ADLS access via Spark or SDKs
🔸Any resource not governed by Unity Catalog
2. This is a Unity Catalog object created by an admin:
CREATE STORAGE CREDENTIAL my_cred
IDENTITY 'abcd-1234...' -- resource ID of a user-assigned managed identity
WITH PURPOSE 'MANAGED';
It points to a User-Assigned Managed Identity (UAMI) you control.
This credential is then attached to:
External locations
External tables
Volumes
Lakehouse Federation (in some cases)
Think of it as:
➡️“Identity used by Unity Catalog to govern storage access.”
Unity Catalog Storage Credential (UAMI-based)
A Unity Catalog object that references a User-Assigned Managed Identity (UAMI).
Used only to access storage (Blob / ADLS)
Tied to external locations, volumes, external tables
Governs data access through Unity Catalog permissions
Not used by clusters to call APIs
Provides lineage, audit, and fine-grained privilege control
Can be shared across multiple workspaces
Best for:
🔸External tables in UC
🔸External volumes
🔸Data governance and lineage
🔸Shared storage access across dev/test/prod workspaces
Thursday
Avoid dbmanagedidentity for Data Access. It should be strictly limited to infrastructure tasks (like writing cluster logs) and not used for data access in a UC-enabled environment.
Thursday
Use dbmanagedidentity for non-storage Azure services, such as Cosmos DB, Azure SQL, Event Hub, Key Vault.
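A way to check the two replies above against a real subscription, as an added example (not from the thread or from Databricks): it walks role assignments in the shape `az role assignment list --all -o json` returns and flags any storage data-plane role held by the workspace identity, since in a Unity Catalog workspace that access should come from a UC storage credential (UAMI) instead. The records and the object ID of the workspace identity are constructed placeholders.

```python
"""Audit Azure RBAC on the Databricks workspace-managed identity (dbmanagedidentity).

Guidance from the thread: keep the workspace identity on non-storage services
(Key Vault, Cosmos DB, Event Hub, ...) and infrastructure tasks; route Blob/ADLS
data access through a Unity Catalog storage credential backed by a UAMI.
"""
import json

# Azure built-in roles that grant data-plane access to Blob/ADLS storage.
STORAGE_DATA_ROLES = {
    "Storage Blob Data Reader",
    "Storage Blob Data Contributor",
    "Storage Blob Data Owner",
}

# Constructed placeholder: object (principal) ID of the workspace-managed identity.
WMI_OBJECT_ID = "11111111-2222-3333-4444-555555555555"


def storage_roles_on_identity(assignments, principal_id):
    """Return (role, scope) pairs where principal_id holds a storage data-plane role."""
    findings = []
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue
        if a.get("roleDefinitionName") in STORAGE_DATA_ROLES:
            findings.append((a["roleDefinitionName"], a["scope"]))
    return findings


# Constructed sample: one acceptable role on the workspace identity, one storage role
# on it that should move to a UC storage credential, and the UAMI's own storage role.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalId": "11111111-2222-3333-4444-555555555555", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/<sub-id>/resourceGroups/rg-data/providers/Microsoft.KeyVault/vaults/kv-example"},
  {"principalId": "11111111-2222-3333-4444-555555555555", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Storage Blob Data Contributor",
   "scope": "/subscriptions/<sub-id>/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stexample"},
  {"principalId": "99999999-8888-7777-6666-555555555555", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Storage Blob Data Contributor",
   "scope": "/subscriptions/<sub-id>/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stexample"}
]
""")

if __name__ == "__main__":
    for role, scope in storage_roles_on_identity(SAMPLE_ASSIGNMENTS, WMI_OBJECT_ID):
        print(f"REVIEW: workspace identity holds '{role}' on {scope}; "
              "grant this through a Unity Catalog storage credential (UAMI) instead")
```

Feed it the real output of `az role assignment list --all -o json` and the workspace identity's object ID to run it against your own subscription.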