Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.

What's the difference between dbmanagedidentity and a storage credential based on managed identity?

mai_luca
New Contributor III

I’m looking for guidance on the differences between:

  • dbmanagedidentity (the workspace-managed identity), and
  • Unity Catalog storage credentials based on Azure Managed Identity

Specifically, I’d like to understand:

  1. What are the key differences between these two approaches?
  2. In which scenarios should we use one versus the other—for example, when accessing an Azure Blob container or when querying Cosmos DB from a Databricks notebook?

1 REPLY

Poorva21
New Contributor

1. dbmanagedidentity is the Workspace-Managed Identity (WMI) that Databricks automatically creates when your workspace is deployed (in Azure).

It is the identity used by compute resources such as:

  • Jobs compute
  • All-purpose clusters
  • SQL warehouses
  • Model serving endpoints

You can assign Azure roles (RBAC) to it—for example:

  • Storage Blob Data Reader/Contributor on a container
  • Cosmos DB RBAC roles
  • Key Vault Secrets User
  • Event Hub Data Sender

Think of it as:
➡️ “Identity used by Databricks compute to access external Azure services.”

dbmanagedidentity (Workspace-Managed Identity)

This is the identity that the Databricks workspace and compute clusters use when they make outbound calls to Azure services.

  • Automatically created with workspace
  • Bound to the workspace’s compute plane
  • Used by clusters, jobs, SQL warehouses, and model serving
  • Works with all Azure services that support Managed Identity
  • Access is controlled via Azure RBAC, not Unity Catalog
  • No connection to UC lineage/governance

Best for:

  🔸 Calling Azure services from code (Cosmos DB, Key Vault, Event Hub)
  🔸 Direct Blob/ADLS access via Spark or SDKs
  🔸 Any resource not governed by Unity Catalog

2. This is a Unity Catalog object created by an admin:

    CREATE STORAGE CREDENTIAL my_cred
    IDENTITY 'abcd-1234...' -- resource ID of a user-assigned managed identity
    WITH PURPOSE 'MANAGED';

It points to a User-Assigned Managed Identity (UAMI) you control.

This credential is then attached to:

  • External locations
  • External tables
  • Volumes
  • Lakehouse Federation (in some cases)

Think of it as:
➡️ “Identity used by Unity Catalog to govern storage access.”

Unity Catalog Storage Credential (UAMI-based)

A Unity Catalog object that references a User-Assigned Managed Identity (UAMI).

  • Used only to access storage (Blob / ADLS)
  • Tied to external locations, volumes, external tables
  • Governs data access through Unity Catalog permissions
  • Not used by clusters to call APIs
  • Provides lineage, audit, and fine-grained privilege control
  • Can be shared across multiple workspaces

Best for:

  🔸 External tables in UC
  🔸 External volumes
  🔸 Data governance and lineage
  🔸 Shared storage access across dev/test/prod workspaces
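An added example, not part of this thread or of Databricks' own tooling, that turns the reply's distinction into a governance check: it scans role assignments in the shape of `az role assignment list -o json` output and flags Storage Blob Data roles granted to the workspace-managed identity, since those give every cluster, job and SQL warehouse direct storage access outside Unity Catalog privileges, audit and lineage, while roles on non-storage services (Key Vault, Event Hub) are that identity's intended use. The principal IDs, scopes and resource names are constructed for the example.

```python
import json

# Constructed sample shaped like `az role assignment list --all -o json`, trimmed to the
# fields the check uses. Principal IDs, scopes and names are made up for this example.
WORKSPACE_MI = "11111111-1111-1111-1111-111111111111"  # assumed: the dbmanagedidentity principal
UC_UAMI = "22222222-2222-2222-2222-222222222222"       # assumed: UAMI behind a UC storage credential
SAMPLE_ASSIGNMENTS = json.loads("""[
 {"principalId": "11111111-1111-1111-1111-111111111111", "roleDefinitionName": "Storage Blob Data Contributor",
  "scope": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/lakeprod"},
 {"principalId": "11111111-1111-1111-1111-111111111111", "roleDefinitionName": "Storage Blob Data Reader",
  "scope": "/subscriptions/sub"},
 {"principalId": "11111111-1111-1111-1111-111111111111", "roleDefinitionName": "Key Vault Secrets User",
  "scope": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-prod"},
 {"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Storage Blob Data Contributor",
  "scope": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/lakeprod/blobServices/default/containers/bronze"}
]""")
STORAGE_DATA_ROLES = {"Storage Blob Data Reader", "Storage Blob Data Contributor", "Storage Blob Data Owner"}


def scope_breadth(scope):
    """'broad' = subscription or resource group, 'account', 'container', or 'other' (non-storage)."""
    if "/providers/Microsoft.Storage/storageAccounts/" not in scope:
        return "broad" if "/providers/" not in scope else "other"
    return "container" if "/containers/" in scope else "account"


def audit_workspace_identity(assignments, workspace_mi_id):
    """Flag storage data-plane roles held by the workspace-managed identity.

    Such grants let every cluster, job and SQL warehouse in the workspace read the storage
    directly, outside Unity Catalog privileges, audit and lineage. Roles on non-storage
    services (Key Vault, Event Hub, ...) are the intended use of that identity and pass.
    """
    findings = []
    for a in assignments:
        if a["principalId"] != workspace_mi_id or a["roleDefinitionName"] not in STORAGE_DATA_ROLES:
            continue
        breadth = scope_breadth(a["scope"])
        if breadth == "other":  # a storage role on a non-storage resource grants nothing; skip
            continue
        findings.append({"role": a["roleDefinitionName"], "scope": a["scope"],
                         "severity": "high" if breadth == "broad" else "medium",
                         "advice": "grant the role to the UAMI behind a UC storage credential and "
                                   "expose the path as an external location instead"})
    return sorted(findings, key=lambda f: f["severity"])  # "high" sorts before "medium"


if __name__ == "__main__":
    for f in audit_workspace_identity(SAMPLE_ASSIGNMENTS, WORKSPACE_MI):
        print(f["severity"], f["role"], f["scope"])
```

On real output, point `audit_workspace_identity` at the principal ID shown for `dbmanagedidentity` in the workspace's managed resource group; subscription- or resource-group-wide storage roles are reported first because they cover every storage account beneath them.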