Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.
Databricks Apps - Automating Unity Catalog Privileges for Databricks Apps Service Principals

ismaelhenzel
Contributor II

I am using Databricks Apps, and I want to grant privileges to the auto-generated service principal from the app to read specific Unity Catalog schemas. I can't find a way to do this automatically using Asset Bundles.

I prefer to query using a service principal rather than users to avoid making frequent changes to groups or schemas for general apps. However, it is very tedious to grant the permissions manually when managing QA and Prod environments.

My thoughts are:

  1. Should I create an external service principal for this kind of data app?

  2. Should I use the service principal created automatically in the app? How do I automate that? Maybe with Terraform instead of Asset Bundles?

  3. Should I create a group for each app and apply it to the schemas that I need?

I really want to use the second option, but I need it to be fully automated.

3 REPLIES

Coffee77
Contributor III

Why not run a Databricks CLI script to first assign the proper permissions (https://docs.databricks.com/aws/en/dev-tools/cli/reference/account-commands) and then run DAB? This was my approach to deploy some components not yet available in previous versions of DAB, until they were incorporated. On the other hand, I also agree that everything with an automation flavor should use service principals 🙂


Lifelong Learner Cloud & Data Solution Architect | https://www.youtube.com/@CafeConData

This is a possible solution. The Databricks service principal for the data app only exists after its deployment in the platform. Then, after deployment, I could get the ID that the principal of the data app received, and then apply the necessary read grants inside the CI/CD. But I hope that Databricks incorporates this in the future. As you said, this could be a temporary fix until a release incorporates the feature directly in the bundle. Thanks for the answer.
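The deploy-then-grant step described above, written out as an added example (not code from the thread or from Databricks). It assumes the current Databricks CLI (`databricks bundle deploy`, `databricks apps get`, `databricks grants update`) and that `databricks apps get` returns a `service_principal_client_id` field; the app, catalog and schema names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Databricks CLI commands named
# above and that "databricks apps get" reports service_principal_client_id.
set -eu

# Constructed sample of what "databricks apps get <app> --output json" returns
# (only the fields this script cares about).
SAMPLE_APP_JSON='{ "name": "my-app",
  "service_principal_client_id": "00000000-0000-0000-0000-000000000001",
  "service_principal_name": "app-my-app" }'

# Pull the app service principal's client id (the principal name Unity Catalog
# grants expect) out of the JSON. Works for compact and pretty-printed output.
extract_client_id() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"service_principal_client_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Build the --json body for "databricks grants update": one principal, privileges
# are added (never replaced), so re-running the CI/CD job is harmless.
grant_body() {
  principal="$1"; shift
  privs=""
  for p in "$@"; do
    privs="${privs:+$privs,}\"$p\""
  done
  printf '{"changes":[{"principal":"%s","add":[%s]}]}' "$principal" "$privs"
}

# Least-privilege read path for one schema: USE CATALOG on the catalog,
# USE SCHEMA + SELECT on that schema only, nothing catalog-wide.
grant_schema_read() {
  app_name="$1"; catalog="$2"; schema="$3"
  app_json=$(databricks apps get "$app_name" --output json)
  sp=$(extract_client_id "$app_json")
  [ -n "$sp" ] || { echo "no service principal found for app $app_name" >&2; return 1; }
  databricks grants update catalog "$catalog" --json "$(grant_body "$sp" USE_CATALOG)"
  databricks grants update schema "$catalog.$schema" --json "$(grant_body "$sp" USE_SCHEMA SELECT)"
}

# CI/CD order: deploy the bundle first (this creates the app and its service
# principal), then grant. Usage: RUN_GRANTS=1 ./grant.sh prod my-app main reporting
if [ "${RUN_GRANTS:-0}" = 1 ]; then
  databricks bundle deploy -t "$1"
  grant_schema_read "$2" "$3" "$4"
fi
```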

I also hope so 🙂


Lifelong Learner Cloud & Data Solution Architect | https://www.youtube.com/@CafeConData