Limit the scope of workspace level access token to access only specific REST APIs of Databricks
03-06-2024 04:19 AM
Hi Community,
Is there a way to limit the scope of a workspace-level token to hit only certain REST APIs of Databricks?
In short, once we generate a workspace-level token following this doc. Link: https://docs.databricks.com/en/dev-tools/auth/oauth-m2m.html#manually-generate-a-workspace-level-acc...
I see we can generate token via:
curl --request POST \
  --url <token-endpoint-URL> \
  --user "$CLIENT_ID:$CLIENT_SECRET" \
  --data 'grant_type=client_credentials&scope=all-apis'
But here, the scope=all-apis, which gives access to all APIs. Can I limit the APIs which the entity can access using the token, as a part of ensuring better security?
03-11-2024 11:28 PM
Hi @Retired_mod,
Thanks for the response. Noted.
I have 1 doubt: Can I restrict the token's access to only specific REST APIs? In other words, once I use the token and set up bearer-token-based auth and try accessing different REST APIs provided by Databricks, like, consider the below 3 APIs:
i) /api/2.1/unity-catalog/catalogs
ii) /api/2.0/preview/sql/queries
03-11-2024 11:28 PM - edited 03-11-2024 11:29 PM
<Replied to previous message as response to @Retired_mod's answer>

