Monitor and manage personal access tokens
To authenticate to the Azure Databricks REST API, a user can create a personal access token and use it in their REST API request. This article explains how workspace admins can manage personal access tokens in their workspace.
To create a personal access token, see Azure Databricks personal access token authentication.
Overview of personal access token management
Personal access tokens are enabled by default for all Azure Databricks workspaces that were created in 2018 or later.
When personal access tokens are enabled on a workspace, users with the CAN USE permission can generate personal access tokens to access Azure Databricks REST APIs, and they can generate these tokens with any expiration date they like, including an indefinite lifetime. By default, no non-admin workspace users have the CAN USE permission, meaning that they cannot create or use personal access tokens.
As an Azure Databricks workspace admin, you can disable personal access tokens for a workspace, monitor and revoke tokens, control which non-admin users can create tokens and use tokens, and set a maximum lifetime for new tokens.
Managing personal access tokens in your workspace requires the Premium plan. To create a personal access token, see Azure Databricks personal access token authentication.
Enable or disable personal access token authentication for the workspace
Personal access token authentication is enabled by default for all Azure Databricks workspaces that were created in 2018 or later. You can change this setting in the workspace settings page.
When personal access tokens are disabled for a workspace, personal access tokens cannot be used to authenticate to Azure Databricks and workspace users and service principals cannot create new tokens. No tokens are deleted when you disable personal access token authentication for a workspace. If tokens are re-enabled later, any non-expired tokens are available for use.
If you want to disable token access for a subset of users, you can keep personal access token authentication enabled for the workspace and set fine-grained permissions for users and groups. See Control who can create and use tokens.
Warning
Partner integrations require personal access tokens to be enabled on a workspace.
To disable the ability to create and use personal access tokens for the workspace:
Go to the settings page.
Click the Advanced tab.
Click the Personal Access Tokens toggle.
Click Confirm.
This change may take a few seconds to take effect.
You can also use the Workspace configuration API to disable personal access tokens for the workspace.
Control who can create and use tokens
Workspace admins can set permissions on personal access tokens to control which users, service principals, and groups can create and use tokens. For details on how to configure personal access token permissions, see Manage access to Azure Databricks automation.
Set maximum lifetime of new tokens
You can manage the maximum lifetime of new tokens in your workspace using the Databricks CLI. This limit applies only to new tokens.
Set maxTokenLifetimeDays
to the maximum token lifetime of new tokens in days, as an integer. If you set it to zero, new tokens are permitted to have no lifetime limit. For example:
databricks workspace-conf set-status --json '{
"maxTokenLifetimeDays": "90"
}'
You can also use the Workspace configuration API to manage the maximum lifetime for new tokens in a workspace.
Monitor and revoke tokens
This section describes how to use the Databricks CLI to manage existing tokens in the workspace. You can also use the Token Management API.
Get tokens for the workspace
To get the workspace's tokens:
databricks token-management list
You can filter results by a user by using the flags created-by-id
(to filter by the user ID) or created-by-username
(to filter by the username).
For example:
databricks token-management list --created-by-username user@company.com
Example response:
ID Created By Comment
token-id user@company.com dev
Delete (revoke) a token
To delete a token, replace TOKEN_ID with the id of the token to delete:
databricks token-management delete TOKEN_ID