Azure CLI authentication

Azure CLI authentication uses the Azure CLI to authenticate the signed-in user.

Note

Azure Databricks managed service principals are managed directly within Azure Databricks. Microsoft Entra ID managed service principals are managed in Microsoft Entra ID, which requires additional permissions. Databricks recommends you use OAuth machine-to-machine (M2M) authentication with Azure Databricks managed service principals in most scenarios instead of Azure CLI authentication with Microsoft Entra ID service principals. However, Databricks recommends that you use Azure CLI authentication with Microsoft Entra ID service principals in cases where you must authenticate with Azure Databricks and other Azure resources at the same time.

To use OAuth M2M authentication with Azure Databricks managed service principals instead of Azure CLI authentication with Microsoft Entra ID service principals, skip this article and see Authenticate access to Azure Databricks with a service principal using OAuth (OAuth M2M).

To configure with Azure Databricks, you must do the following:

  1. Have the Azure CLI authentication installed locally.
  2. Use the Azure CLI to log in to Azure Databricks by running the az login command. See:
  3. Set the following associated environment variables, .databrickscfg fields, Terraform fields, or Config fields:
    • The Azure Databricks host.
      • For account operations, specify https://accounts.databricks.azure.cn.
      • For workspace operations, specify the per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn.
    • For account operations, the Azure Databricks account ID.

To perform Azure CLI authentication with Azure Databricks, integrate the following within your code, based on the participating tool or SDK:

Environment

To use environment variables for a specific Azure Databricks authentication type with a tool or SDK, see Authenticate access to Azure Databricks resources or the tool's or SDK's documentation. See also Environment variables and fields for client unified authentication and the Default methods for client unified authentication.

For account-level operations, set the following environment variables:

  • DATABRICKS_HOST, set to the value of your Azure Databricks account console URL, https://accounts.databricks.azure.cn.
  • DATABRICKS_ACCOUNT_ID

For workspace-level operations, set the following environment variables:

  • DATABRICKS_HOST, set to the value of your Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn.

Profile

Create or identify an Azure Databricks configuration profile with the following fields in your .databrickscfg file. If you create the profile, replace the placeholders with the appropriate values. To use the profile with a tool or SDK, see Authenticate access to Azure Databricks resources or the tool's or SDK's documentation. See also Environment variables and fields for client unified authentication and the Default methods for client unified authentication.

For account-level operations, set the following values in your .databrickscfg file. In this case, the Azure Databricks account console URL is https://accounts.databricks.azure.cn:

[<some-unique-configuration-profile-name>]
host       = <account-console-url>
account_id = <account-id>

For workspace-level operations, set the following values in your .databrickscfg file. In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn:

[<some-unique-configuration-profile-name>]
host = <workspace-url>

CLI

For the Databricks CLI, do one of the following:

  • Set the environment variables as specified in this article's "Environment" section.
  • Set the values in your .databrickscfg file as specified in this article's "Profile" section.

Environment variables always take precedence over values in your .databrickscfg file.

See also Azure CLI authentication.

Connect

Note

Azure CLI authentication is supported on the following Databricks Connect versions:

  • For Python, Databricks Connect for Databricks Runtime 13.1 and above.
  • For Scala, Databricks Connect for Databricks Runtime 13.3 LTS and above.

For Databricks Connect, you can do one of the following:

  • Set the values in your .databrickscfg file for Azure Databricks workspace-level operations as specified in this article's "Profile" section. Also set the cluster_id environment variable in your profile to your per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn.
  • Set the environment variables for Azure Databricks workspace-level operations as specified in this article's "Environment" section. Also set the DATABRICKS_CLUSTER_ID environment variable to your per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn.

Values in your .databrickscfg file always take precedence over environment variables.

To initialize the Databricks Connect client with these environment variables or values in your .databrickscfg file, see Compute configuration for Databricks Connect.

VS Code

For the Databricks extension for Visual Studio Code, do the following:

  1. In the Configuration pane, click Configure Databricks.
  2. In the Command Palette, for Databricks Host, enter your per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn, and then press Enter.
  3. Select Azure CLI.

For more details, see Set up Azure CLI authentication.

Terraform

For account-level operations, for default authentication:

provider "databricks" {
  alias = "accounts"
}

For direct configuration (replace the retrieve placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as HashiCorp Vault. See also Vault Provider). In this case, the Azure Databricks account console URL is https://accounts.databricks.azure.cn:

provider "databricks" {
  alias      = "accounts"
  host       = <retrieve-account-console-url>
  account_id = <retrieve-account-id>
}

For workspace-level operations, for default authentication:

provider "databricks" {
  alias = "workspace"
}

For direct configuration (replace the retrieve placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as HashiCorp Vault. See also Vault Provider). In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn:

provider "databricks" {
  alias = "workspace"
  host  = <retrieve-workspace-url>
}

For more information about authenticating with the Databricks Terraform provider, see Authentication.

Python

For account-level operations, for default authentication:

from databricks.sdk import AccountClient

a = AccountClient()
# ...

For direct configuration (replace the retrieve placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the Azure Databricks account console URL is https://accounts.databricks.azure.cn:

from databricks.sdk import AccountClient

a = AccountClient(
  host       = retrieve_account_console_url(),
  account_id = retrieve_account_id()
)
# ...

For workspace-level operations, for default authentication:

from databricks.sdk import WorkspaceClient

w = WorkspaceClient()
# ...

For direct configuration (replace the retrieve placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn:

from databricks.sdk import WorkspaceClient

w = WorkspaceClient(host = retrieve_workspace_url())
# ...

For more information about authenticating with Databricks tools and SDKs that use Python and that implement Databricks client unified authentication, see:

Java

For account-level operations, for default authentication:

import com.databricks.sdk.AccountClient;
// ...
AccountClient a = new AccountClient();
// ...

For direct configuration (replace the retrieve placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the Azure Databricks account console URL is https://accounts.databricks.azure.cn:

import com.databricks.sdk.AccountClient;
import com.databricks.sdk.core.DatabricksConfig;
// ...
DatabricksConfig cfg = new DatabricksConfig()
  .setHost(retrieveAccountConsoleUrl())
  .setAccountId(retrieveAccountId())
AccountClient a = new AccountClient(cfg);
// ...

For workspace-level operations, for default authentication:

import com.databricks.sdk.WorkspaceClient;
// ...
WorkspaceClient w = new WorkspaceClient();
// ...

For direct configuration (replace the retrieve placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn:

import com.databricks.sdk.WorkspaceClient;
import com.databricks.sdk.core.DatabricksConfig;
// ...
DatabricksConfig cfg = new DatabricksConfig()
  .setHost(retrieveWorkspaceUrl())
WorkspaceClient w = new WorkspaceClient(cfg);
// ...

For more information about authenticating with Databricks tools and SDKs that use Java and that implement Databricks client unified authentication, see:

Go

For account-level operations, for default authentication:

import (
  "github.com/databricks/databricks-sdk-go"
)
// ...
a := databricks.Must(databricks.NewAccountClient())
// ...

For direct configuration (replace the retrieve placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the Azure Databricks account console URL is https://accounts.databricks.azure.cn:

import (
  "github.com/databricks/databricks-sdk-go"
)
// ...
a := databricks.Must(databricks.NewAccountClient(&databricks.Config{
  Host:      retrieveAccountConsoleUrl(),
  AccountId: retrieveAccountId(),
}))
// ...

For workspace-level operations, for default authentication:

import (
  "github.com/databricks/databricks-sdk-go"
)
// ...
w := databricks.Must(databricks.NewWorkspaceClient())
// ...

For direct configuration (replace the retrieve placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn:

import (
  "github.com/databricks/databricks-sdk-go"
)
// ...
w := databricks.Must(databricks.NewWorkspaceClient(&databricks.Config{
  Host: retrieveWorkspaceUrl(),
}))
// ...

For more information about authenticating with Databricks tools and SDKs that use Go and that implement Databricks client unified authentication, see Authenticate the Databricks SDK for Go with your Azure Databricks account or workspace.