Azure CLI authentication
Azure CLI authentication uses the Azure CLI to authenticate the signed-in user.
Note
Azure Databricks managed service principals are managed directly within Azure Databricks. Microsoft Entra ID managed service principals are managed in Microsoft Entra ID, which requires additional permissions. Databricks recommends you use OAuth machine-to-machine (M2M) authentication with Azure Databricks managed service principals in most scenarios instead of Azure CLI authentication with Microsoft Entra ID service principals. However, Databricks recommends that you use Azure CLI authentication with Microsoft Entra ID service principals in cases where you must authenticate with Azure Databricks and other Azure resources at the same time.
To use OAuth M2M authentication with Azure Databricks managed service principals instead of Azure CLI authentication with Microsoft Entra ID service principals, skip this article and see Authenticate access to Azure Databricks with a service principal using OAuth (OAuth M2M).
To configure with Azure Databricks, you must do the following:
- Have the Azure CLI authentication installed locally.
- Use the Azure CLI to log in to Azure Databricks by running the
az login
command. See: - Set the following associated environment variables,
.databrickscfg
fields, Terraform fields, orConfig
fields:- The Azure Databricks host.
- For account operations, specify
https://accounts.databricks.azure.cn
. - For workspace operations, specify the per-workspace URL, for example
https://adb-1234567890123456.7.databricks.azure.cn
.
- For account operations, specify
- For account operations, the Azure Databricks account ID.
- The Azure Databricks host.
To perform Azure CLI authentication with Azure Databricks, integrate the following within your code, based on the participating tool or SDK:
Environment
To use environment variables for a specific Azure Databricks authentication type with a tool or SDK, see Authenticate access to Azure Databricks resources or the tool's or SDK's documentation. See also Environment variables and fields for client unified authentication and the Default methods for client unified authentication.
For account-level operations, set the following environment variables:
DATABRICKS_HOST
, set to the value of your Azure Databricks account console URL,https://accounts.databricks.azure.cn
.DATABRICKS_ACCOUNT_ID
For workspace-level operations, set the following environment variables:
DATABRICKS_HOST
, set to the value of your Azure Databricks per-workspace URL, for examplehttps://adb-1234567890123456.7.databricks.azure.cn
.
Profile
Create or identify an Azure Databricks configuration profile with the following fields in your .databrickscfg
file. If you create the profile, replace the placeholders with the appropriate values. To use the profile with a tool or SDK, see Authenticate access to Azure Databricks resources or the tool's or SDK's documentation. See also Environment variables and fields for client unified authentication and the Default methods for client unified authentication.
For account-level operations, set the following values in your .databrickscfg
file. In this case, the Azure Databricks account console URL is https://accounts.databricks.azure.cn
:
[<some-unique-configuration-profile-name>]
host = <account-console-url>
account_id = <account-id>
For workspace-level operations, set the following values in your .databrickscfg
file. In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn
:
[<some-unique-configuration-profile-name>]
host = <workspace-url>
CLI
For the Databricks CLI, do one of the following:
- Set the environment variables as specified in this article's "Environment" section.
- Set the values in your
.databrickscfg
file as specified in this article's "Profile" section.
Environment variables always take precedence over values in your .databrickscfg
file.
See also Azure CLI authentication.
Connect
Note
Azure CLI authentication is supported on the following Databricks Connect versions:
- For Python, Databricks Connect for Databricks Runtime 13.1 and above.
- For Scala, Databricks Connect for Databricks Runtime 13.3 LTS and above.
For Databricks Connect, you can do one of the following:
- Set the values in your
.databrickscfg
file for Azure Databricks workspace-level operations as specified in this article's "Profile" section. Also set thecluster_id
environment variable in your profile to your per-workspace URL, for examplehttps://adb-1234567890123456.7.databricks.azure.cn
. - Set the environment variables for Azure Databricks workspace-level operations as specified in this article's "Environment" section. Also set the
DATABRICKS_CLUSTER_ID
environment variable to your per-workspace URL, for examplehttps://adb-1234567890123456.7.databricks.azure.cn
.
Values in your .databrickscfg
file always take precedence over environment variables.
To initialize the Databricks Connect client with these environment variables or values in your .databrickscfg
file, see Compute configuration for Databricks Connect.
VS Code
For the Databricks extension for Visual Studio Code, do the following:
- In the Configuration pane, click Configure Databricks.
- In the Command Palette, for Databricks Host, enter your per-workspace URL, for example
https://adb-1234567890123456.7.databricks.azure.cn
, and then pressEnter
. - Select Azure CLI.
For more details, see Set up Azure CLI authentication.
Terraform
For account-level operations, for default authentication:
provider "databricks" {
alias = "accounts"
}
For direct configuration (replace the retrieve
placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as HashiCorp Vault. See also Vault Provider). In this case, the Azure Databricks account console URL is https://accounts.databricks.azure.cn
:
provider "databricks" {
alias = "accounts"
host = <retrieve-account-console-url>
account_id = <retrieve-account-id>
}
For workspace-level operations, for default authentication:
provider "databricks" {
alias = "workspace"
}
For direct configuration (replace the retrieve
placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as HashiCorp Vault. See also Vault Provider). In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn
:
provider "databricks" {
alias = "workspace"
host = <retrieve-workspace-url>
}
For more information about authenticating with the Databricks Terraform provider, see Authentication.
Python
For account-level operations, for default authentication:
from databricks.sdk import AccountClient
a = AccountClient()
# ...
For direct configuration (replace the retrieve
placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the Azure Databricks account console URL is https://accounts.databricks.azure.cn
:
from databricks.sdk import AccountClient
a = AccountClient(
host = retrieve_account_console_url(),
account_id = retrieve_account_id()
)
# ...
For workspace-level operations, for default authentication:
from databricks.sdk import WorkspaceClient
w = WorkspaceClient()
# ...
For direct configuration (replace the retrieve
placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn
:
from databricks.sdk import WorkspaceClient
w = WorkspaceClient(host = retrieve_workspace_url())
# ...
For more information about authenticating with Databricks tools and SDKs that use Python and that implement Databricks client unified authentication, see:
- Set up the Databricks Connect client for Python
- Authentication setup for the Databricks extension for Visual Studio Code
- Authenticate the Databricks SDK for Python with your Azure Databricks account or workspace
Java
For account-level operations, for default authentication:
import com.databricks.sdk.AccountClient;
// ...
AccountClient a = new AccountClient();
// ...
For direct configuration (replace the retrieve
placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the Azure Databricks account console URL is https://accounts.databricks.azure.cn
:
import com.databricks.sdk.AccountClient;
import com.databricks.sdk.core.DatabricksConfig;
// ...
DatabricksConfig cfg = new DatabricksConfig()
.setHost(retrieveAccountConsoleUrl())
.setAccountId(retrieveAccountId())
AccountClient a = new AccountClient(cfg);
// ...
For workspace-level operations, for default authentication:
import com.databricks.sdk.WorkspaceClient;
// ...
WorkspaceClient w = new WorkspaceClient();
// ...
For direct configuration (replace the retrieve
placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn
:
import com.databricks.sdk.WorkspaceClient;
import com.databricks.sdk.core.DatabricksConfig;
// ...
DatabricksConfig cfg = new DatabricksConfig()
.setHost(retrieveWorkspaceUrl())
WorkspaceClient w = new WorkspaceClient(cfg);
// ...
For more information about authenticating with Databricks tools and SDKs that use Java and that implement Databricks client unified authentication, see:
- Set up the Databricks Connect client for Scala (the Databricks Connect client for Scala uses the included Databricks SDK for Java for authentication)
- Authenticate the Databricks SDK for Java with your Azure Databricks account or workspace
Go
For account-level operations, for default authentication:
import (
"github.com/databricks/databricks-sdk-go"
)
// ...
a := databricks.Must(databricks.NewAccountClient())
// ...
For direct configuration (replace the retrieve
placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the Azure Databricks account console URL is https://accounts.databricks.azure.cn
:
import (
"github.com/databricks/databricks-sdk-go"
)
// ...
a := databricks.Must(databricks.NewAccountClient(&databricks.Config{
Host: retrieveAccountConsoleUrl(),
AccountId: retrieveAccountId(),
}))
// ...
For workspace-level operations, for default authentication:
import (
"github.com/databricks/databricks-sdk-go"
)
// ...
w := databricks.Must(databricks.NewWorkspaceClient())
// ...
For direct configuration (replace the retrieve
placeholders with your own implementation to retrieve the values from the console or some other configuration store, such as Azure KeyVault). In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn
:
import (
"github.com/databricks/databricks-sdk-go"
)
// ...
w := databricks.Must(databricks.NewWorkspaceClient(&databricks.Config{
Host: retrieveWorkspaceUrl(),
}))
// ...
For more information about authenticating with Databricks tools and SDKs that use Go and that implement Databricks client unified authentication, see Authenticate the Databricks SDK for Go with your Azure Databricks account or workspace.