Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure Databricks personal access tokens (PATs) let you authenticate to resources and APIs at the workspace level. You can store them in environment variables or Azure Databricks configuration profiles. Each PAT is valid for only one workspace, and a user can create up to 600 PATs per workspace. Azure Databricks automatically revokes PATs that haven't been used for 90 days.
Important
Username and password authentication (without tokens) reached end of life on July 10, 2024. Databricks strongly recommends using OAuth instead of PATs for user account authentication because OAuth provides stronger security. To learn how to authenticate with a Databricks user account using OAuth, see Authorize user access to Azure Databricks with OAuth.
You can't use personal access tokens to automate Azure Databricks account-level functionality. Instead, use the Microsoft Entra ID tokens of Azure Databricks account admins. Azure Databricks account admins can be users or service principals. For more information, see:
Create personal access tokens for workspace users
To create a personal access token for your Azure Databricks workspace user, do the following:
In your Azure Databricks workspace, click your username in the top bar and select Settings.
Click Developer.
Next to Access tokens, click Manage.
Click Generate new token.
Enter a comment that helps you to identify this token in the future.
Set the token's lifetime in days. See Set maximum lifetime of new personal access tokens.
Click Generate.
Copy the displayed token to a secure location, then click Done. Save the token securely and don't share it. If you lose it, you must create a new token.
If you can't create or use tokens, your workspace administrator might have disabled tokens or not granted you permission. See your workspace administrator or the following:
- Enable or disable personal access token authentication for the workspace
- Personal access token permissions
Create personal access tokens for service principals
A service principal can create personal access tokens for itself.
Run the following command to generate an access token:
databricks tokens create --lifetime-seconds <lifetime-seconds> -p <profile-name>Replace the following values:
<lifetime-seconds>: Token lifetime in seconds, such as 86400 for 1 day. Defaults to the workspace maximum (typically 730 days).<profile-name>: Configuration profile with authentication information. Defaults toDEFAULT.
Copy the
token_valuefrom the response, which is the access token for your service principal. Save the token securely and don't share it. If you lose it, you must create a new token.If you can't create or use tokens, your workspace administrator might have disabled tokens or not granted you permission. See your workspace administrator or the following:
Perform personal access token authentication
To configure Azure Databricks personal access token authentication, set the following associated environment variables, .databrickscfg fields, Terraform fields, or Config fields:
- The Azure Databricks host, specified as the target Azure Databricks per-workspace URL, for example
https://adb-1234567890123456.7.databricks.azure.cn. - The Azure Databricks personal access token for the Azure Databricks user account.
To perform Azure Databricks personal access token authentication, integrate the following within your code, based on the participating tool or SDK:
Environment
To use environment variables for a specific Azure Databricks authentication type with a tool or SDK, see Authorize access to Azure Databricks resources or the tool's or SDK's documentation. See also Environment variables and fields for unified authentication and the Authentication method priority.
Set the following environment variables:
DATABRICKS_HOST, set to the Azure Databricks per-workspace URL, for examplehttps://adb-1234567890123456.7.databricks.azure.cn.DATABRICKS_TOKEN, set to the token string.
Profile
Create or identify an Azure Databricks configuration profile with the following fields in your .databrickscfg file. If you create the profile, replace the placeholders with the appropriate values. To use the profile with a tool or SDK, see Authorize access to Azure Databricks resources or the tool's or SDK's documentation. See also Environment variables and fields for unified authentication and the Authentication method priority.
Set the following values in your .databrickscfg file. In this case, the host is the Azure Databricks per-workspace URL, for example https://adb-1234567890123456.7.databricks.azure.cn:
[<some-unique-configuration-profile-name>]
host = <workspace-url>
token = <token>
Instead of manually setting the values, you can use the Databricks CLI to set these values instead:
Note
The following procedure uses the Databricks CLI to create an Azure Databricks configuration profile with the name DEFAULT. If you already have a DEFAULT configuration profile, this procedure overwrites your existing DEFAULT configuration profile.
To check whether you already have a DEFAULT configuration profile, and to view this profile's settings if it exists, use the Databricks CLI to run the command databricks auth env --profile DEFAULT.
To create a configuration profile with a name other than DEFAULT, replace the DEFAULT part of --profile DEFAULT in the following databricks configure command with a different name for the configuration profile.
Use the Databricks CLI to create an Azure Databricks configuration profile named
DEFAULTthat uses Azure Databricks personal access token authentication. To do this, run the following command:databricks configure --profile DEFAULTFor the prompt Databricks Host, enter your Azure Databricks per-workspace URL, for example
https://adb-1234567890123456.7.databricks.azure.cn.For the prompt Personal Access Token, enter the Azure Databricks personal access token for your workspace.
CLI
For the Databricks CLI, run the databricks configure command. At the prompts, enter the following settings:
- The Azure Databricks host, specified as the target Azure Databricks per-workspace URL, for example
https://adb-1234567890123456.7.databricks.azure.cn. - The Azure Databricks personal access token for the Azure Databricks user account.
For more information, see Personal access token authentication (deprecated).
Connect
Note
Azure Databricks personal access token authentication is supported on the following Databricks Connect versions:
- For Python, Databricks Connect for Databricks Runtime 13.3 LTS and above.
- For Scala, Databricks Connect for Databricks Runtime 13.3 LTS and above.
For Databricks Connect, use the Databricks CLI to set the values in your .databrickscfg file, for Azure Databricks workspace-level operations as specified in the Profile section.
The following procedure creates an Azure Databricks configuration profile named DEFAULT, which overwrites any existing DEFAULT profile. To check if a DEFAULT profile exists, run databricks auth env --profile DEFAULT. If it exists, use a different profile name.
Run the following command to create an Azure Databricks configuration profile named
DEFAULTthat uses personal access token authentication.databricks configure --configure-cluster --profile DEFAULTFor the prompt Databricks Host, enter your Azure Databricks per-workspace URL, for example
https://adb-1234567890123456.7.databricks.azure.cn.For the prompt Personal Access Token, enter the personal access token for your workspace.
In the list of available clusters, select the target Azure Databricks cluster in your workspace. You can type any part of the cluster's display name to filter the list of available clusters.
Use the Azure Databricks REST API to issue personal access tokens
Azure Databricks provides a REST endpoint /api/2.0/token/create to issue PATs. See Create a user token for API details.
In the following example, set these values:
<databricks-instance>: Your Databricks workspace URL. For example,dbc-abcd1234-5678.cloud.databricks.com.<your-existing-access-token>: An existing valid PAT (string) that has permissions to create new tokens.<lifetime-seconds>: The token's lifetime in seconds.
curl -X POST https://<databricks-instance>/api/2.0/token/create \
-H "Authorization: Bearer <your-existing-access-token>" \
-H "Content-Type: application/json" \
-d '{
"lifetime_seconds": <lifetime-seconds>
}'
If successful, this results in a response payload similar to:
{
"access_token": "<your-newly-issued-pat>",
"token_type": "Bearer",
"expires_in": <the-duration-of-the-new-pat>
}
Provide the new token from the response in the Authorization header of subsequent calls to Databricks REST APIs. For example:
# This example uses a simple GET. For POST or other REST verbs, you may need to provide additional parameters.
curl -X GET "https://<databricks-instance>/api/2.0/<path-to-endpoint>" \
-H "Authorization: Bearer <your-new-pat>"
import requests
headers = {
'Authorization': 'Bearer <your-new-pat>'
}
# This example is for an HTTP GET operation.
response = requests.get('https://<databricks-instance>/api/2.0/<path-to-endpoint>', headers=headers)