This reference lists environment variables and configuration fields for Databricks unified authentication. They work consistently across the Databricks CLI, Terraform provider, and SDKs for Python, Java, and Go.
Use this reference to set up authentication or troubleshoot authentication issues. Each entry includes:
- Environment variable: Set this in your shell environment.
.databrickscfgfield: Use this in configuration profiles.- Terraform field: Configure this in your Terraform provider block. See Authentication in the Databricks Terraform provider documentation.
Configfield: Use this when configuring SDKs programmatically with theConfigAPI.
General configuration fields
These variables configure basic connection and compute settings for Databricks.
| Common name | Description | Environment variable | .databrickscfg field, Terraform field |
Config field |
|---|---|---|---|---|
| Azure Databricks host | (String) The Azure Databricks host URL for either the Azure Databricks workspace endpoint or the Azure Databricks accounts endpoint. | DATABRICKS_HOST |
host |
host (Python)setHost (Java)Host (Go) |
| Azure Databricks token | (String) The Azure Databricks personal access token or Microsoft Entra ID token. | DATABRICKS_TOKEN |
token |
token (Python)setToken (Java)Token (Go) |
| Azure Databricks account ID | (String) The Azure Databricks account ID for the Azure Databricks account endpoint. Only has effect when the Azure Databricks host is also set to https://accounts.databricks.azure.cn. |
DATABRICKS_ACCOUNT_ID |
account_id |
account_id (Python)setAccountID (Java)AccountID (Go) |
| Cluster ID | (String) The ID of the cluster to use | DATABRICKS_CLUSTER_ID |
cluster_id |
cluster_id |
| Common name | Description | Environment variable | .databrickscfg field, Terraform field |
Config field |
|---|---|---|---|---|
| Azure client ID | (String) The Microsoft Entra ID service principal's application ID. Use with Azure managed identities authentication and Microsoft Entra ID service principal authentication. | ARM_CLIENT_ID |
azure_client_id |
azure_client_id (Python)setAzureClientID (Java)AzureClientID (Go) |
| Azure client secret | (String) The Microsoft Entra ID service principal's client secret. Use with a Microsoft Entra ID service principal authentication. | ARM_CLIENT_SECRET |
azure_client_secret |
azure_client_secret (Python)setAzureClientSecret (Java)AzureClientSecret (Go) |
| Client ID | (String) The client ID of the Azure Databricks managed service principal or Microsoft Entra ID managed service principal. Use with OAuth M2M authentication. | DATABRICKS_CLIENT_ID |
client_id |
client_id (Python)setClientId (Java)ClientId (Go) |
| Client secret | (String) The client secret of the Azure Databricks managed service principal or Microsoft Entra ID managed service principal. Use with OAuth M2M authentication. | DATABRICKS_CLIENT_SECRET |
client_secret |
client_secret (Python)setClientSecret (Java)ClientSecret (Go) |
| Azure environment | (String) The Azure environment type. Defaults to PUBLIC. |
ARM_ENVIRONMENT |
azure_environment |
azure_environment (Python)setAzureEnvironment (Java)AzureEnvironment (Go) |
| Azure tenant ID | (String) The Microsoft Entra ID service principal's tenant ID. | ARM_TENANT_ID |
azure_tenant_id |
azure_tenant_id (Python)setAzureTenantID (Java)AzureTenantID (Go) |
| Azure use MSI | (Boolean) True to use Azure Managed Service Identity passwordless authentication flow for service principals. Requires the Azure resource ID to also be set. | ARM_USE_MSI |
azure_use_msi |
AzureUseMSI (Go) |
| Azure resource ID | (String) The Azure Resource Manager ID for the Azure Databricks workspace. | DATABRICKS_AZURE_RESOURCE_ID |
azure_workspace_resource_id |
azure_workspace_resource_id (Python)setAzureResourceID (Java)AzureResourceID (Go) |
.databrickscfg-specific fields
Use these environment variables or fields to specify non-default settings for .databrickscfg. See also Azure Databricks configuration profiles.
| Common name | Description | Environment variable | Terraform field | Config field |
|---|---|---|---|---|
.databrickscfg file path |
(String) A non-default path to the .databrickscfg file. |
DATABRICKS_CONFIG_FILE |
config_file |
config_file (Python)setConfigFile (Java)ConfigFile (Go) |
.databrickscfg default profile |
(String) The default named profile to use, other than DEFAULT. |
DATABRICKS_CONFIG_PROFILE |
profile |
profile (Python)setProfile (Java)Profile (Go) |
Authentication fields
Use these environment variables or fields to enforce a specific type of Databricks authentication.
| Common name | Description | Environment variable | Terraform field | Config field |
|---|---|---|---|---|
| Databricks authentication type | (String) When multiple authentication attributes are available in the environment, use the authentication type specified by this argument. See Supported authentication types. | DATABRICKS_AUTH_TYPE |
auth_type |
auth_type (Python)setAuthType (Java)AuthType (Go) |
| OIDC token environment variable | (String) The name of the environment variable that contains your IdP-issued OIDC token. Used with env-oidc authentication type. Defaults to DATABRICKS_OIDC_TOKEN. |
DATABRICKS_OIDC_TOKEN_ENV |
oidc_token_env |
oidc_token_env (Python)setOIDCTokenEnv (Java)OIDCTokenEnv (Go) |
| OIDC token file path | (String) The path to a local file that contains your IdP-issued OIDC token. Used with file-oidc authentication type. |
DATABRICKS_OIDC_TOKEN_FILEPATH |
oidc_token_filepath |
oidc_token_filepath (Python)setOIDCTokenFilepath (Java)OIDCTokenFilepath (Go) |
Supported authentication types
Supported Databricks authentication type field values include:
oauth-m2m: Use for machine-to-machine (M2M) authentication with a Databricks service principal through OAuth 2.0. See Authorize service principal access to Azure Databricks with OAuth.pat: Use if you authenticate with a Databricks personal access token. See Azure Databricks personal access token authentication (legacy).databricks-cli: Use if you're signing in interactively with the Databricks CLI and OAuth 2.0. See Authorize user access to Azure Databricks with OAuth.oidc-token: Use for token federation with an identity provider (IdP), where Databricks exchanges an IdP-issued OIDC token for a Databricks OAuth token. See Authenticate access to Azure Databricks using OAuth token federation.env-oidc: Use if your IdP token is stored in an environment variable (defaults toDATABRICKS_OIDC_TOKEN). See Authenticate access to Azure Databricks using OAuth token federation.file-oidc: Use if your IdP token is stored in a local file, referenced byDATABRICKS_OIDC_TOKEN_FILEPATH. See Authenticate access to Azure Databricks using OAuth token federation.github-oidc: Use for GitHub Actions federated authentication, where GitHub issues an OIDC token that Databricks exchanges for a Databricks OAuth token. For an example, see Enable workload identity federation in CI/CD.
azure-msi: Use if you're using an Azure Managed Service Identity (MSI). For more details, see Azure managed identities authentication.azure-client-secret: Use if you're using an Azure service principal with client secrets. For more details, see MS Entra service principal authentication.