Skip to main content
All CollectionsSystem Setup Guides
Databricks Connection Setup
Databricks Connection Setup
Updated over a week ago

Adding Service Principal to Access Databricks

  • Create a user group for the service principal

    • Go to Admin Console page

    • Click Groups → Create Group

  • Put a name for the group and click create

  • After creating the group, go to Entitlements section, and enable “Databricks SQL access”

  • Go to Edit group page (Admin Console → Groups → click group name)

  • Save the group id in Url (Url pattern: accounts/groups/<groupId>)

  • Create a service principal

    • Before using API to create a service principal, get AccessToken for calling the API. (Go to User Setting → Access tokens → Generate new token

  • Save the token for all API calls below. (Set for Bearer token for API call)

  • Create Service Principle

    • curl --location --request POST '<Databricks_Workspace_Endpoint>/api/2.0/preview/scim/v2/ServicePrincipals' \
      --header 'Authorization: Bearer <Access_Token>' \
      --header 'Content-Type: application/json' \
      --data-raw '{
      "displayName": "<Display_Name>",
      "entitlements": [
      {
      "value": "databricks-sql-access"
      }
      ],
      "groups": [
      {
      "value": "<Group_Id>"
      }
      ],
      "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"
      ]
      }'

  • Response sample

    • {
      "displayName": ""<Display_Name>",
      "groups": [
      {
      "display": "service_principal",
      "type": "direct",
      "value": "<Group Id>",
      "$ref": "Groups/<Group Id>"
      }
      ],
      "id": "<Service_Principal_Id>",
      "entitlements": [
      {
      "value": "databricks-sql-access"
      }
      ],
      "applicationId": "<Application_Id>",
      "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"
      ],
      "active": true
      }

  • Create an Access token for Service Principal:

    • curl --location --request POST '<Databricks_Workspace_Endpoint>/api/2.0/token-management/on-behalf-of/tokens' \
      --header 'Authorization: Bearer <Access_Token>' \
      --header 'Content-Type: application/json' \
      --data-raw '{
      "application_id": "<Application_Id>",
      "comment": "<Any Comments>",
      "lifetime_seconds": 15552000
      }'

    • <Application_Id> is from the response when creating a service principal.

    • lifetime_seconds is the seconds this token is valid (Preferred 15552000 is 180 days)

    • Sample response

    • {
      "token_value": "<Token_Value>",
      "token_info": {
      "token_id": "<Token_Id>",
      "creation_time": 1666291396808,
      "expiry_time": 1668883396808,
      "comment": "<Comments In Create API>",
      "created_by_id": <Creator_User_Id>,
      "created_by_username": "[email protected]",
      "owner_id": <Owner_Id>
      }
      }

    • Save the Token_Value, this will be used to setup Databricks connection in Savant.

  • Give permission to a service principal to use tokens

    • Use SQL view

    • Go to Data Explorer → Select Catalog & Schema → Permissions → Click Grant

  • Select Service Principal as the user

  • Grant permission. (Minimum set for reading:<`SELECT, READ_METADATA, USAGE`>, Minimum set as destination reading + <`MODIFY, CREATE`>)

  • In SQL editor grant file select permission to Service Principal account

    • GRANT SELECT ON ANY FILE TO <Service Principal Id>

Setup Databricks data connection in Savant

  • Use SQL view

  • Go to SQL Warehouses → select the warehouse → Connection details

    • E.g.

  • Copy the info on this page to the corresponding column in Savant, and use the Token_Value to authenticate.

Connection Info

  • Select the SQL Warehouses tab from the side panel and choose the desired warehouse.

  • Select the Connection Details tab to view connection info.

  • These details will be used to create database authentication along with email and access token.


Did this answer your question?