Adding Service Principal to Access Databricks
Create a user group for the service principal
Go to the Admin Console page
Click Groups → Create Group
Enter a name for the group and click Create
After creating the group, go to the Entitlements section and enable “Databricks SQL access”
Go to the Edit group page (Admin Console → Groups → click the group name)
Save the group ID from the URL (URL pattern: accounts/groups/<groupId>)
Create a service principal
Before using the API to create a service principal, get an access token for calling the API. (Go to User Settings → Access tokens → Generate new token.)
Save the token for all API calls below. (Send it as the Bearer token in the Authorization header of each call.)
Create the service principal:
curl --location --request POST '<Databricks_Workspace_Endpoint>/api/2.0/preview/scim/v2/ServicePrincipals' \
  --header 'Authorization: Bearer <Access_Token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "displayName": "<Display_Name>",
    "entitlements": [
      {
        "value": "databricks-sql-access"
      }
    ],
    "groups": [
      {
        "value": "<Group_Id>"
      }
    ],
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"
    ]
  }'
Response sample
{
  "displayName": "<Display_Name>",
  "groups": [
    {
      "display": "service_principal",
      "type": "direct",
      "value": "<Group Id>",
      "$ref": "Groups/<Group Id>"
    }
  ],
  "id": "<Service_Principal_Id>",
  "entitlements": [
    {
      "value": "databricks-sql-access"
    }
  ],
  "applicationId": "<Application_Id>",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"
  ],
  "active": true
}
Create an access token for the service principal:
curl --location --request POST '<Databricks_Workspace_Endpoint>/api/2.0/token-management/on-behalf-of/tokens' \
  --header 'Authorization: Bearer <Access_Token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "application_id": "<Application_Id>",
    "comment": "<Any Comments>",
    "lifetime_seconds": 15552000
  }'
<Application_Id> is the applicationId value from the response returned when creating the service principal.
lifetime_seconds is the number of seconds the token is valid (preferred: 15552000, which is 180 days).
Sample response
{
  "token_value": "<Token_Value>",
  "token_info": {
    "token_id": "<Token_Id>",
    "creation_time": 1666291396808,
    "expiry_time": 1668883396808,
    "comment": "<Comments In Create API>",
    "created_by_id": <Creator_User_Id>,
    "created_by_username": "<Creator_Username>",
    "owner_id": <Owner_Id>
  }
}
Save the Token_Value; it will be used to set up the Databricks connection in Savant.
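An added example (not part of the original page, and not Databricks or Savant code): a Python check that reads the token-creation response shown above, compares the lifetime actually granted with the lifetime_seconds that was requested, and returns a summary that is safe to log because it leaves out the token value. The response body is constructed in the shape of the sample above (only the two timestamps are copied from it), and summarize_token with its parameters is a hypothetical helper.

```python
import json
from datetime import datetime, timezone

MS_PER_DAY = 86_400_000

# Constructed sample in the shape of the token-creation response above.
# Only creation_time and expiry_time come from the page; the rest is made up.
SAMPLE_RESPONSE = json.dumps({
    "token_value": "constructed-secret-value",
    "token_info": {
        "token_id": "constructed-token-id",
        "creation_time": 1666291396808,
        "expiry_time": 1668883396808,
        "comment": "savant connection",
        "created_by_id": 1001,
        "created_by_username": "admin@example.com",
        "owner_id": 2002,
    },
})


def summarize_token(response_text, requested_lifetime_seconds, now_ms, rotate_before_days=14):
    """Return a log-safe summary of a token-creation response (hypothetical helper).

    creation_time and expiry_time are epoch milliseconds. The summary never
    contains token_value, so it can be written to logs or a ticket.
    """
    body = json.loads(response_text)
    info = body["token_info"]
    granted_seconds = (info["expiry_time"] - info["creation_time"]) // 1000
    remaining_days = (info["expiry_time"] - now_ms) / MS_PER_DAY
    expires = datetime.fromtimestamp(info["expiry_time"] // 1000, tz=timezone.utc)
    return {
        "token_id": info["token_id"],
        "owner_id": info["owner_id"],
        "expires_utc": expires.isoformat(),
        "granted_days": granted_seconds / 86400,
        # False means the workspace issued a different lifetime than requested.
        "matches_request": granted_seconds == requested_lifetime_seconds,
        # True once the token is inside the rotation window (or already expired).
        "rotate_now": remaining_days <= rotate_before_days,
        "secret_present": bool(body.get("token_value")),
    }


if __name__ == "__main__":
    now_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
    print(json.dumps(summarize_token(SAMPLE_RESPONSE, 15552000, now_ms), indent=2))
```

With the two timestamps from the sample response above, granted_days is 30, so matches_request is False when compared against a 15552000-second request.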
Give permission to a service principal to use tokens
Use SQL view
Go to Data Explorer → Select Catalog & Schema → Permissions → Click Grant
Select Service Principal as the user
Grant permissions. Minimum set for reading: SELECT, READ_METADATA, USAGE. Minimum set for use as a destination: the reading set plus MODIFY, CREATE.
In the SQL editor, grant the file SELECT permission to the service principal account:
GRANT SELECT ON ANY FILE TO `<Service Principal Id>`;
Set up the Databricks data connection in Savant
Use SQL view
Go to SQL Warehouses → select the warehouse → Connection details
Copy the info on this page to the corresponding column in Savant, and use the Token_Value to authenticate.
Connection Info
Select the SQL Warehouses tab from the side panel and choose the desired warehouse.
Select the Connection Details tab to view connection info.
These details will be used to create database authentication along with email and access token.