Are your production jobs and CI/CD pipelines still authenticating with "somebody's personal account"? When that engineer leaves, their token is revoked and every pipeline depending on it grinds to a halt — this is a real incident that happens at many organizations.Service Principals solve this problem by acting as machine-only identities. They are used by applications, automation processes, and CI/CD tools — not humans — to call the Databricks API.
This article walks through everything you need from both practical and exam perspectives (Data Engineer Associate / Professional): creating Service Principals, OAuth M2M authentication, granting Unity Catalog permissions, CI/CD integration, and how they compare to PATs.
A Service Principal is a non-human security principal managed at the Databricks account level. Just like a human user, it can be granted permissions via Unity Catalog GRANT/REVOKE, and its operations are recorded in the audit logs. The main differences from human users are:
There are three ways to create a Service Principal. Choose based on the size of your environment and operational policy.
Account Console → User Management → Service Principals → Add service principal. Best suited for small environments and initial validation. You can also assign the SP to workspaces from the UI.
# Create a Service Principal via the SCIM API
curl -X POST "https://accounts.cloud.databricks.com/api/2.0/accounts/<account_id>/scim/v2/ServicePrincipals" \
-H "Authorization: Bearer <admin_token>" \
-H "Content-Type: application/json" \
-d '{
"displayName": "cicd-pipeline-sp",
"entitlements": [
{ "value": "workspace-access" }
]
}'
# Extract applicationId from the response
# → "applicationId": "12345678-abcd-efgh-ijkl-123456789012"resource "databricks_service_principal" "cicd_sp" {
display_name = "cicd-pipeline-sp"
}
resource "databricks_service_principal_role" "cicd_sp_role" {
service_principal_id = databricks_service_principal.cicd_sp.id
role = "roles/workspace.user"
}
# Assign the SP to a workspace
resource "databricks_mws_permission_assignment" "cicd_ws" {
workspace_id = var.workspace_id
principal_id = databricks_service_principal.cicd_sp.id
permissions = ["USER"]
}Terraform is the most recommended approach for managing Service Principals in production. Creation, permission grants, and workspace assignment are all managed as code, with full change history tracked in Git.
For Service Principals calling the Databricks API, OAuth Machine-to-Machine (M2M) is the recommended authentication method. It is based on the OAuth 2.0 Client Credentials Grant flow.
# Step 1: Generate a secret for the Service Principal (Account Console or API)
# → Client ID: <application_id>
# → Client Secret: <generated_secret>
# Step 2: Request a token from the OAuth token endpoint
curl -X POST "https://<workspace_url>/oidc/v1/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=<application_id>" \
-d "client_secret=<generated_secret>" \
-d "scope=all-apis"
# Step 3: Use the access_token from the response for API calls
# {
# "access_token": "eyJhbGciOiJSUzI1NiIs...",
# "token_type": "Bearer",
# "expires_in": 3600
# }
# Step 4: Call the API with the acquired token
curl -X GET "https://<workspace_url>/api/2.0/clusters/list" \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."OAuth M2M tokens have a built-in expiration (1 hour by default) and must be re-acquired when they expire. This avoids the risk of holding long-lived tokens like PATs and provides a significant security advantage.
Granting Unity Catalog permissions to a Service Principal uses the same GRANT statements as for human users. Following the principle of least privilege, grant SELECT/MODIFY only on the tables the job actually accesses.
-- Grant least-privilege permissions to an ETL job SP
GRANT USAGE ON CATALOG production TO `cicd-pipeline-sp`;
GRANT USAGE ON SCHEMA production.sales TO `cicd-pipeline-sp`;
GRANT SELECT ON TABLE production.sales.raw_orders TO `cicd-pipeline-sp`;
GRANT MODIFY ON TABLE production.sales.cleaned_orders TO `cicd-pipeline-sp`;
-- Permission to create new tables in the schema
GRANT CREATE TABLE ON SCHEMA production.sales TO `cicd-pipeline-sp`;
-- Verify granted permissions
SHOW GRANTS TO `cicd-pipeline-sp`;An example of triggering a Databricks job from GitHub Actions. Store the Service Principal's Client ID and Client Secret in GitHub Secrets, and acquire an OAuth token inside the workflow.
# .github/workflows/deploy-databricks-job.yml
name: Deploy Databricks Job
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Databricks CLI
run: pip install databricks-cli
- name: Configure Databricks Auth
env:
DATABRICKS_HOST: ${{ secrets.DATABRICKS_HOST }}
DATABRICKS_CLIENT_ID: ${{ secrets.SP_CLIENT_ID }}
DATABRICKS_CLIENT_SECRET: ${{ secrets.SP_CLIENT_SECRET }}
run: |
databricks configure --host $DATABRICKS_HOST \
--client-id $DATABRICKS_CLIENT_ID \
--client-secret $DATABRICKS_CLIENT_SECRET
- name: Deploy Job
run: databricks jobs create --json @job-definition.json| Criterion | Personal Access Token (PAT) | OAuth M2M (Service Principal) |
|---|---|---|
| Bound to | A human user account | A Service Principal (machine identity) |
| Expiration | Can be set to never expire (high risk) | Tokens expire quickly (1 hour by default) |
| Permission scope | Inherits all of the user's permissions | Can be restricted to least privilege via GRANT/REVOKE |
| When the person leaves or moves teams | Disabling the user revokes the token, breaking any automation that depends on it | Unaffected by HR changes |
| Auditability | Only recorded as 'User A's PAT' | Operations are recorded under the Service Principal's name |
| Recommended use | Personal development and temporary manual tasks | CI/CD, jobs, automation, and production operations |
| Management overhead | Token management is fragmented per user | Centrally managed via Terraform/SCIM |
Service Principals are an important topic on both Data Engineer Associate and Professional exams. Lock in these patterns:
Data Engineer / Security
問題 1
A production ETL job authenticates with Data Engineer A's Personal Access Token (PAT). What should the administrator do to keep the job running reliably after Engineer A leaves the company?
正解: B
A Service Principal is a machine-only identity that does not depend on any human user, so it is unaffected when employees leave. OAuth M2M tokens are more secure than PATs because they expire quickly, and GRANT/REVOKE lets you scope to least privilege. Option A is itself a security problem (audit logs end up attributing actions to the wrong subject). Option C — keeping a former employee's account active — is a compliance violation. Option D's No Isolation Shared Mode is not compatible with Unity Catalog, and running with no authentication is never acceptable from a security standpoint.
What is the difference between a Service Principal and a Personal Access Token (PAT)?
A PAT is an authentication token tied to a human user account that inherits all of that user's permissions. A Service Principal is an application-only identity that can be scoped to least-privilege permissions via GRANT/REVOKE. PATs must be revoked when the user leaves the organization and make it hard to attribute who used the token. Service Principal + OAuth M2M tokens are recommended for CI/CD and job automation.
What permissions are required to create a Service Principal?
Creating a Service Principal at the Databricks account level requires Account Admin privileges. Adding one to a workspace requires Workspace Admin. Programmatic creation via SCIM API requires the same admin privileges. Automated provisioning with the Terraform databricks_service_principal resource is also possible; in that case, the Service Principal that runs Terraform itself must have Account Admin privileges.
Can a single Service Principal be shared across multiple workspaces?
Yes. Service Principals are created at the account level and can be assigned to any workspaces that need them. For example, you can add a single CI/CD Service Principal to dev, staging, and prod workspaces and grant different permissions per workspace. Unity Catalog permissions are granted at the metastore level, so cross-workspace data access control is also centrally managed.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)
Complete guide to all 7 Databricks certifications — Data Eng...
Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)
Every Databricks certification ranked by difficulty, with st...
Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)
How to pass Databricks certifications efficiently. Official ...
Databricks Data Engineer Associate: Complete Guide (2026)
Domain-by-domain breakdown of the Databricks Certified Data ...
Databricks Data Engineer Professional: Complete Guide (2026)
Tactics for the Databricks Certified Data Engineer Professio...