Databricks

Databricks Service Principals for Practice and Exams: Machine Accounts, Automation, Delegated Permissions

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

Are your production jobs and CI/CD pipelines still authenticating with "somebody's personal account"? When that engineer leaves, their token is revoked and every pipeline depending on it grinds to a halt — this is a real incident that happens at many organizations.Service Principals solve this problem by acting as machine-only identities. They are used by applications, automation processes, and CI/CD tools — not humans — to call the Databricks API.

This article walks through everything you need from both practical and exam perspectives (Data Engineer Associate / Professional): creating Service Principals, OAuth M2M authentication, granting Unity Catalog permissions, CI/CD integration, and how they compare to PATs.

What is a Service Principal?

A Service Principal is a non-human security principal managed at the Databricks account level. Just like a human user, it can be granted permissions via Unity Catalog GRANT/REVOKE, and its operations are recorded in the audit logs. The main differences from human users are:

  • No interactive login (UI/SSO). Authenticates only via API.
  • Identified by an Application ID, not a personal email address.
  • Not affected by people leaving or moving teams. Eliminates the risk of pipelines stopping due to HR changes.
  • Makes it easy to apply the principle of least privilege — scope permissions only to the tables and jobs that are actually needed.

How to Create a Service Principal

There are three ways to create a Service Principal. Choose based on the size of your environment and operational policy.

Method 1: Databricks UI (Admin Console)

Account Console → User Management → Service Principals → Add service principal. Best suited for small environments and initial validation. You can also assign the SP to workspaces from the UI.

Method 2: SCIM API (Programmatic)

# Create a Service Principal via the SCIM API
curl -X POST "https://accounts.cloud.databricks.com/api/2.0/accounts/<account_id>/scim/v2/ServicePrincipals" \
  -H "Authorization: Bearer <admin_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "displayName": "cicd-pipeline-sp",
    "entitlements": [
      { "value": "workspace-access" }
    ]
  }'

# Extract applicationId from the response
# → "applicationId": "12345678-abcd-efgh-ijkl-123456789012"

Method 3: Terraform (IaC-Managed)

resource "databricks_service_principal" "cicd_sp" {
  display_name = "cicd-pipeline-sp"
}

resource "databricks_service_principal_role" "cicd_sp_role" {
  service_principal_id = databricks_service_principal.cicd_sp.id
  role                 = "roles/workspace.user"
}

# Assign the SP to a workspace
resource "databricks_mws_permission_assignment" "cicd_ws" {
  workspace_id = var.workspace_id
  principal_id = databricks_service_principal.cicd_sp.id
  permissions  = ["USER"]
}

Terraform is the most recommended approach for managing Service Principals in production. Creation, permission grants, and workspace assignment are all managed as code, with full change history tracked in Git.

OAuth M2M Token Acquisition Flow

For Service Principals calling the Databricks API, OAuth Machine-to-Machine (M2M) is the recommended authentication method. It is based on the OAuth 2.0 Client Credentials Grant flow.

# Step 1: Generate a secret for the Service Principal (Account Console or API)
# → Client ID: <application_id>
# → Client Secret: <generated_secret>

# Step 2: Request a token from the OAuth token endpoint
curl -X POST "https://<workspace_url>/oidc/v1/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=<application_id>" \
  -d "client_secret=<generated_secret>" \
  -d "scope=all-apis"

# Step 3: Use the access_token from the response for API calls
# {
#   "access_token": "eyJhbGciOiJSUzI1NiIs...",
#   "token_type": "Bearer",
#   "expires_in": 3600
# }

# Step 4: Call the API with the acquired token
curl -X GET "https://<workspace_url>/api/2.0/clusters/list" \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."

OAuth M2M tokens have a built-in expiration (1 hour by default) and must be re-acquired when they expire. This avoids the risk of holding long-lived tokens like PATs and provides a significant security advantage.

Granting Unity Catalog Permissions

Granting Unity Catalog permissions to a Service Principal uses the same GRANT statements as for human users. Following the principle of least privilege, grant SELECT/MODIFY only on the tables the job actually accesses.

-- Grant least-privilege permissions to an ETL job SP
GRANT USAGE ON CATALOG production TO `cicd-pipeline-sp`;
GRANT USAGE ON SCHEMA production.sales TO `cicd-pipeline-sp`;
GRANT SELECT ON TABLE production.sales.raw_orders TO `cicd-pipeline-sp`;
GRANT MODIFY ON TABLE production.sales.cleaned_orders TO `cicd-pipeline-sp`;

-- Permission to create new tables in the schema
GRANT CREATE TABLE ON SCHEMA production.sales TO `cicd-pipeline-sp`;

-- Verify granted permissions
SHOW GRANTS TO `cicd-pipeline-sp`;

CI/CD Integration (GitHub Actions Example)

An example of triggering a Databricks job from GitHub Actions. Store the Service Principal's Client ID and Client Secret in GitHub Secrets, and acquire an OAuth token inside the workflow.

# .github/workflows/deploy-databricks-job.yml
name: Deploy Databricks Job
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Databricks CLI
        run: pip install databricks-cli
      - name: Configure Databricks Auth
        env:
          DATABRICKS_HOST: ${{ secrets.DATABRICKS_HOST }}
          DATABRICKS_CLIENT_ID: ${{ secrets.SP_CLIENT_ID }}
          DATABRICKS_CLIENT_SECRET: ${{ secrets.SP_CLIENT_SECRET }}
        run: |
          databricks configure --host $DATABRICKS_HOST \
            --client-id $DATABRICKS_CLIENT_ID \
            --client-secret $DATABRICKS_CLIENT_SECRET
      - name: Deploy Job
        run: databricks jobs create --json @job-definition.json

PAT vs OAuth M2M Comparison

CriterionPersonal Access Token (PAT)OAuth M2M (Service Principal)
Bound toA human user accountA Service Principal (machine identity)
ExpirationCan be set to never expire (high risk)Tokens expire quickly (1 hour by default)
Permission scopeInherits all of the user's permissionsCan be restricted to least privilege via GRANT/REVOKE
When the person leaves or moves teamsDisabling the user revokes the token, breaking any automation that depends on itUnaffected by HR changes
AuditabilityOnly recorded as 'User A's PAT'Operations are recorded under the Service Principal's name
Recommended usePersonal development and temporary manual tasksCI/CD, jobs, automation, and production operations
Management overheadToken management is fragmented per userCentrally managed via Terraform/SCIM

Least-Privilege Design Best Practices

  • Separate Service Principals by purpose: create dedicated SPs for ETL, model serving, CI/CD, etc., and grant each only the minimum permissions it needs.
  • Do not use ALL PRIVILEGES: granting ALL PRIVILEGES for convenience dramatically widens the blast radius if the SP's credentials are ever leaked.
  • Do not use PATs for production automation: restrict PATs to personal development and debugging, and use OAuth M2M for automation.
  • Store Client Secrets in a secret store: store them in Databricks Secret Scope or a cloud secret manager (AWS Secrets Manager / Azure Key Vault). Never hard-code them in source or CI/CD configuration.
  • Periodic review: periodically review Service Principals and their permissions, and disable any SPs that are no longer in use.

Exam Focus Areas

Service Principals are an important topic on both Data Engineer Associate and Professional exams. Lock in these patterns:

  • "How do you securely call the Databricks API from a CI/CD pipeline?" → Service Principal + OAuth M2M
  • "How do you prevent jobs from breaking when an engineer leaves?" → Use a Service Principal instead of a PAT
  • "Which principal is specified for a job cluster in Single User mode?" → The job owner or a Service Principal
  • "How do you allow a Service Principal to access a table?" → GRANT USAGE + GRANT SELECT

Check Your Understanding

Data Engineer / Security

問題 1

A production ETL job authenticates with Data Engineer A's Personal Access Token (PAT). What should the administrator do to keep the job running reliably after Engineer A leaves the company?

  1. Hand Engineer A's PAT off to another team member and reissue the token under that member's name
  2. Create a Service Principal, switch the job's authentication to OAuth M2M tokens, and GRANT the minimum required Unity Catalog permissions
  3. Keep Engineer A's account active after they leave and set the PAT to never expire
  4. Remove authentication from the job and change the cluster Access Mode to No Isolation Shared Mode to run without authentication

正解: B

A Service Principal is a machine-only identity that does not depend on any human user, so it is unaffected when employees leave. OAuth M2M tokens are more secure than PATs because they expire quickly, and GRANT/REVOKE lets you scope to least privilege. Option A is itself a security problem (audit logs end up attributing actions to the wrong subject). Option C — keeping a former employee's account active — is a compliance violation. Option D's No Isolation Shared Mode is not compatible with Unity Catalog, and running with no authentication is never acceptable from a security standpoint.

Frequently Asked Questions

What is the difference between a Service Principal and a Personal Access Token (PAT)?

A PAT is an authentication token tied to a human user account that inherits all of that user's permissions. A Service Principal is an application-only identity that can be scoped to least-privilege permissions via GRANT/REVOKE. PATs must be revoked when the user leaves the organization and make it hard to attribute who used the token. Service Principal + OAuth M2M tokens are recommended for CI/CD and job automation.

What permissions are required to create a Service Principal?

Creating a Service Principal at the Databricks account level requires Account Admin privileges. Adding one to a workspace requires Workspace Admin. Programmatic creation via SCIM API requires the same admin privileges. Automated provisioning with the Terraform databricks_service_principal resource is also possible; in that case, the Service Principal that runs Terraform itself must have Account Admin privileges.

Can a single Service Principal be shared across multiple workspaces?

Yes. Service Principals are created at the account level and can be assigned to any workspaces that need them. For example, you can add a single CI/CD Service Principal to dev, staging, and prod workspaces and grant different permissions per workspace. Unity Catalog permissions are granted at the metastore level, so cross-workspace data access control is also centrally managed.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Databricks

Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)

Complete guide to all 7 Databricks certifications — Data Eng...

Databricks

Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)

Every Databricks certification ranked by difficulty, with st...

Databricks

Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)

How to pass Databricks certifications efficiently. Official ...

Databricks

Databricks Data Engineer Associate: Complete Guide (2026)

Domain-by-domain breakdown of the Databricks Certified Data ...

Databricks

Databricks Data Engineer Professional: Complete Guide (2026)

Tactics for the Databricks Certified Data Engineer Professio...

Browse all Databricks articles (110)
© 2026 NicheeLab All rights reserved.