Databricks

Databricks Workload Identity Federation Guide

2026-03-26
更新: 2026-03-27
NicheeLab Editorial Team

When a Databricks cluster needs to access an S3 bucket or ADLS Gen2 storage in a cloud environment, the traditional approach was to "hold a secret" — for example, an access key or an Instance Profile. Workload Identity Federation (WIF) uses the cloud provider's identity mechanisms to authenticate without holding any secret (keyless).

This article walks through the WIF concept, a comparison of how it is implemented on AWS, Azure, and GCP, the background of Instance Profile deprecation, and how WIF integrates with Unity Catalog.

Why Keyless Authentication Matters

Traditional cloud access methods each carry their own security risks.

Traditional methodHow it worksRisk
Access keys (AWS) / Service account keys (GCP)Store long-lived static keys in environment variables or secretsIf leaked, access lasts indefinitely; rotation overhead is also high
Instance Profile (AWS)Assign an IAM Role to an EC2 instanceThe same permissions apply to the entire cluster; fine-grained control is hard
Storage account keys (Azure)Use a shared key for the storage accountIf the key leaks, all data in the account becomes accessible

WIF structurally eliminates these risks by removing static secrets and authenticating with short-lived, identity-based credentials from the cloud provider.

WIF Implementation Compared Across Three Clouds

AspectAWSAzureGCP
WIF mechanismIAM Role + Trust Policy (OIDC Federation)Managed Identity / Federated CredentialWorkload Identity Federation (OIDC/SAML)
Where it is applied in DatabricksUnity Catalog Storage CredentialUnity Catalog Storage Credential / Access ConnectorUnity Catalog Storage Credential
Secret managementNot required (STS temporary tokens fetched automatically)Not required (Azure AD tokens fetched automatically)Not required (GCP tokens fetched automatically)
Traditional method (deprecated)Instance ProfileStorage account keysService account keys
GranularitySpecify an IAM Role per Storage CredentialSpecify a Managed Identity per Access ConnectorSpecify a service account per Storage Credential

WIF Setup Flow on AWS

On AWS, you configure a Trust Policy on an IAM Role so it trusts the Databricks OIDC provider.

  1. Create an IAM Role: Create an IAM Role that grants S3 bucket access permissions (GetObject/PutObject/DeleteObject/ListBucket)
  2. Add Databricks to the Trust Policy: Configure a condition that trusts the OIDC provider ARN of your Databricks account
  3. Create a Storage Credential in Unity Catalog: Create the Storage Credential by specifying the IAM Role ARN
  4. Create an External Location: Create the External Location referencing the Storage Credential and pointing to an S3 path
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-xxxx"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<databricks-account-id>"
        }
      }
    }
  ]
}

WIF Setup Flow on Azure

On Azure, you use an Access Connector together with a Managed Identity.

  1. Create a Databricks Access Connector: Create the Access Connector resource via the Azure Portal or Terraform (a System-Assigned Managed Identity is provisioned automatically)
  2. Assign RBAC on the storage account: Assign the "Storage Blob Data Contributor" role to the Access Connector's Managed Identity
  3. Create a Storage Credential in Unity Catalog: Create the Storage Credential by specifying the Access Connector ID
  4. Create an External Location: Specify the ADLS path using the abfss:// scheme
# Terraform例: Access Connector
resource "azurerm_databricks_access_connector" "unity" {
  name                = "unity-catalog-connector"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location

  identity {
    type = "SystemAssigned"
  }
}

# ストレージアカウントへのRBAC割り当て
resource "azurerm_role_assignment" "storage_contributor" {
  scope                = azurerm_storage_account.datalake.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_databricks_access_connector.unity.identity[0].principal_id
}

WIF Setup Flow on GCP

On GCP, you configure a Workload Identity Pool and Provider to allow token exchange from Databricks.

  1. Create a service account: Create a GCP service account with access permissions on the target GCS bucket
  2. Create a Workload Identity Pool: Configure a Pool that trusts the Databricks OIDC provider
  3. Allow service account impersonation: Allow Pool members to obtain tokens for the service account
  4. Create a Storage Credential in Unity Catalog: Specify the service account's email

Background on Instance Profile Deprecation

Instance Profiles, long used on AWS, are being deprecated for the following reasons.

  • Coarse granularity: Instance Profiles apply the same IAM Role to the entire cluster, so fine-grained controls such as "can access table A but not table B" are not possible.
  • Not integrated with Unity Catalog: Instance Profiles are a cluster-level setting and operate independently of Unity Catalog's data governance (GRANT/REVOKE), which leads to duplicated permission management.
  • Risk on shared clusters: If you set an Instance Profile on a shared cluster, every user can access cloud resources with that IAM Role's permissions.
  • Operational complexity: Configuring and managing Instance Profiles per cluster carries a high operational burden.

With the Unity Catalog Storage Credential + External Location approach, data access permissions are integrated into the Unity Catalog permission model, enabling fine-grained control per user or group.

Integration with Unity Catalog

WIF is closely tied to the following Unity Catalog concepts.

Unity Catalog conceptRelationship with WIF
Storage CredentialAn object that wraps the IAM Role / Managed Identity / service account used to access cloud storage
External LocationAn object that registers a cloud storage path bound to a Storage Credential
GRANT / REVOKEGrant READ_FILES / WRITE_FILES on an External Location per user or group

This setup integrates cloud storage access control into the Unity Catalog permission model and eliminates Instance Profile-style "shared cluster-wide permissions for everyone."

Key Points Tested on the Exam

  • "How do you access S3 without a secret?" → Workload Identity Federation (IAM Role + Trust Policy)
  • "What is the recommended replacement for Instance Profiles?" → Unity Catalog Storage Credential (WIF-based)
  • "What is the recommended Azure setup to access ADLS from Databricks?" → Access Connector + Managed Identity
  • "How do Storage Credential and External Location relate?" → Storage Credential handles cloud authentication; External Location binds it to a path

Check Your Understanding

Security & Governance

問題 1

In an AWS Databricks workspace, a data engineer wants to create an External Table that accesses Parquet files in an S3 bucket. The security team requires "no static access keys or secrets — only keyless authentication." Which configuration is appropriate?

  1. Configure a Databricks Trust Policy on an IAM Role with S3 access permissions, and register it as a Unity Catalog Storage Credential
  2. Store the S3 access keys in a Databricks Secret Scope and retrieve them from the notebook with dbutils.secrets.get
  3. Attach an Instance Profile to the cluster and access S3 with the IAM Role's permissions
  4. Allow public access via the S3 bucket policy and access it over HTTP

正解: A

Registering WIF (IAM Role + Trust Policy) as a Unity Catalog Storage Credential satisfies the keyless requirement of holding no secret. Storing access keys in a Secret Scope violates the "no static keys" rule. Instance Profiles are deprecated and lack fine-grained control. Public access is out of the question — it is not acceptable from a security standpoint.

Frequently Asked Questions

What is the difference between Workload Identity Federation and OAuth M2M?

OAuth M2M uses a Client ID and Client Secret issued by Databricks itself to authenticate against the Databricks token endpoint. Workload Identity Federation (WIF) authenticates to Databricks using short-lived credentials from a cloud provider (AWS IAM Role, Azure Managed Identity, GCP WIF Token), so you do not need to store any secret (Client Secret) on the Databricks side. OAuth M2M authenticates with a Databricks-issued secret, while WIF authenticates with a cloud identity — that is the fundamental difference.

Will Instance Profiles become unusable in the future?

Instance Profiles, used in AWS environments to grant clusters access to cloud resources, will continue to be supported but are being deprecated. Since 2024, Databricks has recommended managing permissions through Unity Catalog Storage Credentials and External Locations instead of Instance Profiles. Storage Credentials use WIF-based IAM Roles and enable finer-grained access control than Instance Profiles. For new setups, avoid Instance Profiles and migrate to access control via Unity Catalog.

How is WIF tested in Databricks certification exams?

It appears in the security domain of the Data Engineer Professional exam. Common question patterns are: how to access cloud resources without holding any secret, the recommended replacement for Instance Profiles, and authentication design for multi-cloud environments. Questions rarely ask about the specific setup steps in each of the three clouds — they test understanding of the WIF concept (keyless authentication) and how it differs from Instance Profiles.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Databricks

Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)

Complete guide to all 7 Databricks certifications — Data Eng...

Databricks

Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)

Every Databricks certification ranked by difficulty, with st...

Databricks

Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)

How to pass Databricks certifications efficiently. Official ...

Databricks

Databricks Data Engineer Associate: Complete Guide (2026)

Domain-by-domain breakdown of the Databricks Certified Data ...

Databricks

Databricks Data Engineer Professional: Complete Guide (2026)

Tactics for the Databricks Certified Data Engineer Professio...

Browse all Databricks articles (110)
© 2026 NicheeLab All rights reserved.