When a Databricks cluster needs to access an S3 bucket or ADLS Gen2 storage in a cloud environment, the traditional approach was to "hold a secret" — for example, an access key or an Instance Profile. Workload Identity Federation (WIF) uses the cloud provider's identity mechanisms to authenticate without holding any secret (keyless).
This article walks through the WIF concept, a comparison of how it is implemented on AWS, Azure, and GCP, the background of Instance Profile deprecation, and how WIF integrates with Unity Catalog.
Traditional cloud access methods each carry their own security risks.
| Traditional method | How it works | Risk |
|---|---|---|
| Access keys (AWS) / Service account keys (GCP) | Store long-lived static keys in environment variables or secrets | If leaked, access lasts indefinitely; rotation overhead is also high |
| Instance Profile (AWS) | Assign an IAM Role to an EC2 instance | The same permissions apply to the entire cluster; fine-grained control is hard |
| Storage account keys (Azure) | Use a shared key for the storage account | If the key leaks, all data in the account becomes accessible |
WIF structurally eliminates these risks by removing static secrets and authenticating with short-lived, identity-based credentials from the cloud provider.
| Aspect | AWS | Azure | GCP |
|---|---|---|---|
| WIF mechanism | IAM Role + Trust Policy (OIDC Federation) | Managed Identity / Federated Credential | Workload Identity Federation (OIDC/SAML) |
| Where it is applied in Databricks | Unity Catalog Storage Credential | Unity Catalog Storage Credential / Access Connector | Unity Catalog Storage Credential |
| Secret management | Not required (STS temporary tokens fetched automatically) | Not required (Azure AD tokens fetched automatically) | Not required (GCP tokens fetched automatically) |
| Traditional method (deprecated) | Instance Profile | Storage account keys | Service account keys |
| Granularity | Specify an IAM Role per Storage Credential | Specify a Managed Identity per Access Connector | Specify a service account per Storage Credential |
On AWS, you configure a Trust Policy on an IAM Role so it trusts the Databricks OIDC provider.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-xxxx"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<databricks-account-id>"
}
}
}
]
}On Azure, you use an Access Connector together with a Managed Identity.
abfss:// scheme# Terraform例: Access Connector
resource "azurerm_databricks_access_connector" "unity" {
name = "unity-catalog-connector"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
identity {
type = "SystemAssigned"
}
}
# ストレージアカウントへのRBAC割り当て
resource "azurerm_role_assignment" "storage_contributor" {
scope = azurerm_storage_account.datalake.id
role_definition_name = "Storage Blob Data Contributor"
principal_id = azurerm_databricks_access_connector.unity.identity[0].principal_id
}On GCP, you configure a Workload Identity Pool and Provider to allow token exchange from Databricks.
Instance Profiles, long used on AWS, are being deprecated for the following reasons.
With the Unity Catalog Storage Credential + External Location approach, data access permissions are integrated into the Unity Catalog permission model, enabling fine-grained control per user or group.
WIF is closely tied to the following Unity Catalog concepts.
| Unity Catalog concept | Relationship with WIF |
|---|---|
| Storage Credential | An object that wraps the IAM Role / Managed Identity / service account used to access cloud storage |
| External Location | An object that registers a cloud storage path bound to a Storage Credential |
| GRANT / REVOKE | Grant READ_FILES / WRITE_FILES on an External Location per user or group |
This setup integrates cloud storage access control into the Unity Catalog permission model and eliminates Instance Profile-style "shared cluster-wide permissions for everyone."
Security & Governance
問題 1
In an AWS Databricks workspace, a data engineer wants to create an External Table that accesses Parquet files in an S3 bucket. The security team requires "no static access keys or secrets — only keyless authentication." Which configuration is appropriate?
正解: A
Registering WIF (IAM Role + Trust Policy) as a Unity Catalog Storage Credential satisfies the keyless requirement of holding no secret. Storing access keys in a Secret Scope violates the "no static keys" rule. Instance Profiles are deprecated and lack fine-grained control. Public access is out of the question — it is not acceptable from a security standpoint.
What is the difference between Workload Identity Federation and OAuth M2M?
OAuth M2M uses a Client ID and Client Secret issued by Databricks itself to authenticate against the Databricks token endpoint. Workload Identity Federation (WIF) authenticates to Databricks using short-lived credentials from a cloud provider (AWS IAM Role, Azure Managed Identity, GCP WIF Token), so you do not need to store any secret (Client Secret) on the Databricks side. OAuth M2M authenticates with a Databricks-issued secret, while WIF authenticates with a cloud identity — that is the fundamental difference.
Will Instance Profiles become unusable in the future?
Instance Profiles, used in AWS environments to grant clusters access to cloud resources, will continue to be supported but are being deprecated. Since 2024, Databricks has recommended managing permissions through Unity Catalog Storage Credentials and External Locations instead of Instance Profiles. Storage Credentials use WIF-based IAM Roles and enable finer-grained access control than Instance Profiles. For new setups, avoid Instance Profiles and migrate to access control via Unity Catalog.
How is WIF tested in Databricks certification exams?
It appears in the security domain of the Data Engineer Professional exam. Common question patterns are: how to access cloud resources without holding any secret, the recommended replacement for Instance Profiles, and authentication design for multi-cloud environments. Questions rarely ask about the specific setup steps in each of the three clouds — they test understanding of the WIF concept (keyless authentication) and how it differs from Instance Profiles.
Practice with certification-focused question sets
無料で問題を解いてみるNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Databricks Certifications: All 7 Exams, Difficulty & Study Plan (2026)
Complete guide to all 7 Databricks certifications — Data Eng...
Databricks Exam Difficulty Ranking: All 7 Certs Compared (2026)
Every Databricks certification ranked by difficulty, with st...
Databricks Study Guide: Fastest Pass Route & Time Estimates (2026)
How to pass Databricks certifications efficiently. Official ...
Databricks Data Engineer Associate: Complete Guide (2026)
Domain-by-domain breakdown of the Databricks Certified Data ...
Databricks Data Engineer Professional: Complete Guide (2026)
Tactics for the Databricks Certified Data Engineer Professio...