auth command group

Note

This information applies to Databricks CLI versions 0.205 and above. The Databricks CLI is in Public Preview.

Databricks CLI use is subject to the Databricks License and Databricks Privacy Notice, including any Usage Data provisions.

The auth command group within the Databricks CLI enables you to:

  • List any available authentication configuration profiles.

  • Get information about an individual authentication configuration profile.

  • Use OAuth user-to-machine (U2M) authentication to authenticate the Databricks CLI with your Databricks accounts and workspaces.

  • Get information about any OAuth access tokens that the Databricks CLI might have cached.

  • Get details about the configuration that the Databricks CLI is using to authenticate.

You run auth commands by appending them to databricks auth. To display help for the auth command, run databricks auth -h.

List configuration profiles

To get a list of all of your available configuration profiles and to check whether they are valid, run the auth profiles command, as follows:

databricks auth profiles

Output (the ellipses represent omitted content, for brevity):

Name            Host                Valid
DEFAULT         https://<host-url>  YES
<profile-name>  https://<host-url>  NO

To determine whether each profile is valid, the Databricks CLI runs a list workspaces command for each account-level profile and runs a get current user command for each workspace-level profile. If the command succeeds, a YES is displayed; otherwise, a NO displays.

The output of the auth profiles command does not display any access tokens. To display an access token, see Get information about a configuration profile.

Configuration profiles are stored in the file ~/.databrickscfg on Linux or macOS, or %USERPROFILE%\.databrickscfg on Windows by default. You can change the default path of this file by setting the environment variable DATABRICKS_CONFIG_FILE. To learn how to set environment variables, see your operating system’s documentation.

To create configuration profiles, see the configure command group.

Get information about a configuration profile

To get information about an existing configuration profile, run the auth env command, where <profile-name> represents the name of the profile, and <account-or-workspace-url> represents the Databricks account console URL or the Databricks workspace URL, as follows:

databricks auth env --profile <profile-name>

# Or:
databricks auth env --host <account-or-workspace-url>

Tip

You can press Tab after --profile or -p to display a list of existing available configuration profiles to choose from, instead of entering the configuration profile name manually.

For example, here is the output for a profile that is configured with Databricks access token authentication:

{
  "env": {
    "DATABRICKS_AUTH_TYPE": "pat",
    "DATABRICKS_CONFIG_PROFILE": "<profile-name>",
    "DATABRICKS_HOST": "<workspace-url>",
    "DATABRICKS_TOKEN": "<token-value>"
  }
}

Note

If more than one profile matches the --host value, an error displays, stating that it cannot find a single matching profile. For example, you might have one profile that has only a host value and another profile that has the same host value but also a token value. In this case, the Databricks CLI does not choose a profile and stops. To help the Databricks CLI choose the desired profile, try specifying a different --host value. For --host values that are account console URLs, try specifying an --account-id value instead of a --host value.

To create a configuration profile, see the configure command group.

Authenticate with OAuth

Instead of authenticating with Databricks by using access tokens and configuration profiles, you can use OAuth user-to-machine (U2M) authentication. OAuth provides tokens with faster expiration times than Databricks personal access tokens, and offers better server-side session invalidation and scoping. Because OAuth access tokens expire in less than an hour, this reduces the risk associated with accidentally checking tokens into source control. See Authenticate access to Databricks with a user account using OAuth (OAuth U2M).

To configure and set up OAuth U2M authentication, see OAuth user-to-machine (U2M) authentication.

Get OAuth access token details

If you want to see information about the cached OAuth access token that the Databricks CLI previously generated for a Databricks workspace, run the auth token command, where <workspace-url> represents the Databricks workspace’s URL, as follows:

databricks auth token <workspace-url>

Output:

{
  "access_token": "<token-value>",
  "token_type": "Bearer",
  "expiry": "<token-expiration-date-time>"
}

Get authentication details

To get details about the configuration that the Databricks CLI is using to authenticate, run the auth describe command.

If no options are specified, the auth describe command follows the Default methods for client unified authentication.

databricks auth describe

Output:

Host: https://<workspace-instance-name>
User: <user-name>@<domain>
Authenticated with: <authentication-type>
-----
Current configuration:
   host: https://<workspace-instance-name> (from <path>/<to>/.databrickscfg config file)
   profile: default
   auth_type: <authentication-type> (from <path>/<to>/.databrickscfg config file)

To specify that information about a specific Databricks workspace is used, specify the --host option along with the workspace’s URL.

databricks auth describe --host https://<workspace-instance-name>

Output:

Host: https://<workspace-instance-name>
User: <user-name>@<domain>
Authenticated with: <authentication-type>
-----
Current configuration:
   host: https://<workspace-instance-name> (from --host flag)
   profile: default
   auth_type: <authentication-type>

To specify that information about a specific Databricks account is used, specify the --host option along with the Databricks account console URL, https://accounts.gcp.databricks.com.

databricks auth describe --host <account-console-url>

Output:

Host: <account-console-url>
User: <user-name>@<domain>
AccountId: <account-id>
Authenticated with: <authentication-type>
-----
Current configuration:
   host: <account-console-url> (from --host flag)
   account_id: <account-id>
   profile: default
   auth_type: <authentication-type>

To specify that information about a specific Databricks configuration profile is used, specify the -p or --profile option along with the profile’s name.

databricks auth describe -p <profile-name>

Output:

Host: https://<workspace-instance-name>
User: <user-name>@<domain>
Authenticated with: <authentication-type>
-----
Current configuration:
   host: https://<workspace-instance-name> (from <path>/<to>/.databrickscfg config file)
   token: ******** (from <path>/<to>/.databrickscfg config file)
   profile: <profile-name> (from --profile flag)
   auth_type: <authentication-type>

To include sensitive information in the output (such as Databricks personal access tokens and client secrets), specify the --sensitive option.

databricks auth describe --sensitive

Output:

Host: https://<workspace-instance-name>
User: <user-name>@<domain>
Authenticated with: pat
-----
Current configuration:
   host: https://<workspace-instance-name> (from <path>/<to>/.databrickscfg config file)
   token: <token-value> (from <path>/<to>/.databrickscfg config file)
   profile: <profile-name>
   auth_type: pat