Databricks client unified authentication

Databricks client unified authentication centralizes setting up and automating authentication to Databricks. It enables you to configure Databricks authentication once and then use that configuration across multiple Databricks tools and SDKs without further authentication configuration changes.

Participating tools and SDKs

Participating Databricks tools and SDKs include:

• The Databricks CLI

• The Databricks Terraform provider

• Databricks Connect

• The Databricks extension for Visual Studio Code

• The Databricks SDK for Python

• The Databricks SDK for Java

• The Databricks SDK for Go

All participating tools and SDKs accept special environment variables and Databricks configuration profiles for authentication. The Databricks Terraform provider and the Databricks SDKs for Python, Java, and Go also accept direct configuration of authentication settings within code. For details, see Developer tools for the tool’s or SDK’s documentation.

Default methods for client unified authentication

Whenever a tool or SDK must authenticate to Databricks, it tries the following types of authentication in the following order by default. When the tool or SDK succeeds with the type of authentication it tries, it stops trying to authenticate with the remaining authentication types. To force an SDK to authenticate with a specific authentication type, set the Config API’s Databricks authentication type field.

1. Databricks personal access token authentication

2. Authenticate access to Databricks with a service principal using OAuth (OAuth M2M)

3. Authenticate access to Databricks with a user account using OAuth (OAuth U2M)

4. Google Cloud credentials authentication

5. Google Cloud ID authentication

For each authentication type that the participating tool or SDK tries, the tool or SDK tries to find authentication credentials in the following locations, in the following order. When the tool or SDK succeeds in finding authentication credentials that can be used, the tool or SDK stops trying to find authentication credentials in the remaining locations.

1. Credential-related Config API fields (for SDKs). To set Config fields, see the SDK’s reference documentation.

2. Credential-related environment variables.

3. Credential-related fields in the DEFAULT configuration profile within the .databrickscfg file. To set configuration profile fields, see (/dev-tools/auth/config-profiles.md).

4. Any related authentication credentials that are cached by the Google Cloud CLI. See Google Cloud ID authentication.

To provide maximum portability for your code, Databricks recommends that you create a custom configuration profile within the .databrickscfg file, add the belowrequired fields below for your target Databricks authentication type to the custom configuration profile, and then set the DATABRICKS_CONFIG_PROFILE environment variable to the name of the custom configuration profile.

Environment variables and fields for client unified authentication

The following tables list the names and descriptions of the supported environment variables and fields for Databricks client unified authentication. In the following tables:

• Environment variable, where applicable, is the name of the environment variable.

• .databrickscfg field, where applicable, is the name of the field within a Databricks configuration profiles file or Databricks Terraform configuration. To set .databrickscfg fields, see Databricks configuration profiles.

• Terraform field, where applicable, is the name of the field within a Databricks Terraform configuration. To set Databricks Terraform fields, see Authentication in the Databricks Terraform provider documentation.

• Config field is the name of the field within the Config API for the specified SDK.

General host, token, and account ID environment variables and fields

Common name	Description	Environment variable	.databrickscfg field, Terraform field	Config field
Databricks host	(String) The Databricks host URL for either the Databricks workspace endpoint or the Databricks accounts endpoint.	DATABRICKS_HOST	host	host (Python), setHost (Java), Host (Go)
Databricks token	(String) The Databricks personal access token.	DATABRICKS_TOKEN	token	token (Python), setToken (Java), Token (Go)
Databricks account ID	(String) The Databricks account ID for the Databricks account endpoint. Only has effect when the Databricks host is also set to https://accounts.gcp.databricks.com.	DATABRICKS_ACCOUNT_ID	account_id	account_id (Python), setAccountID (Java), AccountID (Go)

Google Cloud-specific environment variables and fields

Common name	Description	Environment variable	.databrickscfg field, Terraform field	Config field
Client ID	(String) The Databricks service principal’s client ID.	DATABRICKS_CLIENT_ID	client_id	client_id (Python), setClientId (Java), ClientId (Go)
Client secret	(String) The Databricks service principal’s client secret.	DATABRICKS_CLIENT_SECRET	client_secret	client_secret (Python), setClientSecret (Java), ClientSecret (Go)
Google Cloud service account	(String) The Google Cloud service account’s e-mail address.	DATABRICKS_GOOGLE_SERVICE_ACCOUNT	google_service_acccount	GoogleServiceAccount (Go)
Google Cloud credentials	(String) The local path to the Google Cloud service account key file, or the contents of the service account key file in JSON format.	GOOGLE_CREDENTIALS	google_credentials	GoogleCredentials (Go)

.databrickscfg-specific environment variables and fields

Use these environment variables or fields to specify non-default settings for .databrickscfg. See also Databricks configuration profiles.

Common name	Description	Environment variable	Terraform field	Config field
.databrickscfg file path	(String) A non-default path to the .databrickscfg file.	DATABRICKS_CONFIG_FILE	config_file	config_file (Python), setConfigFile (Java), ConfigFile (Go)
.databrickscfg default profile	(String) The default named profile to use, other than DEFAULT.	DATABRICKS_CONFIG_PROFILE	profile	profile (Python), setProfile (Java), Profile (Go)

Authentication type field

Use this environment variable or field to force an SDK to use a specific type of Databricks authentication.

Common name	Description	Terraform field	Config field
Databricks authentication type	(String) When multiple authentication attributes are available in the environment, use the authentication type specified by this argument.	auth_type	auth_type (Python), setAuthType (Java), AuthType (Go)

Supported Databricks authentication type field values include:

• oauth-m2m: Set this value if you are using a Databricks service principal for M2M authentication with OAuth 2.0. For more details, see Authenticate access to Databricks with a service principal using OAuth (OAuth M2M).

• pat: Set this value if you are using Databricks personal access tokens. For more details, see Databricks personal access token authentication.

• databricks-cli: Set this value if you are using the Databricks CLI with OAuth 2.0. For more details, see Authenticate access to Databricks with a user account using OAuth (OAuth U2M).

• google-id: Set this value if you are authenticating access using a Google ID. For more details, see Google Cloud ID authentication.