@clowa
Last active October 13, 2023 15:10
Azure Databricks: Create a personal access token for a Service Principal via PowerShell

Create a personal access token for a Service Principal via PowerShell

Prerequisite

  • An existing Azure Databricks Workspace
  • Administrator Access to your Databricks Workspace
  • An existing Databricks Service Principal with a corresponding Azure AD App Registration, identified by the matching Client ID (UUID). See here for more information on how to set this up.
  • A client secret of the Service Principal's App Registration

Create a Personal Access Token

Configure the parameters according to your environment.

```powershell
$tenantId = "00000000-0000-0000-0000-000000000000"                            # Change me
$clientId = "00000000-0000-0000-0000-000000000000"                            # Change me
$clientSecret = "yPp8tXXXXXXtaBj"                                             # Change me
$databrickWorkspaceUrl = "https://adb-0000000000000000.0.azuredatabricks.net" # Change me
$databricksTokenLifetime = 120                                                # Change me (seconds)
$databricksTokenComment = "Just a token to test the pat creation via API"     # Change me
```

Before you can create a Databricks Personal Access Token, check that the Databricks Service Principal is eligible to create one. In your Databricks Workspace, navigate to Admin Settings -> Workspace Settings -> Access control -> Personal Access Tokens, check that the feature is enabled, and check the permissions to confirm that your service principal is allowed to use Personal Access Tokens.

Now acquire an Azure AD access token for your AAD App Registration (aka. AAD Service Principal). This token is then used to create the Databricks Personal Access Token.

```powershell
# Client-credentials flow against the Azure AD v2.0 token endpoint; the scope is the AzureDatabricks resource
$aadToken = Invoke-RestMethod -Uri https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token -Method Post -Headers @{ "Content-Type" = "application/x-www-form-urlencoded" } -Body @{
    client_id=$clientId;
    client_secret=$clientSecret;
    grant_type="client_credentials";
    scope='2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default';
}
```

You can now use your AAD token to create a Databricks Personal Access Token for the Databricks Service Principal.
Remove the lifetime_seconds parameter below to create a token that never expires.

```powershell
$dbxToken = Invoke-RestMethod -Uri "$databrickWorkspaceUrl/api/2.0/token/create" -Method Post -Headers @{ "Authorization" = "Bearer $($aadToken.access_token)" } -Body (ConvertTo-Json @{
    lifetime_seconds = $databricksTokenLifetime; # Remove this line to never expire the token
    comment = $databricksTokenComment;
})
# expiry_time is epoch milliseconds; a non-expiring token is reported with expiry_time = -1,
# which FromUnixTimeMilliseconds would otherwise turn into a date in 1969.
$expirationDateTime = if ($dbxToken.token_info.expiry_time -lt 0) {
    "never"
} else {
    [System.DateTimeOffset]::FromUnixTimeMilliseconds($dbxToken.token_info.expiry_time).DateTime
}

# token_value is the secret itself and is only returned once; handle it like any other credential
Write-Host "Databricks token: $($dbxToken.token_value)"
Write-Host "Expires on: $expirationDateTime"
```

Done ✅

List all Personal Access Tokens

```powershell
Invoke-RestMethod -Uri "$databrickWorkspaceUrl/api/2.0/token/list" -Method Get -Headers @{ "Authorization" = "Bearer $($aadToken.access_token)" }
```

Revoke a Personal Access Token

```powershell
$tokenId = "0000000000000000000000000000000000000000000000000000000000000000" # token_id from the list call above
Invoke-RestMethod -Uri "$databrickWorkspaceUrl/api/2.0/token/delete" -Method Post -Headers @{ "Authorization" = "Bearer $($aadToken.access_token)" } -Body (ConvertTo-Json @{
    token_id = $tokenId;
})
```
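Putting the list and revoke calls above together into a token-hygiene routine, as an added example that is not part of the gist: it inventories the PATs visible to the calling principal through the same `/api/2.0/token/list` endpoint and revokes the ones that never expire or are older than a chosen age. It reuses `$databrickWorkspaceUrl` and `$aadToken` from the steps above and assumes Databricks reports `expiry_time = -1` for tokens without an expiry; the function names are my own.

```powershell
function Get-DatabricksTokenInventory {
    # Lists the PATs owned by the principal behind the AAD token (same endpoint as the gist)
    param([string]$WorkspaceUrl, [string]$AadAccessToken)
    $headers  = @{ "Authorization" = "Bearer $AadAccessToken" }
    $response = Invoke-RestMethod -Uri "$WorkspaceUrl/api/2.0/token/list" -Method Get -Headers $headers
    foreach ($t in $response.token_infos) {
        [pscustomobject]@{
            TokenId      = $t.token_id
            Comment      = $t.comment
            # creation_time / expiry_time are epoch milliseconds (UTC)
            Created      = [System.DateTimeOffset]::FromUnixTimeMilliseconds($t.creation_time).UtcDateTime
            Expires      = if ($t.expiry_time -lt 0) { $null } else {
                               [System.DateTimeOffset]::FromUnixTimeMilliseconds($t.expiry_time).UtcDateTime }
            NeverExpires = ($t.expiry_time -lt 0)   # assumption: -1 marks a non-expiring token
        }
    }
}

function Revoke-StaleDatabricksTokens {
    # Revokes tokens older than MaxAgeDays and, optionally, all non-expiring ones.
    # Supports -WhatIf so the candidate list can be reviewed before anything is deleted.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$WorkspaceUrl,
        [string]$AadAccessToken,
        [int]$MaxAgeDays = 90,
        [switch]$IncludeNonExpiring
    )
    $headers = @{ "Authorization" = "Bearer $AadAccessToken" }
    $cutoff  = [DateTime]::UtcNow.AddDays(-$MaxAgeDays)
    $stale = Get-DatabricksTokenInventory -WorkspaceUrl $WorkspaceUrl -AadAccessToken $AadAccessToken |
        Where-Object { $_.Created -lt $cutoff -or ($IncludeNonExpiring -and $_.NeverExpires) }
    foreach ($t in $stale) {
        if ($PSCmdlet.ShouldProcess("$($t.TokenId) ($($t.Comment))", "Revoke Databricks PAT")) {
            Invoke-RestMethod -Uri "$WorkspaceUrl/api/2.0/token/delete" -Method Post -Headers $headers `
                -Body (ConvertTo-Json @{ token_id = $t.TokenId })
        }
    }
    $stale   # return the affected tokens for logging
}

# Dry run first; drop -WhatIf to actually revoke
Revoke-StaleDatabricksTokens -WorkspaceUrl $databrickWorkspaceUrl -AadAccessToken $aadToken.access_token `
    -MaxAgeDays 90 -IncludeNonExpiring -WhatIf
```

Note that `/api/2.0/token/list` only returns the tokens of the principal whose AAD token you present, so run this with the service principal whose tokens you want to audit.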

Resources
