CAS connects to Databricks using a service principal with a Personal Access Token (PAT). You will create a service principal, generate a PAT, and configure workspace access.
- In the Databricks Account Console, navigate to User management > Service principals.
- Click Add service principal.
- Enter a display name for the service principal (e.g., TD-CAS-Service).
- Click Add service principal to create it.
- Note the Application ID assigned to the service principal.
A workspace admin must create the initial PAT on behalf of the service principal using the Databricks CLI:
- Set up authentication for the Databricks CLI if not already configured.
- Get the Application ID of the service principal:
  - Click your username in the top bar, then click Settings.
  - Under Workspace admin, click Identity and access > Manage (next to Service principals).
  - Click the service principal name to open its settings page.
  - On the Configurations tab, note the Application Id value.
- Run the following command to generate the access token:

```shell
databricks token-management create-obo-token \
  <application-id> \
  --lifetime-seconds 86400 \
  --profile <admin-profile>
```

Service principals cannot create their own initial PAT. A workspace admin must use the create-obo-token command. The databricks tokens create command will fail with a "User does not have permission to use tokens" error.
Once the service principal has its first PAT, it can create additional tokens for itself:
```shell
databricks tokens create --lifetime-seconds 86400 --profile <sp-pat-profile>
```

Databricks recommends using OAuth M2M (client_id + client_secret) instead of PATs for service principals, because OAuth tokens refresh automatically and are more secure. However, PAT-based authentication is currently the supported method for the CAS connection.
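Because the PATs above are created with a fixed 86400-second lifetime, an operator needs to notice tokens that are about to lapse (the CAS connection stops working) or that were created without a lifetime. As an added example, not from the Treasure Data or Databricks documentation, the script below audits a token listing for exactly those conditions. It assumes the field names of the Databricks Token Management API (`token_infos[].creation_time` and `expiry_time` in epoch milliseconds, `-1` meaning no expiry) and runs on a constructed sample rather than live CLI output.

```python
import json

# Constructed sample shaped like `databricks token-management list --output json`.
# Field names follow the Token Management API (assumption); values are made up.
# expiry_time of -1 is assumed to mean "never expires".
SAMPLE_LISTING = json.dumps({"token_infos": [
    {"token_id": "tok-aaa", "created_by_username": "TD-CAS-Service",
     "creation_time": 1700000000000, "expiry_time": 1700086400000,
     "comment": "initial OBO token, 86400 s lifetime"},
    {"token_id": "tok-bbb", "created_by_username": "TD-CAS-Service",
     "creation_time": 1700000000000, "expiry_time": -1,
     "comment": "created without --lifetime-seconds"},
    {"token_id": "tok-ccc", "created_by_username": "alice@example.com",
     "creation_time": 1700000000000,
     "expiry_time": 1700000000000 + 30 * 86400 * 1000, "comment": ""},
]})

def audit_tokens(listing_json, now_ms, warn_hours=6, max_lifetime_seconds=86400):
    """Classify every token in a token-management listing.

    Statuses: 'expired', 'expiring' (within warn_hours), 'non-expiring',
    'lifetime-exceeds-policy' (longer than max_lifetime_seconds), or 'ok'.
    """
    findings = []
    for tok in json.loads(listing_json)["token_infos"]:
        created = tok["creation_time"]
        expiry = tok.get("expiry_time")
        if expiry is None or expiry < 0:
            status = "non-expiring"
        elif expiry <= now_ms:
            status = "expired"
        elif expiry - now_ms <= warn_hours * 3600 * 1000:
            status = "expiring"
        elif expiry - created > max_lifetime_seconds * 1000:
            status = "lifetime-exceeds-policy"
        else:
            status = "ok"
        findings.append({"token_id": tok["token_id"],
                         "owner": tok.get("created_by_username", "?"),
                         "status": status})
    return findings

def needs_action(findings):
    """Return the token ids an operator should rotate or revoke."""
    return [f["token_id"] for f in findings if f["status"] != "ok"]

if __name__ == "__main__":
    # Evaluate the sample as of 1700080000000 ms, about 22 hours after creation.
    for f in audit_tokens(SAMPLE_LISTING, now_ms=1700080000000):
        print(f"{f['token_id']:10} {f['owner']:20} {f['status']}")
```

Feed it the real listing (`json.loads` of the CLI output) and the current time in milliseconds to use it against a workspace.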
- In your Databricks workspace, go to Settings > Workspace admin > Identity and access > Service principals.
- Click Add service principal.
- Search for and select the service principal you created.
- Click Add to grant workspace access.
If your Unity Catalog has fine-grained access controls, ensure the service principal has the necessary permissions:
- Navigate to Catalog in the Databricks workspace sidebar.
- Select the target catalog (e.g., cas_demo_east1).
- Click Permissions > Grant.
- Add the service principal as a principal.
- Select the Data Reader privilege preset, which grants:
  - Prerequisite: USE CATALOG, USE SCHEMA
  - Metadata: BROWSE
  - Read: EXECUTE, SELECT
If your Databricks workspace uses IP access lists, add Treasure Data's export IP addresses to the allow list. Use the Databricks CLI:
```shell
databricks ip-access-lists create --json '{
  "label": "TreasureData",
  "list_type": "ALLOW",
  "ip_addresses": [
    "<TD_IP_1>",
    "<TD_IP_2>"
  ]
}'
```

For the list of Treasure Data IP addresses to add, see Static IP Addresses for Integrations and Result Workers.