{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"type":"markdown"},"seo":{"title":"Step 2: Set Up Databricks Authentication","description":"Create a service principal, generate a PAT, and configure workspace access for Composable Audience Studio.","siteUrl":"https://docs.treasuredata.com","lang":"en-US","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"step-2-set-up-databricks-authentication","__idx":0},"children":["Step 2: Set Up Databricks Authentication"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["CAS connects to Databricks using a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["service principal with a Personal Access Token (PAT)"]},". You will create a service principal, generate a PAT, and configure workspace access."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"create-a-service-principal","__idx":1},"children":["Create a Service Principal"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In the Databricks ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Account Console"]},", navigate to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["User management"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Service principals"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add service principal"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enter a display name for the service principal (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["TD-CAS-Service"]},")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add service principal"]}," to create it."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Note the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Application ID"]}," assigned to the service principal."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"generate-a-pat-for-the-service-principal","__idx":2},"children":["Generate a PAT for the Service Principal"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A workspace admin must create the initial PAT on behalf of the service principal using the Databricks CLI:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Set up authentication for the Databricks CLI if not already configured."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Get the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Application ID"]}," of the service principal:",{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click your username in the top bar, then click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Workspace admin"]},", click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identity and access"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Manage"]}," (next to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Service principals"]},")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click the service principal name to open its settings page."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["On the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Configurations"]}," tab, note the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Application Id"]}," value."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Run the following command to generate the access token:"]}]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"shell","header":{"controls":{"copy":{}}},"source":"databricks token-management create-obo-token \\\n  <application-id> \\\n  --lifetime-seconds 86400 \\\n  --profile <admin-profile>\n","lang":"shell"},"children":[]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"Important"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Service principals ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["cannot"]}," create their own initial PAT. A workspace admin must use the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["create-obo-token"]}," command. The ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["databricks tokens create"]}," command will fail with a \"User does not have permission to use tokens\" error."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Once the service principal has its first PAT, it can create additional tokens for itself:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"shell","header":{"controls":{"copy":{}}},"source":"databricks tokens create --lifetime-seconds 86400 --profile <sp-pat-profile>\n","lang":"shell"},"children":[]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Note"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Databricks recommends using OAuth M2M (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_id"]}," + ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_secret"]},") instead of PATs for service principals, as OAuth tokens auto-refresh and are more secure. However, PAT-based authentication is currently the supported method for the CAS connection."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"allow-the-service-principal-to-access-a-workspace","__idx":3},"children":["Allow the Service Principal to Access a Workspace"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In your Databricks workspace, go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Workspace admin"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identity and access"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Service principals"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add service principal"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Search for and select the service principal you created."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add"]}," to grant workspace access."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"configure-schema-level-access-control-if-necessary","__idx":4},"children":["Configure Schema-Level Access Control (If Necessary)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If your Unity Catalog has fine-grained access controls, ensure the service principal has the necessary permissions:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Navigate to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Catalog"]}," in the Databricks workspace sidebar."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select the target catalog (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["cas_demo_east1"]},")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Permissions"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Grant"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Add the service principal as a principal."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Data Reader"]}," privilege preset, which grants:",{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Prerequisite"]},": USE CATALOG, USE SCHEMA"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Metadata"]},": BROWSE"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Read"]},": EXECUTE, SELECT"]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"allow-treasure-data-server-ips-to-access-the-cdw","__idx":5},"children":["Allow Treasure Data Server IPs to Access the CDW"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If your Databricks workspace uses IP access lists, add Treasure Data's export IP addresses to the allow list. Use the Databricks CLI:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"shell","header":{"controls":{"copy":{}}},"source":"databricks ip-access-lists create --json '{\n  \"label\": \"TreasureData\",\n  \"list_type\": \"ALLOW\",\n  \"ip_addresses\": [\n    \"<TD_IP_1>\",\n    \"<TD_IP_2>\"\n  ]\n}'\n","lang":"shell"},"children":[]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Note"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For the list of Treasure Data IP addresses to add, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/apis/endpoints/ip-addresses-integrations-result-workers"},"children":["Static IP Addresses for Integrations and Result Workers"]},"."]}]}]},"headings":[{"value":"Step 2: Set Up Databricks Authentication","id":"step-2-set-up-databricks-authentication","depth":1},{"value":"Create a Service Principal","id":"create-a-service-principal","depth":2},{"value":"Generate a PAT for the Service Principal","id":"generate-a-pat-for-the-service-principal","depth":2},{"value":"Allow the Service Principal to Access a Workspace","id":"allow-the-service-principal-to-access-a-workspace","depth":2},{"value":"Configure Schema-Level Access Control (If Necessary)","id":"configure-schema-level-access-control-if-necessary","depth":2},{"value":"Allow Treasure Data Server IPs to Access the CDW","id":"allow-treasure-data-server-ips-to-access-the-cdw","depth":2}],"frontmatter":{"seo":{"title":"Step 2: Set Up Databricks Authentication","description":"Create a service principal, generate a PAT, and configure workspace access for Composable Audience Studio."}},"lastModified":"2026-04-13T00:18:56.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/products/customer-data-platform/composable-cdp/databricks/set-up-databricks-authentication","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}