# Step 2: Set Up Databricks Authentication

CAS connects to Databricks using a **service principal with a Personal Access Token (PAT)**. You will create a service principal, generate a PAT, and configure workspace access.

## Create a Service Principal

1. In the Databricks **Account Console**, navigate to **User management** > **Service principals**.
2. Click **Add service principal**.
3. Enter a display name for the service principal (e.g., `TD-CAS-Service`).
4. Click **Add service principal** to create it.
5. Note the **Application ID** assigned to the service principal.

## Generate a PAT for the Service Principal

A workspace admin must create the initial PAT on behalf of the service principal using the Databricks CLI:

1. Set up authentication for the Databricks CLI if not already configured.
2. Get the **Application ID** of the service principal:
  - Click your username in the top bar, then click **Settings**.
  - Under **Workspace admin**, click **Identity and access** > **Manage** (next to **Service principals**).
  - Click the service principal name to open its settings page.
  - On the **Configurations** tab, note the **Application Id** value.
3. Run the following command to generate the access token:

```shell
databricks token-management create-obo-token \
  <application-id> \
  --lifetime-seconds 86400 \
  --profile <admin-profile>
```

Important
Service principals **cannot** create their own initial PAT. A workspace admin must use the `create-obo-token` command. The `databricks tokens create` command will fail with a "User does not have permission to use tokens" error.

Once the service principal has its first PAT, it can create additional tokens for itself:

```shell
databricks tokens create --lifetime-seconds 86400 --profile <sp-pat-profile>
```

Note
Databricks recommends using OAuth M2M (`client_id` + `client_secret`) instead of PATs for service principals, as OAuth tokens auto-refresh and are more secure. However, PAT-based authentication is currently the supported method for the CAS connection.
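
Because the commands above mint tokens with a fixed `--lifetime-seconds` (86400 seconds is one day), the CAS connection will break when the PAT lapses unless someone rotates it first. The following script is an added example, not Treasure Data's or Databricks' code: it takes JSON in the shape of `databricks token-management list --output json` (a `token_infos` array whose `expiry_time` is in epoch milliseconds, with `-1` for tokens that never expire; these field names are assumed from that output) and sorts the service principal's tokens into expired, expiring soon, never-expiring and healthy. The sample token list is constructed.

```python
"""Audit the CAS service principal's PATs for expiry.

Added example, not Treasure Data's or Databricks' code. Input is JSON in the
shape of `databricks token-management list --output json`: a `token_infos`
array with `token_id`, `comment`, `creation_time` and `expiry_time` in epoch
milliseconds (field names assumed from that output). The sample is constructed.
"""
import json
import time
from typing import Optional

# Constructed sample: three tokens owned by the CAS service principal.
SAMPLE_TOKEN_LIST = json.dumps({
    "token_infos": [
        # Minted with --lifetime-seconds 86400 on 2025-01-01: one-day lifetime.
        {"token_id": "tok-aaaa", "comment": "cas-connection",
         "creation_time": 1735689600000, "expiry_time": 1735776000000},
        # Rotated token with a 30-day lifetime (expires 2025-02-01).
        {"token_id": "tok-bbbb", "comment": "cas-connection-rotated",
         "creation_time": 1735776000000, "expiry_time": 1738368000000},
        # Token minted without a lifetime: never expires (-1).
        {"token_id": "tok-cccc", "comment": "legacy",
         "creation_time": 1704067200000, "expiry_time": -1},
    ]
})

WARN_WINDOW_S = 2 * 86400  # flag tokens that lapse within two days


def classify_tokens(token_list_json: str, now_epoch_s: Optional[float] = None) -> dict:
    """Bucket token ids into expired / expiring_soon / no_expiry / ok relative to now."""
    now = time.time() if now_epoch_s is None else now_epoch_s
    buckets = {"expired": [], "expiring_soon": [], "no_expiry": [], "ok": []}
    for info in json.loads(token_list_json)["token_infos"]:
        expiry_ms = info.get("expiry_time", -1)
        if expiry_ms is None or expiry_ms < 0:
            # A PAT with no expiry can never be caught by rotation; report it separately.
            buckets["no_expiry"].append(info["token_id"])
            continue
        remaining = expiry_ms / 1000 - now
        if remaining <= 0:
            buckets["expired"].append(info["token_id"])
        elif remaining <= WARN_WINDOW_S:
            buckets["expiring_soon"].append(info["token_id"])
        else:
            buckets["ok"].append(info["token_id"])
    return buckets


if __name__ == "__main__":
    # Evaluate the sample as of 2025-01-31T00:00:00Z.
    report = classify_tokens(SAMPLE_TOKEN_LIST, now_epoch_s=1738281600)
    for bucket, ids in report.items():
        print(f"{bucket:14s} {', '.join(ids) or '-'}")
```

Run it on real output by piping the CLI's JSON into `classify_tokens`; anything in `expiring_soon` is the cue to mint the replacement token with `create-obo-token` (or, once the principal has a PAT, `tokens create`) and update the CAS connection before the old one lapses.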

## Allow the Service Principal to Access a Workspace

1. In your Databricks workspace, go to **Settings** > **Workspace admin** > **Identity and access** > **Service principals**.
2. Click **Add service principal**.
3. Search for and select the service principal you created.
4. Click **Add** to grant workspace access.

## Configure Schema-Level Access Control (If Necessary)

If your Unity Catalog has fine-grained access controls, ensure the service principal has the necessary permissions:

1. Navigate to **Catalog** in the Databricks workspace sidebar.
2. Select the target catalog (e.g., `cas_demo_east1`).
3. Click **Permissions** > **Grant**.
4. Add the service principal as a principal.
5. Select the **Data Reader** privilege preset, which grants:
  - **Prerequisite**: USE CATALOG, USE SCHEMA
  - **Metadata**: BROWSE
  - **Read**: EXECUTE, SELECT
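
After granting the preset, it is worth confirming that the service principal ended up with exactly those five privileges and nothing broader. The script below is an added example, not Treasure Data's or Databricks' code: it reads JSON in the shape of `databricks grants get catalog cas_demo_east1 --output json` (`privilege_assignments`, each with a `principal` and a `privileges` array) and reports what the principal still lacks from Data Reader and what it holds beyond it. The sample grants and the service principal's application ID are constructed placeholders.

```python
"""Check that a principal holds exactly the Data Reader privileges on a catalog.

Added example, not Treasure Data's or Databricks' code. Input is JSON in the
shape of `databricks grants get catalog <catalog> --output json`
(`privilege_assignments` -> `principal`, `privileges`). The sample is
constructed; the application id below is a placeholder.
"""
import json

# The Data Reader preset from the steps above, in Unity Catalog API spelling.
DATA_READER = frozenset({"USE_CATALOG", "USE_SCHEMA", "BROWSE", "EXECUTE", "SELECT"})

CAS_SP = "00000000-0000-0000-0000-000000000000"  # placeholder application id

SAMPLE_GRANTS = json.dumps({
    "privilege_assignments": [
        # CAS service principal: missing BROWSE and EXECUTE, holds MODIFY it does not need.
        {"principal": CAS_SP,
         "privileges": ["USE_CATALOG", "USE_SCHEMA", "SELECT", "MODIFY"]},
        {"principal": "data-engineers", "privileges": ["ALL_PRIVILEGES"]},
    ]
})


def privileges_for(grants_json: str, principal: str) -> set:
    """Union of privileges granted directly to `principal` on the securable."""
    held = set()
    for assignment in json.loads(grants_json).get("privilege_assignments", []):
        if assignment.get("principal") == principal:
            held.update(assignment.get("privileges", []))
    return held


def check_data_reader(grants_json: str, principal: str) -> dict:
    """Return what `principal` lacks from Data Reader and what it holds beyond it.

    ALL_PRIVILEGES implies every Data Reader privilege, so nothing is reported
    missing, but it is reported as extra: a read-only connection does not need it.
    """
    held = privileges_for(grants_json, principal)
    missing = [] if "ALL_PRIVILEGES" in held else sorted(DATA_READER - held)
    return {"missing": missing, "extra": sorted(held - DATA_READER)}


if __name__ == "__main__":
    print(CAS_SP, check_data_reader(SAMPLE_GRANTS, CAS_SP))
    print("data-engineers", check_data_reader(SAMPLE_GRANTS, "data-engineers"))
```

A non-empty `missing` list means the CAS connection will fail on that catalog; a non-empty `extra` list means the principal is over-privileged for a read-only integration and the surplus should be revoked. The check covers only direct grants on the catalog; privileges inherited through group membership need the effective-permissions view (`databricks grants get-effective`) instead.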

## Allow Treasure Data Server IPs to Access the CDW

If your Databricks workspace uses IP access lists, add Treasure Data's export IP addresses to the allow list. Use the Databricks CLI:

```shell
databricks ip-access-lists create --json '{
  "label": "TreasureData",
  "list_type": "ALLOW",
  "ip_addresses": [
    "<TD_IP_1>",
    "<TD_IP_2>"
  ]
}'
```

Note
For the list of Treasure Data IP addresses to add, see [Static IP Addresses for Integrations and Result Workers](/apis/endpoints/ip-addresses-integrations-result-workers).
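
An allow list is only as tight as the entries in it, and a placeholder left in place or a catch-all CIDR is easy to miss in a pasted JSON body. The script below is an added example, not Treasure Data's or Databricks' code: it checks a payload of the shape used above before it is handed to `databricks ip-access-lists create --json`, rejecting unreplaced `<TD_IP_n>` placeholders, malformed addresses, duplicates and ranges wider than a configurable limit. The sample addresses are constructed from RFC 5737 documentation ranges, not Treasure Data's real export IPs, and the size limit is an assumed local policy rather than a Databricks rule.

```python
"""Pre-flight check for an IP access list payload before it goes to
`databricks ip-access-lists create --json`.

Added example, not Treasure Data's or Databricks' code. Sample addresses are
constructed from RFC 5737 documentation ranges, not Treasure Data's real export
IPs; `max_addresses` is an assumed local policy, not a Databricks limit.
"""
import ipaddress
import json

# The payload exactly as in the template above, placeholders still in place.
TEMPLATE_PAYLOAD = json.dumps({
    "label": "TreasureData",
    "list_type": "ALLOW",
    "ip_addresses": ["<TD_IP_1>", "<TD_IP_2>"],
})

# Constructed: placeholders replaced with documentation-range addresses.
GOOD_PAYLOAD = json.dumps({
    "label": "TreasureData",
    "list_type": "ALLOW",
    "ip_addresses": ["198.51.100.7", "203.0.113.0/28"],
})

# Constructed: a catch-all range and a CIDR with host bits set.
BAD_PAYLOAD = json.dumps({
    "label": "TreasureData",
    "list_type": "ALLOW",
    "ip_addresses": ["0.0.0.0/0", "10.0.0.1/24"],
})


def validate_allow_list(payload_json: str, max_addresses: int = 256) -> list:
    """Return the problems found in the payload; an empty list means it is safe to submit."""
    problems = []
    payload = json.loads(payload_json)
    if payload.get("list_type") != "ALLOW":
        problems.append(f"list_type is {payload.get('list_type')!r}, expected 'ALLOW'")
    if not payload.get("label"):
        problems.append("label must not be empty")
    entries = payload.get("ip_addresses") or []
    if not entries:
        problems.append("ip_addresses is empty")
    seen = set()
    for entry in entries:
        if "<" in entry or ">" in entry:
            problems.append(f"placeholder not replaced: {entry}")
            continue
        try:
            # strict=True rejects CIDRs with host bits set (e.g. 10.0.0.1/24).
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"invalid address or CIDR {entry!r}: {exc}")
            continue
        if str(net) in seen:
            problems.append(f"duplicate entry: {entry}")
        seen.add(str(net))
        if net.num_addresses > max_addresses:
            problems.append(f"{entry} covers {net.num_addresses} addresses (limit {max_addresses})")
    return problems


if __name__ == "__main__":
    for name, payload in [("template", TEMPLATE_PAYLOAD), ("good", GOOD_PAYLOAD), ("bad", BAD_PAYLOAD)]:
        print(name, validate_allow_list(payload) or "ok")
```

Submit the payload only when `validate_allow_list` returns an empty list; the template as printed on this page fails on both placeholders, which is the intended reminder to fill in the published Treasure Data addresses first.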