auth
command group
Note
This information applies to Databricks CLI versions 0.205 and above. The Databricks CLI is in Public Preview.
Databricks CLI use is subject to the Databricks License and Databricks Privacy Notice, including any Usage Data provisions.
The auth
command group within the Databricks CLI enables you to:
- List any available authentication configuration profiles.
- Get information about an individual authentication configuration profile.
- Use OAuth user-to-machine (U2M) authentication to authenticate the Databricks CLI with your Azure Databricks accounts and workspaces.
- Get information about any OAuth access tokens that the Databricks CLI might have cached.
- Get details about the configuration that the Databricks CLI is using to authenticate.
You run auth
commands by appending them to databricks auth
. To display help for the auth
command, run databricks auth -h
.
List configuration profiles
To get a list of all of your available configuration profiles and to check whether they are valid, run the auth profiles
command, as follows:
databricks auth profiles
Output (the ellipses represent omitted content, for brevity):
Name Host Valid
DEFAULT https://<host-url> YES
<profile-name> https://<host-url> NO
To determine whether each profile is valid, the Databricks CLI runs a list workspaces command for each account-level profile and runs a get current user command for each workspace-level profile. If the command succeeds, a YES
is displayed; otherwise, a NO
displays.
The output of the auth profiles
command does not display any access tokens. To display an access token, see Get information about a configuration profile.
Configuration profiles are stored in the file ~/.databrickscfg
on Linux or macOS, or %USERPROFILE%\.databrickscfg
on Windows by default. You can change the default path of this file by setting the environment variable DATABRICKS_CONFIG_FILE
. To learn how to set environment variables, see your operating system’s documentation.
To create configuration profiles, see the configure command group.
Get information about a configuration profile
To get information about an existing configuration profile, run the auth env
command, where <profile-name>
represents the name of the profile, and <account-or-workspace-url>
represents the Azure Databricks account console URL or the Azure Databricks workspace URL, as follows:
databricks auth env --profile <profile-name>
# Or:
databricks auth env --host <account-or-workspace-url>
Tip
You can press Tab
after --profile
or -p
to display a list of existing available configuration profiles to choose from, instead of entering the configuration profile name manually.
For example, here is the output for a profile that is configured with Azure Databricks access token authentication:
{
"env": {
"DATABRICKS_AUTH_TYPE": "pat",
"DATABRICKS_CONFIG_PROFILE": "<profile-name>",
"DATABRICKS_HOST": "<workspace-url>",
"DATABRICKS_TOKEN": "<token-value>"
}
}
Note
If more than one profile matches the --host
value, an error displays, stating that it cannot find a single matching profile. For example, you might have one profile that has only a host value and another profile that has the same host value but also a token value. In this case, the Databricks CLI does not choose a profile and stops. To help the Databricks CLI choose the desired profile, try specifying a different --host
value. For --host
values that are account console URLs, try specifying an --account-id
value instead of a --host
value.
To create a configuration profile, see the configure command group.
Authenticate with OAuth
Instead of authenticating with Azure Databricks by using access tokens and configuration profiles, you can use OAuth user-to-machine (U2M) authentication. OAuth provides tokens with faster expiration times than Azure Databricks personal access tokens, and offers better server-side session invalidation and scoping. Because OAuth access tokens expire in less than an hour, this reduces the risk associated with accidentally checking tokens into source control. See Authenticate access to Azure Databricks with a user account using OAuth (OAuth U2M).
To configure and set up OAuth U2M authentication, see OAuth user-to-machine (U2M) authentication.
Get OAuth access token details
If you want to see information about the cached OAuth access token that the Databricks CLI previously generated for an Azure Databricks workspace, run the auth token
command, where <workspace-url>
represents the Azure Databricks workspace’s URL, as follows:
databricks auth token <workspace-url>
Output:
{
"access_token": "<token-value>",
"token_type": "Bearer",
"expiry": "<token-expiration-date-time>"
}
Get authentication details
To get details about the configuration that the Databricks CLI is using to authenticate, run the auth describe
command.
If no options are specified, the auth describe
command follows the Default methods for client unified authentication.
databricks auth describe
Output:
Host: https://<workspace-instance-name>
User: <user-name>@<domain>
Authenticated with: <authentication-type>
-----
Current configuration:
✓ host: https://<workspace-instance-name> (from <path>/<to>/.databrickscfg config file)
✓ profile: default
✓ auth_type: <authentication-type> (from <path>/<to>/.databrickscfg config file)
To specify that information about a specific Azure Databricks workspace is used, specify the --host
option along with the workspace’s URL.
databricks auth describe --host https://<workspace-instance-name>
Output:
Host: https://<workspace-instance-name>
User: <user-name>@<domain>
Authenticated with: <authentication-type>
-----
Current configuration:
✓ host: https://<workspace-instance-name> (from --host flag)
✓ profile: default
✓ auth_type: <authentication-type>
To specify that information about a specific Azure Databricks account is used, specify the --host
option along with the Azure Databricks account console URL, https://accounts.azuredatabricks.net.
databricks auth describe --host <account-console-url>
Output:
Host: <account-console-url>
User: <user-name>@<domain>
AccountId: <account-id>
Authenticated with: <authentication-type>
-----
Current configuration:
✓ host: <account-console-url> (from --host flag)
✓ account_id: <account-id>
✓ profile: default
✓ auth_type: <authentication-type>
To specify that information about a specific Azure Databricks configuration profile is used, specify the -p
or --profile
option along with the profile’s name.
databricks auth describe -p <profile-name>
Output:
Host: https://<workspace-instance-name>
User: <user-name>@<domain>
Authenticated with: <authentication-type>
-----
Current configuration:
✓ host: https://<workspace-instance-name> (from <path>/<to>/.databrickscfg config file)
✓ token: ******** (from <path>/<to>/.databrickscfg config file)
✓ profile: <profile-name> (from --profile flag)
✓ auth_type: <authentication-type>
To include sensitive information in the output (such as Azure Databricks personal access tokens and client secrets), specify the --sensitive
option.
databricks auth describe --sensitive
Output:
Host: https://<workspace-instance-name>
User: <user-name>@<domain>
Authenticated with: pat
-----
Current configuration:
✓ host: https://<workspace-instance-name> (from <path>/<to>/.databrickscfg config file)
✓ token: <token-value> (from <path>/<to>/.databrickscfg config file)
✓ profile: <profile-name>
✓ auth_type: pat