Note
This information applies to Databricks CLI versions 0.205 and above. The Databricks CLI is in Public Preview.
Databricks CLI use is subject to the Databricks License and Databricks Privacy Notice, including any Usage Data provisions.
The auth command group within the Databricks CLI contains authentication-related commands, including the following:
- List any available authentication configuration profiles.
- Get information about an individual authentication configuration profile.
- Use OAuth user-to-machine (U2M) authentication to authenticate the Databricks CLI with your Azure Databricks accounts and workspaces.
- Get information about any OAuth access tokens that the Databricks CLI might have cached.
- Get details about the configuration that the Databricks CLI is using to authenticate.
Tip
To get information about the current Databricks CLI user, run databricks current-user me.
databricks auth describe
Describes the configuration that the Databricks CLI is using to authenticate, including the credentials and the source of those credentials. If no options are specified, the auth describe command follows the Default methods for client unified authentication.
databricks auth describe [flags]
Options
--sensitive
Include sensitive fields like passwords and tokens in the output
Examples
The following example describes the current authentication configuration:
databricks auth describe
Host: https://<workspace-instance-name>
User: <user-name>@<domain>
Authenticated with: <authentication-type>
-----
Current configuration:
✓ host: https://<workspace-instance-name> (from <path>/<to>/.databrickscfg config file)
✓ profile: default
✓ auth_type: <authentication-type> (from <path>/<to>/.databrickscfg config file)
To specify that information about a specific Azure Databricks workspace is used, specify the --host option along with the workspace's URL.
databricks auth describe --host https://<workspace-instance-name>
Host: https://<workspace-instance-name>
User: <user-name>@<domain>
Authenticated with: <authentication-type>
-----
Current configuration:
✓ host: https://<workspace-instance-name> (from --host flag)
✓ profile: default
✓ auth_type: <authentication-type>
To specify that information about a specific Azure Databricks account is used, specify the --host option along with the Azure Databricks account console URL, https://accounts.azuredatabricks.net.
databricks auth describe --host <account-console-url>
Host: <account-console-url>
User: <user-name>@<domain>
AccountId: <account-id>
Authenticated with: <authentication-type>
-----
Current configuration:
✓ host: <account-console-url> (from --host flag)
✓ account_id: <account-id>
✓ profile: default
✓ auth_type: <authentication-type>
To specify that information about a specific Azure Databricks configuration profile is used, specify the -p or --profile option along with the profile's name:
databricks auth describe -p TEST
Host: https://<workspace-instance-name>
User: <user-name>@<domain>
Authenticated with: <authentication-type>
-----
Current configuration:
✓ host: https://<workspace-instance-name> (from <path>/<to>/.databrickscfg config file)
✓ token: ******** (from <path>/<to>/.databrickscfg config file)
✓ profile: TEST (from --profile flag)
✓ auth_type: <authentication-type>
To include sensitive information in the output (such as Azure Databricks personal access tokens and client secrets), specify the --sensitive option:
databricks auth describe --sensitive
Host: https://<workspace-instance-name>
User: <user-name>@<domain>
Authenticated with: pat
-----
Current configuration:
✓ host: https://<workspace-instance-name> (from <path>/<to>/.databrickscfg config file)
✓ token: <token-value> (from <path>/<to>/.databrickscfg config file)
✓ profile: <profile-name>
✓ auth_type: pat
databricks auth env
Get information about an existing configuration profile using the name of the profile or the Azure Databricks account console URL or the Azure Databricks workspace URL.
databricks auth env [flags]
Tip
You can press Tab after --profile or -p to display a list of existing available configuration profiles to choose from, instead of entering the configuration profile name manually.
To create a configuration profile, see the configure command.
Options
--host string
Hostname to get auth env for
Note
If more than one profile matches the --host value, an error displays, stating that it cannot find a single matching profile. For example, you might have one profile that has only a host value and another profile that has the same host value but also a token value. In this case, the Databricks CLI does not choose a profile and stops. To help the Databricks CLI choose the desired profile, try specifying a different --host value. For --host values that are account console URLs, try specifying an --account-id value instead of a --host value.
--profile string
Profile to get auth env for
Examples
The following example gets the default authentication environment:
databricks auth env
The following example gets the authentication environment for a specific host:
databricks auth env --host https://my-workspace.cloud.databricks.com
The output for a profile that is configured with Azure Databricks access token authentication might be:
{
"env": {
"DATABRICKS_AUTH_TYPE": "pat",
"DATABRICKS_CONFIG_PROFILE": "TEST",
"DATABRICKS_HOST": "https://my-workspace.cloud.databricks.com",
"DATABRICKS_TOKEN": "<token-value>"
}
}
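Because this output carries the token in clear text, a script that consumes it should pass the values to a child process through its environment and log only a masked copy. The following is an added example, not part of the Databricks documentation; the sample output is constructed, and the name-based rule for deciding which variables are credentials is an assumption.

```python
import json
import os
import subprocess
import sys

# Constructed sample of `databricks auth env` output, shaped like the example above.
SAMPLE_OUTPUT = """{
  "env": {
    "DATABRICKS_AUTH_TYPE": "pat",
    "DATABRICKS_CONFIG_PROFILE": "TEST",
    "DATABRICKS_HOST": "https://my-workspace.cloud.databricks.com",
    "DATABRICKS_TOKEN": "constructed-token-value"
  }
}"""

# Assumption: a variable whose name contains one of these words holds a credential.
SENSITIVE_MARKERS = ("TOKEN", "SECRET", "PASSWORD")

def parse_auth_env(output):
    """Return the "env" mapping, rejecting anything that is not string -> string."""
    data = json.loads(output)
    env = data.get("env") if isinstance(data, dict) else None
    if not isinstance(env, dict) or not all(isinstance(v, str) for v in env.values()):
        raise ValueError("unexpected auth env output")
    return env

def redact(env):
    """Copy of env that is safe to log: credential values are masked."""
    return {k: "********" if any(m in k.upper() for m in SENSITIVE_MARKERS) else v
            for k, v in env.items()}

def run_with_auth(env, argv):
    """Run argv with the credentials in its environment, never on the command line."""
    child_env = {**os.environ, **env}
    return subprocess.run(argv, env=child_env, capture_output=True, text=True, check=True)

if __name__ == "__main__":
    env = parse_auth_env(SAMPLE_OUTPUT)
    print(json.dumps(redact(env), indent=2))
    # The child process sees the token; this process never prints it.
    probe = "import os; print(len(os.environ['DATABRICKS_TOKEN']))"
    child = run_with_auth(env, [sys.executable, "-c", probe])
    print("token length seen by child:", child.stdout.strip())
```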
The following example gets the authentication environment for a specific profile:
databricks auth env --profile my-test-environment
databricks auth login
Log in to a Databricks workspace or account and save the authentication configuration in a profile (in ~/.databrickscfg by default). The profile can then be used to authenticate other Databricks CLI commands using the --profile flag. The profile can also be used to authenticate other Databricks tools that support Databricks unified client authentication, including the Databricks Python, Java, and Go SDKs.
databricks auth login HOST [flags]
This command requires a Databricks host URL (using --host or as a positional argument or implicitly inferred from the specified profile name) and a profile name (using --profile) to be specified. If you don't specify these values, you'll be prompted for values at runtime.
While this command always logs you into the specified host, the behavior depends on the existing profiles you have set in your configuration file (at ~/.databrickscfg by default):
- If a profile with the specified name exists and specifies a host, you'll be logged into the host specified by the profile. The profile will be updated to use "databricks-cli" as the auth type if that was not the case before.
- If a profile with the specified name exists but does not specify a host, you'll be prompted to specify a host. The profile will be updated to use the specified host. The auth type will be updated to "databricks-cli" if that was not the case before.
- If a profile with the specified name exists and specifies a host, but you specify a host using --host (or as the HOST positional arg), the profile will be updated to use the newly specified host. The auth type will be updated to "databricks-cli" if that was not the case before.
- If a profile with the specified name does not exist, a new profile will be created with the specified host. The auth type will be set to "databricks-cli".
Arguments
HOST
Databricks host URL (optional)
Options
--configure-cluster
Prompts to configure cluster
--timeout duration
Timeout for completing login challenge in the browser (default 1h0m0s)
Examples
The following example logs into a Databricks workspace:
databricks auth login
The following example logs into a specific Databricks workspace:
databricks auth login https://my-workspace.cloud.databricks.com
The following example logs in with a specific profile and configures cluster settings:
databricks auth login --profile my-profile --configure-cluster
The following example sets a custom timeout for the login process:
databricks auth login --timeout 30m
databricks auth profiles
List all available configuration profiles (at ~/.databrickscfg by default) and check whether they are valid profiles.
databricks auth profiles [flags]
This command outputs profiles in the following format:
Name Host Valid
DEFAULT https://<host-url> YES
<profile-name> https://<host-url> NO
To determine whether each profile is valid, the Databricks CLI lists workspaces for each account-level profile and runs a get current user command for each workspace-level profile. If the command succeeds, a YES is displayed; otherwise, a NO displays.
The output of the auth profiles command does not display any access tokens. To display an access token, see databricks auth env.
By default, configuration profiles are stored in the file ~/.databrickscfg on Linux or macOS, or %USERPROFILE%\.databrickscfg on Windows. You can change the default path of this file by setting the environment variable DATABRICKS_CONFIG_FILE.
To create configuration profiles, see the configure command.
Options
--skip-validate
Whether to skip validating the profiles
Examples
The following example lists all authentication profiles:
databricks auth profiles
The following example lists profiles without validating them:
databricks auth profiles --skip-validate
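The following added example (not part of the Databricks documentation) reads configuration profile text offline and reports two things: hosts shared by more than one profile, which is the condition that makes databricks auth env --host stop with an error, and profiles that store a token in the file. The sample file content is constructed, and treating hosts that differ only by case or a trailing slash as the same host is an assumption.

```python
import configparser
from collections import defaultdict

# Constructed sample of .databrickscfg content (INI format); all values are made up.
SAMPLE_CFG = """\
[DEFAULT]
host = https://my-workspace.cloud.databricks.com

[TEST]
host = https://my-workspace.cloud.databricks.com/
token = constructed-token-value

[ACCOUNT]
host = https://accounts.azuredatabricks.net
account_id = 00000000-0000-0000-0000-000000000000
auth_type = databricks-cli
"""

def load_profiles(text):
    """Parse profile text into {profile_name: {key: value}}."""
    # default_section is renamed so [DEFAULT] is read as an ordinary profile
    # instead of having its keys inherited by every other section.
    parser = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def normalize_host(host):
    # Assumption: hosts differing only by case or a trailing slash are the same target.
    return host.strip().rstrip("/").lower()

def ambiguous_hosts(profiles):
    """Return {host: [profile names]} for hosts claimed by more than one profile."""
    by_host = defaultdict(list)
    for name, keys in profiles.items():
        if keys.get("host"):
            by_host[normalize_host(keys["host"])].append(name)
    return {host: names for host, names in by_host.items() if len(names) > 1}

def profiles_with_stored_token(profiles):
    """Names of profiles that keep a token value in the file itself."""
    return sorted(name for name, keys in profiles.items() if keys.get("token"))

if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CFG)
    print("ambiguous hosts:", ambiguous_hosts(profiles))
    print("profiles with a stored token:", profiles_with_stored_token(profiles))
```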
databricks auth token
Get the authentication token from the local cache in ~/.databricks/token-cache.json. Refresh the access token if it is expired. This command only works with U2M authentication (using the databricks auth login command). M2M authentication using a client ID and secret is not supported.
databricks auth token [HOST] [flags]
To configure and set up OAuth U2M authentication, see OAuth user-to-machine (U2M) authentication.
Arguments
HOST
Databricks Host URL (optional)
Options
--account-id string
Databricks Account ID
--timeout duration
Timeout for acquiring a token. (default 1h0m0s)
Examples
The following example gets the authentication token:
databricks auth token
The following example gets the authentication token for a specific host:
databricks auth token https://my-workspace.cloud.databricks.com
The output might be:
{
"access_token": "<token-value>",
"token_type": "Bearer",
"expiry": "<token-expiration-date-time>"
}
The following example sets a custom timeout for token acquisition:
databricks auth token --timeout 30m
Global flags
--debug
Whether to enable debug logging.
-h or --help
Display help for the Databricks CLI or the related command group or the related command.
--log-file string
A string representing the file to write output logs to. If this flag is not specified then the default is to write output logs to stderr.
--log-format format
The log format type, text or json. The default value is text.
--log-level string
A string representing the log format level. If not specified then the log format level is disabled.
-o, --output type
The command output type, text or json. The default value is text.
-p, --profile string
The name of the profile in the ~/.databrickscfg file to use to run the command. If this flag is not specified then if it exists, the profile named DEFAULT is used.
--progress-format format
The format to display progress logs: default, append, inplace, or json
-t, --target string
If applicable, the bundle target to use