Skip to content

Commit 9f261b6

Browse files
claudespiceclaudespice
authored
docs: Document Databricks U2M (User-to-Machine) OAuth authentication (#1680)
1 parent d3ca431 commit 9f261b6

1 file changed

Lines changed: 25 additions & 2 deletions

File tree

  • website/docs/components/data-connectors/databricks

website/docs/components/data-connectors/databricks/index.md

Lines changed: 25 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -74,8 +74,8 @@ Use the [secret replacement syntax](../secret-stores/) to reference a secret, e.
7474
| `client_timeout` | Optional. Specifies timeout for HTTP operations. In `delta_lake` mode, applies to object store operations. In `sql_warehouse` mode, applies per-HTTP-call (statement submit, status poll, chunk fetch) — not total query duration. Default: `30s`. E.g. `client_timeout: 2m` |
7575
| `connect_timeout` | Optional. Timeout for establishing TCP/TLS connections. Applies in `sql_warehouse` mode. Default: `10s`. E.g. `connect_timeout: 15s` |
7676
| `databricks_token` | The Databricks API token to authenticate with the Unity Catalog API. Can't be used with `databricks_client_id` and `databricks_client_secret`. |
77-
| `databricks_client_id` | The Databricks Service Principal Client ID. Can't be used with `databricks_token`. |
78-
| `databricks_client_secret` | The Databricks Service Principal Client Secret. Can't be used with `databricks_token`. |
77+
| `databricks_client_id` | The Databricks OAuth client ID. Used with `databricks_client_secret` for service-principal (M2M) auth, or alone for interactive User-to-Machine (U2M) auth. Can't be used with `databricks_token`. |
78+
| `databricks_client_secret` | The Databricks Service Principal Client Secret. Required for M2M auth; omit for U2M auth. Can't be used with `databricks_token`. |
7979

8080
#### SQL Warehouse tuning
8181

@@ -126,6 +126,29 @@ datasets:
126126
databricks_client_secret: ${secrets:DATABRICKS_CLIENT_SECRET} # service principal client secret
127127
```
128128

129+
### User-to-Machine (U2M) OAuth
130+
131+
Spice supports the User-to-Machine (U2M) OAuth flow for interactive sign-in against Databricks. To use U2M auth, supply only `databricks_client_id` (without `databricks_token` or `databricks_client_secret`).
132+
133+
When U2M auth is configured, the connector defers initialization until first use. On the first query the runtime opens a browser to complete the Databricks OAuth sign-in, then caches and refreshes the resulting token for subsequent requests.
134+
135+
To learn more about how to set up U2M OAuth, see the [Databricks U2M OAuth docs](https://docs.databricks.com/aws/en/dev-tools/auth/oauth-u2m).
136+
137+
:::note
138+
U2M auth is supported with `mode: delta_lake` and `mode: sql_warehouse`. It is not supported with `mode: spark_connect` — use a personal access token or service principal credentials when querying through Spark Connect.
139+
:::
140+
141+
```yaml
142+
datasets:
143+
- from: databricks:spiceai.datasets.my_awesome_table
144+
name: my_awesome_table
145+
params:
146+
mode: sql_warehouse
147+
databricks_endpoint: dbc-a1b2345c-d6e7.cloud.databricks.com
148+
databricks_sql_warehouse_id: 2b4e24cff378fb24
149+
databricks_client_id: ${secrets:DATABRICKS_CLIENT_ID} # OAuth app client id
150+
```
151+
129152
## Delta Lake object store parameters
130153

131154
Configure the connection to the object store when using `mode: delta_lake`. Use the [secret replacement syntax](../secret-stores/) to reference a secret, e.g. `${secrets:aws_access_key_id}`.

0 commit comments

Comments
 (0)