website/docs/cli/reference/login.md
+59Lines changed: 59 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -45,3 +45,62 @@ spice login
45
45
```shell
46
46
spice login --key <API_KEY>
47
47
```
48
+
49
+
## `spice cloud login`
50
+
51
+
Authenticate with the Spice Cloud Platform. Running `spice cloud login` without a subcommand opens an interactive method chooser when stdin is a TTY. Non-interactive callers must specify a method explicitly.
52
+
53
+
### Methods
54
+
55
+
#### `spice cloud login subscription`
56
+
57
+
Browser-based OAuth login flow. Automatically opens a browser for authentication.
58
+
59
+
```shell
60
+
spice cloud login subscription
61
+
```
62
+
63
+
Use `--device` to print the URL and one-time code without opening a browser (useful for SSH/headless environments):
64
+
65
+
```shell
66
+
spice cloud login subscription --device
67
+
```
68
+
69
+
#### `spice cloud login pat`
70
+
71
+
Authenticate with a personal access token.
72
+
73
+
```shell
74
+
spice cloud login pat --token <TOKEN>
75
+
```
76
+
77
+
The token can also be provided via the `SPICE_CLOUD_PAT` environment variable:
78
+
79
+
```shell
80
+
export SPICE_CLOUD_PAT=<TOKEN>
81
+
spice cloud login pat
82
+
```
83
+
84
+
#### `spice cloud login api`
85
+
86
+
Authenticate using OAuth2 client credentials for CI/automation workflows.
87
+
88
+
```shell
89
+
spice cloud login api --client-id <CLIENT_ID> --client-secret <CLIENT_SECRET>
90
+
```
91
+
92
+
Credentials can also be provided via environment variables:
93
+
94
+
```shell
95
+
export SPICE_CLOUD_CLIENT_ID=<CLIENT_ID>
96
+
export SPICE_CLOUD_CLIENT_SECRET=<CLIENT_SECRET>
97
+
spice cloud login api
98
+
```
99
+
100
+
### Environment Variables
101
+
102
+
| Variable | Used by | Description |
103
+
| --- | --- | --- |
104
+
|`SPICE_CLOUD_PAT`|`login pat`| Personal access token |
105
+
|`SPICE_CLOUD_CLIENT_ID`|`login api`| OAuth2 client ID |
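Review bot: The `spice cloud login pat --token <TOKEN>` and `spice cloud login api --client-id <CLIENT_ID> --client-secret <CLIENT_SECRET>` examples put the secret on the command line, where it ends up in shell history and is visible in the process list to other local users. Since the `api` method is described as being for CI/automation workflows, suggest showing the `SPICE_CLOUD_PAT` and `SPICE_CLOUD_CLIENT_SECRET` environment-variable form first and adding a sentence that it is preferred over the flags. The introduction also says non-interactive callers must specify a method explicitly but does not say what happens when they do not; one sentence on the resulting error would help people scripting this.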
website/docs/components/data-accelerators/cayenne/index.md
+2-2Lines changed: 2 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -418,6 +418,7 @@ Cayenne (via Vortex) supports most Arrow data types with the following considera
418
418
- Timestamps (normalized to Microsecond precision)
419
419
- Date32 and Date64
420
420
- Lists and FixedSizeLists
421
+
- Maps
421
422
- Structs
422
423
423
424
### Automatically Converted Types
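Review bot: The new `- Maps` entry in the supported list does not say how a map is handled when its key or value type is one of the types that still require `unsupported_type_action` (`Interval`, `Duration`, `FixedSizeBinary`). Suggest a short qualifier on the entry, or a sentence under the `unsupported_type_action` list, stating whether that setting also applies to types nested inside a `Map`.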
@@ -433,7 +434,6 @@ The following types require the `unsupported_type_action` parameter:
433
434
434
435
- `Interval`types
435
436
- `Duration`types
436
-
- `Map`types
437
437
- `FixedSizeBinary`
438
438
439
439
**`unsupported_type_action` options:**
@@ -504,7 +504,7 @@ Consider the following limitations when using Spice Cayenne acceleration:
504
504
505
505
- **File Mode Only**: Spice Cayenne only supports `mode: file` and does not support in-memory (`mode: memory`) acceleration.
506
506
- **S3 Express Only**: Standard S3 buckets are not supported for remote storage. Only S3 Express One Zone directory buckets are supported.
507
-
- **Unsupported Data Types**: `Interval`, `Duration`, `Map`, and `FixedSizeBinary` types require `unsupported_type_action` configuration.
507
+
- **Unsupported Data Types**: `Interval`, `Duration`, and `FixedSizeBinary` types require `unsupported_type_action` configuration.
508
508
- **No Traditional Indexes**: Spice Cayenne does not support explicit index creation via the `indexes` configuration. Vortex's segment statistics and fast random access encodings provide equivalent or better performance for most point lookup workloads.
509
509
- **No MVCC**: Multi-version concurrency control is not yet implemented. Snapshots and time-travel queries are planned for future releases.
510
510
- **No File Compaction**: Automatic file compaction to reclaim space from deleted rows is not yet available.
| `file_format` | Specifies the data format. Required if not inferrable from `from`. Options: `parquet`, `csv`. Refer to [File Formats](./#file-formats) for details. |
70
70
| `abfs_account` | Azure storage account name |
71
+
| `abfs_container_name` | Azure container name |
71
72
| `abfs_sas_string` | SAS (Shared Access Signature) Token to use for authorization |
website/docs/components/data-connectors/databricks/index.md
+25-2Lines changed: 25 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -74,8 +74,8 @@ Use the [secret replacement syntax](../secret-stores/) to reference a secret, e.
74
74
| `client_timeout` | Optional. Specifies timeout for HTTP operations. In `delta_lake` mode, applies to object store operations. In `sql_warehouse` mode, applies per-HTTP-call (statement submit, status poll, chunk fetch) — not total query duration. Default: `30s`. E.g. `client_timeout: 2m` |
75
75
| `connect_timeout` | Optional. Timeout for establishing TCP/TLS connections. Applies in `sql_warehouse` mode. Default: `10s`. E.g. `connect_timeout: 15s` |
76
76
| `databricks_token` | The Databricks API token to authenticate with the Unity Catalog API. Can't be used with `databricks_client_id` and `databricks_client_secret`. |
77
-
| `databricks_client_id` | The Databricks Service Principal Client ID. Can't be used with `databricks_token`. |
78
-
| `databricks_client_secret` | The Databricks Service Principal Client Secret. Can't be used with `databricks_token`. |
77
+
| `databricks_client_id` | The Databricks OAuth client ID. Used with `databricks_client_secret` for service-principal (M2M) auth, or alone for interactive User-to-Machine (U2M) auth. Can't be used with `databricks_token`. |
78
+
| `databricks_client_secret` | The Databricks Service Principal Client Secret. Required for M2M auth; omit for U2M auth. Can't be used with `databricks_token`. |
79
79
80
80
#### SQL Warehouse tuning
81
81
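Review bot: In the updated `databricks_client_id` and `databricks_client_secret` rows, the choice between M2M and U2M auth is made implicitly by whether the secret is present. As written, a configuration that is meant to use a service principal but is missing the secret reads as if it would be treated as interactive U2M rather than rejected. Suggest stating in the `databricks_client_secret` row what happens when the value is missing or empty, and aligning the wording: the ID row now says "OAuth client ID" while the secret row still says "Service Principal Client Secret".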
@@ -126,6 +126,29 @@ datasets:
126
126
databricks_client_secret: ${secrets:DATABRICKS_CLIENT_SECRET} # service principal client secret
127
127
```
128
128
129
+
### User-to-Machine (U2M) OAuth
130
+
131
+
Spice supports the User-to-Machine (U2M) OAuth flow for interactive sign-in against Databricks. To use U2M auth, supply only `databricks_client_id` (without `databricks_token` or `databricks_client_secret`).
132
+
133
+
When U2M auth is configured, the connector defers initialization until first use. On the first query the runtime opens a browser to complete the Databricks OAuth sign-in, then caches and refreshes the resulting token for subsequent requests.
134
+
135
+
To learn more about how to set up U2M OAuth, see the [Databricks U2M OAuth docs](https://docs.databricks.com/aws/en/dev-tools/auth/oauth-u2m).
136
+
137
+
:::note
138
+
U2M auth is supported with `mode: delta_lake` and `mode: sql_warehouse`. It is not supported with `mode: spark_connect` — use a personal access token or service principal credentials when querying through Spark Connect.
databricks_client_id: ${secrets:DATABRICKS_CLIENT_ID} # OAuth app client id
150
+
```
151
+
129
152
## Delta Lake object store parameters
130
153
131
154
Configure the connection to the object store when using `mode: delta_lake`. Use the [secret replacement syntax](../secret-stores/) to reference a secret, e.g. `${secrets:aws_access_key_id}`.
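Review bot: The sentence "then caches and refreshes the resulting token for subsequent requests" does not say where the token is cached (in memory only, or on disk), and if on disk, at which path and with what file permissions; operators need that to judge how exposed the token is on a shared host. The paragraph also only describes opening a browser on the first query, so it should say what happens when the runtime has no browser available (container, SSH session), given that `spice cloud login subscription` documents a `--device` option for that case.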
website/docs/components/data-connectors/iceberg.md
+2-2Lines changed: 2 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -114,7 +114,7 @@ SELECT COUNT(*) FROM transactions;
114
114
| `iceberg_s3_role_arn` | ARN of the IAM role to assume when accessing the S3-compatible endpoint. |
115
115
| `iceberg_s3_role_session_name` | Session name to use when assuming the IAM role. |
116
116
| `iceberg_s3_iam_role_source` | Optional. IAM role credential source. `auto` (default) uses the default AWS credential chain, `metadata` uses only instance/container metadata (IMDS, ECS, EKS/IRSA), `env` uses only environment variables. |
117
-
| `iceberg_s3_connect_timeout` | Connection timeout in seconds for the S3-compatible endpoint. Default: `60`|
117
+
| `iceberg_s3_connect_timeout` | Connection timeout in seconds for the S3-compatible endpoint. Default: `60`. **Note:** This parameter is currently accepted but has no effect — it is not consumed by any code path. |
118
118
| `iceberg_sigv4_enabled` | Enable SigV4 (AWS Signature Version 4) authentication when connecting to the catalog. Automatically enabled if the URL in `from` is an AWS Glue catalog. Default: `false`|
119
119
| `iceberg_signing_region` | Region to use for SigV4 authentication. Extracted from the URL in `from` if not specified. |
120
120
| `iceberg_signing_name` | Service name to use for SigV4 authentication. Default: `glue`. |
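Review bot: The updated `iceberg_s3_connect_timeout` row keeps "Default: `60`" next to a note saying the parameter has no effect, which contradicts itself: a reader can still conclude that a 60-second connect timeout is enforced. Suggest dropping the default from the row while the parameter is not consumed, and saying which timeout, if any, actually applies to connections to the S3-compatible endpoint.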
@@ -264,7 +264,7 @@ INSERT INTO my_table
264
264
SELECT * FROM source_table;
265
265
```
266
266
267
-
Inserting into partitioned Iceberg tables is supported. `UPDATE` and `DELETE` operations are not currently supported.
267
+
Inserting into partitioned Iceberg tables is supported. `DELETE FROM` is supported via equality delete files. `UPDATE` operations are not currently supported.
268
268
269
269
Write operations require `s3:PutObject` permission on the target S3 bucket in addition to the read permissions listed above. For more details, see [Data Ingestion](../../features/data-ingestion).
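Review bot: The new sentence says `DELETE FROM` is supported via equality delete files, but the unchanged paragraph after it still lists only `s3:PutObject` as the extra permission for write operations. Suggest stating explicitly whether `DELETE FROM` needs any permission beyond `s3:PutObject`, so that operators scoping a least-privilege IAM policy for the bucket do not have to guess.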