Azure Databricks activities now support Managed Identity authentication

Published Nov 23 2020 03:27 AM by Microsoft

Azure Databricks supports Azure Active Directory (AAD) tokens (GA) for authenticating to REST API 2.0. With AAD token support, Azure Data Factory can authenticate to Azure Databricks using its system-assigned Managed Identity, which is a more secure mechanism than storing a token in the factory.


Benefits of using Managed identity authentication:

  • Managed identities eliminate the need for data engineers to manage credentials: the Azure resource gets an identity in Azure AD and uses it to obtain Azure AD tokens. In our case, Data Factory obtains the tokens using its Managed Identity and calls the Databricks REST APIs.
  • It lets you provide fine-grained access control to particular Data Factory instances using Azure AD.
  • It helps avoid Databricks Personal Access Tokens, which act as passwords and must be treated with care, placing additional responsibility on data engineers to secure them.

Previously, you could retrieve the Databricks Personal Access Token from Key Vault using Managed Identity. Now you can use Managed Identity directly in the Databricks linked service, removing Personal Access Tokens entirely.


High-level steps on getting started:

  1. Grant the Data Factory instance 'Contributor' permissions in Azure Databricks Access Control.
    [Screenshots: databricks-grant-access-to-adf-msi-1.jpg, databricks-grant-access-to-adf-msi-2.jpg]
  2. Create a new 'Azure Databricks' linked service in the Data Factory UI, select the Databricks workspace from step 1, and select 'Managed service identity' under authentication type.
    [Screenshot: databricks-grant-access-to-adf-msi-3.jpg]


Note: If no dropdowns are populated under 'workspace id' even after you have successfully granted the permissions (Step 1), toggle between the cluster types.


Sample Linked Service payload:


{
    "name": "AzureDatabricks_ls",
    "type": "Microsoft.DataFactory/factories/linkedservices",
    "properties": {
        "annotations": [],
        "type": "AzureDatabricks",
        "typeProperties": {
            "domain": "https://adb-***.*.azuredatabricks.net",
            "authentication": "MSI",
            "workspaceResourceId": "/subscriptions/******-3ab0-48f2-b171-0f50ec******/resourceGroups/work-rg/providers/Microsoft.Databricks/workspaces/databricks-****",
            "existingClusterId": "****-030259-dent495"
        }
    }
}


Note: There are no secrets or personal access tokens in the linked service definitions!
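The note above is something you can check mechanically across a factory's exported linked-service definitions. The following audit script is an added example, not code from the original post; it assumes the ADF property names `"authentication": "MSI"` with `"workspaceResourceId"` (as in the sample payload) and `"accessToken"` for the PAT-based variants (inline SecureString or an AzureKeyVaultSecret reference), and uses constructed sample definitions with placeholder ids.

```python
"""Audit ADF linked-service definitions for how they authenticate to Databricks.
Added example, not code from the original post. Assumed ADF property names:
"authentication": "MSI" + "workspaceResourceId" (managed identity, as in the
post's sample) and "accessToken" (personal access token, inline SecureString
or AzureKeyVaultSecret reference, the pre-MSI options the post describes)."""

REQUIRED_MSI_PROPS = ("domain", "workspaceResourceId")

def classify_auth(linked_service):
    """msi | msi-incomplete | pat-keyvault | pat-inline | unknown | not-databricks."""
    props = linked_service.get("properties", {})
    if props.get("type") != "AzureDatabricks":
        return "not-databricks"
    tp = props.get("typeProperties", {})
    if tp.get("authentication") == "MSI":
        # MSI needs the workspace ARM id so ADF can request a token for it.
        missing = [p for p in REQUIRED_MSI_PROPS if not tp.get(p)]
        return "msi" if not missing else "msi-incomplete"
    token = tp.get("accessToken")
    if isinstance(token, dict):
        if token.get("type") == "AzureKeyVaultSecret":
            return "pat-keyvault"   # PAT still exists, only its storage moved
        if token.get("type") == "SecureString":
            return "pat-inline"     # PAT embedded in the factory definition
    return "unknown"

def audit(definitions):
    """Name -> finding for every Databricks linked service not on managed identity."""
    findings = {}
    for ls in definitions:
        kind = classify_auth(ls)
        if kind not in ("msi", "not-databricks"):
            findings[ls.get("name", "<unnamed>")] = kind
    return findings

DOMAIN = "https://adb-PLACEHOLDER.azuredatabricks.net"  # constructed placeholder
SAMPLES = [  # constructed sample definitions, placeholder ids, not real resources
    {"name": "dbx_msi", "properties": {"type": "AzureDatabricks", "typeProperties": {
        "domain": DOMAIN, "authentication": "MSI", "workspaceResourceId":
        "/subscriptions/PLACEHOLDER/resourceGroups/work-rg/providers/"
        "Microsoft.Databricks/workspaces/dbx-PLACEHOLDER"}}},
    {"name": "dbx_msi_broken", "properties": {"type": "AzureDatabricks",
        "typeProperties": {"domain": DOMAIN, "authentication": "MSI"}}},
    {"name": "dbx_kv", "properties": {"type": "AzureDatabricks", "typeProperties": {
        "domain": DOMAIN, "accessToken": {"type": "AzureKeyVaultSecret",
        "store": {"referenceName": "kv_ls"}, "secretName": "dbx-pat"}}}},
    {"name": "dbx_inline", "properties": {"type": "AzureDatabricks", "typeProperties": {
        "domain": DOMAIN, "accessToken": {"type": "SecureString", "value": "dapi-PLACEHOLDER"}}}},
]
```

Run `audit(SAMPLES)` to get the three definitions that still need attention: the incomplete MSI one and the two PAT-based ones, which are the candidates to migrate to the payload shown above.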

3 Comments
Hi, is "Contributor" role necessary on the Azure Databricks instance? Is there any other role with lower privileges that can be used to provision access to the data factory MSI?

@v-reprav You can also add the ADF Managed Identity directly to the Databricks workspace using the Service Principal endpoint of the SCIM API (https://docs.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/scim/scim-sp). This avoids granting the Managed Identity the Contributor role.

@AnnaDatabricks I've added the ADF managed identity to the Databricks workspace admin group using the SCIM endpoint, but that is not (yet) enough for ADF to be able to trigger notebook execution.
Version history: last updated Nov 23 2020 05:58 AM