Create a Databricks service principal in your Databricks account

Question

My team is currently using Databricks personal access token to deploy Databricks Asset Bundle (DAB). We would like to use service principal as a long term solution. I came accross this Databricks link link on how to provision a service principal.

What I don't understand in this tutorial is Step 4. In order to create a Databricks personal access token for the Databricks service principal, one needs to use its own personal access token to create one. What happens if the person leaves, will its token still be valid or is it required to create a new Databricks personal access token for the Databricks service principal?

Answer 1

I don't believe the token will expire. The point is that the "person" (likely an administrative role) creates the token on behalf of the service principal.

The other option is creating an OAuth secret for the service principal. Because when you try to deploy the bundle, you will need to deploy on behalf of that service principal (if you want to have the job run as the service principal). This would require you to have the client_id and client_secret specified in your databricks config file on your machine.

Answer 2

In step 4 the credentials of the administrator executing the command to generate a the personal access token (PAT) for the service principal are used. However, the resulting PAT that will identify the service principal not the administrator who created it. It will be valid until/unless its lifetime expires.