Access storage with Azure Active Directory
Registering an application with Azure Active Directory (Azure AD) creates a service principal you can use to provide access to Azure storage accounts. You can then configure access to these service principals using credentials stored withsecrets.
Databricks recommends using Azure Active Directory service principals scoped to clusters or SQL warehouses to configure data access. SeeConnect to Azure Data Lake Storage Gen2 and Blob StorageandEnable data access configuration.
Register an Azure Active Directory application
Registering an Azure AD applicationand assigning appropriate permissions will create a service principal that can access Azure Data Lake Storage Gen2 or Blob Storage resources.
To register an Azure AD application, you must have theApplicationAdministrator
role or theApplication.ReadWrite.All
permission in Azure Active Directory.
In the Azure portal, go to theAzure Active Directoryservice.
UnderManage, clickApp Registrations.
Click+ New registration. Enter a name for the application and clickRegister.
ClickCertificates & Secrets.
Click+ New client secret.
Add a description for the secret and clickAdd.
Copy and save the value for the new secret.
In the application registration overview, copy and save theApplication (client) IDandDirectory (tenant) ID.
Databricks recommends storing these credentials usingsecrets.
Assign roles
You control access to storage resources by assigning roles to an Azure AD application registration associated with the storage account. This example assigns theStorage Blob Data Contributorto an Azure storage account. You may need to assign other roles depending on specific requirements.
To assign roles on a storage account you must be an Owner or a user with the User Access Administrator Azure RBAC role on the storage account.
In the Azure portal, go to theStorage accountsservice.
Select an Azure storage account to use with this application registration.
ClickAccess Control (IAM).
Click+ Addand selectAdd role assignmentfrom the dropdown menu.
Set theSelectfield to the Azure AD application name and setRoletoStorage Blob Data Contributor.
ClickSave.