Set an unlimited lifetime for a service principal access token

Configure an extended or unlimited lifetime for a service principal access token.

Written by monica.cao

Last published at: February 29th, 2024
Info

This article applies to clusters using Databricks Runtime 11.2 and above on AWS.

You are using Databricks service principals to delegate permissions to automated tools and systems. In order to secure the service principals, Databricks recommends creating an access token for the service principal.

Please review the create a Databricks access token for a Databricks service principal documentation for more information.

You should also review the manage service principals and personal access tokens documentation which covers using service principals with Partner Connect.

By default, the access token has a limited lifespan. The lifespan is set in seconds by the lifetime_seconds field of the JSON block sent to the Token Management API when creating the access token for the service principal.

{
  "application_id": "<application-id>",
  "comment": "<comment>",
  "lifetime_seconds": 1209600
}

Instructions

There are some use cases, such as setting up an automation pipeline, where you may want the service principal to have an access token with a long expiration.

Warning

Although it is possible to configure service principals with access tokens that do not expire, it is not recommended for standard use cases. Access tokens that do not expire do not follow security best practices. They may also cause issues during a compliance audit.

Long life access token

To configure a service principal access token with a long lifetime, determine the number of days the token needs to be active and multiply it by 86400, the number of seconds in one day.

For example, if you want an access token to last for 30 days, set the lifetime to 2592000 (30 x 86400) seconds when creating the access token.

{
  "application_id": "<application-id>",
  "comment": "<comment>",
  "lifetime_seconds": 2592000
}

Unlimited life access token

To configure a service principal access token that does not expire, set the lifetime to -1 seconds when creating the access token.

{
  "application_id": "<application-id>",
  "comment": "<comment>",
  "lifetime_seconds": -1
}
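The following is an added example, not code from the original article or from Databricks. It builds the request body shown above from a number of days, refuses a non-expiring token unless that is requested explicitly, and audits a token listing for tokens that never expire or outlive a policy cap. The max_days cap, the function names, the sample data, and the listing fields creation_time and expiry_time (epoch milliseconds, -1 for no expiry) are assumptions.

```python
SECONDS_PER_DAY = 86400  # value used in the article
NO_EXPIRY = -1           # lifetime_seconds value the article gives for "does not expire"


def token_request_body(application_id, comment, days=None, max_days=90,
                       allow_no_expiry=False):
    """Build the JSON body; days=None means a non-expiring token.

    max_days is a hypothetical local policy cap, not a Databricks setting.
    """
    if days is None:
        if not allow_no_expiry:
            raise ValueError("non-expiring token requires allow_no_expiry=True")
        lifetime = NO_EXPIRY
    else:
        if isinstance(days, bool) or not isinstance(days, int) or days <= 0:
            raise ValueError("days must be a positive integer")
        if days > max_days:
            raise ValueError(f"{days} days exceeds policy cap of {max_days}")
        lifetime = days * SECONDS_PER_DAY
    return {"application_id": application_id, "comment": comment,
            "lifetime_seconds": lifetime}


def audit_tokens(token_infos, max_days=90):
    """Return (token_id, reason) for tokens that never expire or outlive max_days."""
    findings = []
    for info in token_infos:
        # Assumed listing shape: times in epoch milliseconds, -1 = no expiry.
        if info["expiry_time"] == NO_EXPIRY:
            findings.append((info["token_id"], "never expires"))
            continue
        life_days = (info["expiry_time"] - info["creation_time"]) / 1000 / SECONDS_PER_DAY
        if life_days > max_days:
            findings.append((info["token_id"], f"lifetime {life_days:.0f} days"))
    return findings


# Constructed sample listing (not real tokens): 30 days, no expiry, 365 days.
SAMPLE = [
    {"token_id": "tok-a", "creation_time": 1700000000000, "expiry_time": 1702592000000},
    {"token_id": "tok-b", "creation_time": 1700000000000, "expiry_time": -1},
    {"token_id": "tok-c", "creation_time": 1700000000000, "expiry_time": 1731536000000},
]

if __name__ == "__main__":
    print(token_request_body("<application-id>", "<comment>", days=30))
    print(audit_tokens(SAMPLE))
```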