Setting Up OAuthClient Authentication
Lakebase supports the OAuth 2.0 standard, which allows service accounts to access Lakebase resources directly without requiring any specific user to grant access. The connector facilitates this OAuth exchange to obtain and refresh access tokens on the service principal's behalf.
Note: To learn more about managing OAuth connections in Lakebase, see "Authorize unattended access to Databricks resources with a service principal using OAuth" in the Databricks documentation.
Process Summary
Setting up OAuthClient authentication entails the following steps:
- Creating and configuring a new service principal
- Assigning permissions to the service principal
- Creating an OAuth secret for the service principal
Create the Service Principal
To create a new service principal in a Databricks Lakebase workspace:
- As a workspace admin, log in to the Databricks Lakebase workspace.
- At the top bar of the workspace, click your username.
- Select Settings.
- Click the Identity and access tab.
- Next to Service principals, click Manage.
- Click Add service principal.
- At the search box, click the drop-down arrow.
- Select Add new.
- Enter a name for the new service principal.
- Click Add.
The service principal is added to both your workspace and the Databricks Lakebase account.
For further information, see Add service principals to your account.
Assign Permissions
To assign the necessary permissions to the new service principal:
- To open the details page of the new service principal, click its name.
- On the Configurations tab, check the box next to each entitlement that you want your service principal to have for this workspace.
- To save the new entitlements, click Update.
- On the Permissions tab, grant access to any Databricks users, service principals, and groups that you want to manage and use this service principal.
For further information, see Manage roles on a service principal.
Create an OAuth Secret
Before you can use OAuth to authorize access to your database resources, you must first create an OAuth secret. The OAuth secret is used to generate OAuth access tokens for authentication. OAuth secrets have a maximum lifetime of two years. A service principal can have up to five OAuth secrets.
As either an account admin or a workspace admin:
- At the new service principal's details page, in the Developer Service Principal section, click the Secrets tab.
- Under OAuth secrets, click the Generate secret button.
- Enter the desired lifetime for the secret in days, up to a maximum of 730 days (two years). The admin console displays updated details about the new service principal, including the OAuth secret and the Client ID (which is the same as the service principal's application ID).
- Record the Secret and Client ID for later use. The secret is only revealed once, so be sure to save this information in a safe place.
Note: To learn more about managing OAuth connections in Lakebase, see "Enable or Disable OAuth" in the Databricks Lakebase documentation.
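The exchange the connector performs on the service principal's behalf, shown as an added example (not code from the page or from the connector itself): the recorded Client ID and OAuth secret are presented once, as HTTP Basic credentials, in an OAuth 2.0 client-credentials request; the short-lived access token that comes back is cached and the exchange is re-run shortly before it expires, so the long-lived secret itself is never sent on every call. Assumptions not stated on the page: the token endpoint path `/oidc/v1/token`, the form parameters `grant_type=client_credentials` and `scope=all-apis` (as documented for Databricks OAuth machine-to-machine access; verify against the linked documentation), the environment variable names `LAKEBASE_OAUTH_CLIENT_ID` / `LAKEBASE_OAUTH_CLIENT_SECRET`, and the constructed token responses used in the offline walk-through.

```python
"""Client-credentials token helper for a Databricks/Lakebase service principal.

Added example, not part of the original page or the connector's own code.
Assumptions (not on the page): the token endpoint path `/oidc/v1/token`, the
form parameters `grant_type=client_credentials` and `scope=all-apis`, and the
environment variable names read in token_source_from_env().
"""
import base64
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Refresh this many seconds before the access token actually expires, so an
# in-flight database call never presents a token that is about to lapse.
REFRESH_MARGIN_SECONDS = 60


def databricks_token_fetcher(workspace_url: str, client_id: str, client_secret: str) -> Callable[[], dict]:
    """Build a fetcher that performs the OAuth 2.0 client-credentials exchange.

    The Client ID (the service principal's application ID) and the OAuth secret
    are sent as HTTP Basic credentials on the token request only; the returned
    bearer access token is what the connector presents to Lakebase.
    """
    token_url = workspace_url.rstrip("/") + "/oidc/v1/token"  # assumed endpoint path
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "all-apis"}).encode()

    def fetch() -> dict:
        req = urllib.request.Request(token_url, data=body, method="POST")
        req.add_header("Authorization", f"Basic {basic}")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return fetch


class ServicePrincipalTokenSource:
    """Caches an access token and re-runs the exchange shortly before it expires."""

    def __init__(self, fetcher: Callable[[], dict], clock: Callable[[], float] = time.monotonic):
        self._fetcher = fetcher
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.exchanges = 0  # how many times the secret was actually sent

    def access_token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN_SECONDS:
            payload = self._fetcher()
            if payload.get("token_type", "").lower() != "bearer" or "access_token" not in payload:
                raise RuntimeError("token endpoint did not return a bearer access token")
            self._token = payload["access_token"]
            # A missing expires_in is treated as already stale, never cached indefinitely.
            self._expires_at = now + float(payload.get("expires_in", 0))
            self.exchanges += 1
        return self._token


def token_source_from_env(workspace_url: str) -> ServicePrincipalTokenSource:
    """Read the recorded Client ID and secret from the environment, not from source code."""
    client_id = os.environ["LAKEBASE_OAUTH_CLIENT_ID"]          # assumed variable name
    client_secret = os.environ["LAKEBASE_OAUTH_CLIENT_SECRET"]  # assumed variable name
    return ServicePrincipalTokenSource(databricks_token_fetcher(workspace_url, client_id, client_secret))


def _fake_exchange_demo() -> tuple:
    """Offline walk-through with constructed token responses and a fake clock."""
    fake_now = [1000.0]
    responses = iter([
        {"access_token": "tok-A", "token_type": "Bearer", "expires_in": 3600},  # constructed
        {"access_token": "tok-B", "token_type": "Bearer", "expires_in": 3600},  # constructed
    ])
    src = ServicePrincipalTokenSource(lambda: next(responses), clock=lambda: fake_now[0])
    first = src.access_token()   # exchange #1: tok-A, valid until t=4600
    fake_now[0] += 3000          # t=4000, well inside the lifetime: cached token reused
    second = src.access_token()
    fake_now[0] += 599           # t=4599, inside the 60 s refresh margin: exchange #2
    third = src.access_token()
    return first, second, third, src.exchanges


if __name__ == "__main__":
    print(_fake_exchange_demo())  # ('tok-A', 'tok-A', 'tok-B', 2)
```

The demo function stands in for the network: it feeds constructed responses and a fake clock into the same `ServicePrincipalTokenSource` that `token_source_from_env` builds for real use, which is how you would unit-test the refresh logic without a workspace. Keeping the secret in the environment (or a secrets manager) matches the page's advice that it is revealed only once, and the `exchanges` counter makes it easy to confirm the secret is presented only when a fresh token is actually needed.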