- Create a service principal and configure authentication
- Retrieve SQL warehouse connection details
- Grant permissions
- Configure your data connection in Datafold
Create a service principal and configure authentication
Create a dedicated service principal for the Datafold integration. This is the identity Datafold will use to connect to your workspace.- Go to Settings → Identity and access → Service principals
- Click Add service principal and give it a name (e.g.,
datafold) - Select the service principal, go to the Secrets tab, and click Generate secret
- Save the Client ID and Secret — the secret is only shown once
OAuth secrets are valid for up to 730 days. You can have a maximum of 5 active secrets per service principal. Rotate secrets before expiry to avoid connection interruptions.
Datafold also supports Personal Access Tokens as an alternative authentication method. PATs are considered legacy by Databricks — see the Databricks authentication documentation for details.
Retrieve SQL warehouse connection details
Navigate to SQL Warehouses under the SQL section in the left sidebar. Choose the preferred warehouse and copy the following fields from its Connection Details tab:- Server hostname
- HTTP path
- On the warehouse page, click the Permissions tab
- Add the service principal and grant Can Use permission
Grant permissions
Run the following SQL statements to grant Datafold the permissions it needs. Replace<catalog_name> and <service_principal_id> with your values. Replace <schema_name> with the schema where you want to store the DMA bundle volume (e.g., default).
The
<service_principal_id> is the application ID (also called Client ID) of your service principal. In Databricks SQL, service principal identifiers must be enclosed in backticks.(Optional) Additional grant for migrations
If you use Datafold to run migrations (its agents deploy and run Databricks Asset Bundles on this connection), also grant permission to create schemas. Each migration run materializes into a fresh schema created at deploy time. This is not needed for data diffing, monitoring, or lineage.Authentication for migrations depends on the method. A service principal using M2M OAuth needs no additional token scope. If you use a Personal Access Token (legacy) instead, it must have the
all-apis scope, because bundle deployment uploads files via the Databricks workspace-files API, which Databricks gates on all-apis even when narrower scopes are present.Configure in Datafold
Select M2M OAuth / Service Principal (Recommended) as the authentication method and fill in the following fields:| Field | Description |
|---|---|
| Connection name | A name for this data connection within Datafold |
| Host | The Server hostname from the warehouse Connection Details tab |
| HTTP path | The HTTP path from the warehouse Connection Details tab |
| Authentication method | Select M2M OAuth / Service Principal (Recommended) |
| Client ID | The Client ID of the service principal |
| Client Secret | The secret generated in the authentication step |
| Catalog | The default catalog name (e.g., hive_metastore or your Unity Catalog name) |
| Schema path for temporary tables | The temp schema as <catalog_name>.datafold_tmp (e.g., demo.datafold_tmp) |
