Skip to main content
NOTE: Datafold needs catalog-level permissions in your Databricks workspace to read and write table data, query system tables, and deploy migration bundles. You will need workspace admin access to create a service principal and grant the required permissions. Steps to complete:
  1. Create a service principal and configure authentication
  2. Retrieve SQL warehouse connection details
  3. Grant permissions
  4. Configure your data connection in Datafold

Create a service principal and configure authentication

Create a dedicated service principal for the Datafold integration. This is the identity Datafold will use to connect to your workspace.
  1. Go to SettingsIdentity and accessService principals
  2. Click Add service principal and give it a name (e.g., datafold)
  3. Select the service principal, go to the Secrets tab, and click Generate secret
  4. Save the Client ID and Secret — the secret is only shown once
OAuth secrets are valid for up to 730 days. You can have a maximum of 5 active secrets per service principal. Rotate secrets before expiry to avoid connection interruptions.
Datafold also supports Personal Access Tokens as an alternative authentication method. PATs are considered legacy by Databricks — see the Databricks authentication documentation for details.

Retrieve SQL warehouse connection details

Navigate to SQL Warehouses under the SQL section in the left sidebar. Choose the preferred warehouse and copy the following fields from its Connection Details tab:
  • Server hostname
  • HTTP path
You also need to grant the service principal access to the SQL warehouse:
  1. On the warehouse page, click the Permissions tab
  2. Add the service principal and grant Can Use permission

Grant permissions

Run the following SQL statements to grant Datafold the permissions it needs. Replace <catalog_name> and <service_principal_id> with your values. Replace <schema_name> with the schema where you want to store the DMA bundle volume (e.g., default).
The <service_principal_id> is the application ID (also called Client ID) of your service principal. In Databricks SQL, service principal identifiers must be enclosed in backticks.

(Optional) Additional grant for migrations

If you use Datafold to run migrations (its agents deploy and run Databricks Asset Bundles on this connection), also grant permission to create schemas. Each migration run materializes into a fresh schema created at deploy time. This is not needed for data diffing, monitoring, or lineage.
Authentication for migrations depends on the method. A service principal using M2M OAuth needs no additional token scope. If you use a Personal Access Token (legacy) instead, it must have the all-apis scope, because bundle deployment uploads files via the Databricks workspace-files API, which Databricks gates on all-apis even when narrower scopes are present.

Configure in Datafold

Select M2M OAuth / Service Principal (Recommended) as the authentication method and fill in the following fields:
FieldDescription
Connection nameA name for this data connection within Datafold
HostThe Server hostname from the warehouse Connection Details tab
HTTP pathThe HTTP path from the warehouse Connection Details tab
Authentication methodSelect M2M OAuth / Service Principal (Recommended)
Client IDThe Client ID of the service principal
Client SecretThe secret generated in the authentication step
CatalogThe default catalog name (e.g., hive_metastore or your Unity Catalog name)
Schema path for temporary tablesThe temp schema as <catalog_name>.datafold_tmp (e.g., demo.datafold_tmp)
Click Create. Your data connection is ready!

Validate your setup

Run these queries to verify that permissions are configured correctly: