Integrate with Databricks
Follow this step-by-step guide to allow SlashID to monitor and protect your Databricks account. This integration enables SlashID to track users, groups, service principals, personal access tokens, OAuth secrets, workspaces, secret scopes, and Unity Catalog data access (catalogs and schemas) across your Databricks environment.
Before starting
Before starting, ensure you have:
- Account admin privileges in your Databricks account console
- Your Databricks account ID (visible in the account console under your user menu)
- Permission to create service principals and generate OAuth secrets
- (Optional, for workspace-level inventory) permission to add the service principal as an admin to the workspaces you want monitored
If your endpoint or tenant restricts traffic by source IP, allow connections from SlashID's egress IPs published at https://cdn.slashid.com/egress.json. The list is global and stable; the syncToken field changes whenever the IPs change, so you can use it to detect drift.
The file follows the JAFAR draft format (A JSON-Based Format for Publishing IP Ranges of Automated HTTP Clients), the same convention major cloud providers use to publish their IP ranges.
Step 1: Create a service principal
- Open the Databricks account console at https://accounts.cloud.databricks.com (or https://accounts.azuredatabricks.net for Azure, https://accounts.gcp.databricks.com for GCP)
- Go to User management -> Service principals -> Add service principal
- Name it SlashID Identity Protection and click Add
Step 2: Grant the account admin role
- Open the service principal you just created
- In the Roles tab, enable Account admin
The account admin role is required to read account-level SCIM (users, groups, service principals), the workspace list, workspace permission assignments, and service principal OAuth secrets.
Step 3: Generate an OAuth secret
- Still on the service principal page, open the Credentials & secrets tab
- Click Generate secret and set a lifetime that matches your rotation policy
- Copy the Client ID and the Secret — the secret is shown only once
Step 4 (optional): Add the service principal to your workspaces
To inventory personal access tokens and secret scopes, and to read Unity Catalog catalogs, schemas, and grants, the service principal must be able to access your workspaces:
- In each workspace's Admin settings -> Identity and access -> Service principals, add SlashID Identity Protection
- Grant it the Admin role in the workspace (required by the Databricks Token Management and Secrets APIs)
Workspaces the service principal cannot access are skipped gracefully — the account-level sync still completes, you just won't see the per-workspace credential inventory for them.
Step 5: Create your Databricks↔SlashID integration
Go to the SlashID Console integrations page and create a new Databricks connection:
| SlashID Console field | Description | Example |
|---|---|---|
| Name of the connection | Arbitrary name for this connection | Databricks Production |
| Account console host | The Databricks account console URL for your cloud | https://accounts.cloud.databricks.com |
| Account ID | Your Databricks account ID (UUID) | a1b2c3d4-... |
| Client ID | The service principal's client ID from step 3 | 8f0a... |
| Client secret | The OAuth secret from step 3 | — |
| Authoritative status | Whether Databricks identities are the primary source of truth when reconciling identities across providers | Primary or Secondary |
Verification
After the integration is connected, SlashID will run a connection health check and start the first sync. Within a few minutes you should see:
- Users, groups, and service principals in the Identities view (service principals appear under non-human identities)
- Personal access tokens and OAuth secrets in the Credentials view
- Workspaces, secret scopes, metastores, catalogs, and schemas in the Resources view, with access relationships in the identity graph
Troubleshooting
Authentication failures
- invalid_client or 401 on connect: the client ID or secret is wrong, or the secret has expired. Generate a new secret (step 3) and update the connection.
- Account host mismatch: make sure the account console host matches your cloud (accounts.cloud.databricks.com for AWS, accounts.azuredatabricks.net for Azure, accounts.gcp.databricks.com for GCP).
Permission errors
- 403 on users/groups/workspaces: the service principal is not an account admin — re-check step 2.
- Missing tokens or secret scopes for a workspace: the service principal is not an admin of that workspace — re-check step 4.
- No Unity Catalog data: the account has no Unity Catalog metastore, or the service principal cannot access any workspace attached to it.
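A preflight check for the credentials from step 3, added here as an example and not part of SlashID's or Databricks' own tooling: it performs the OAuth client-credentials exchange and then reads one account SCIM user, mapping failures onto the troubleshooting entries above. It assumes Databricks' account-level OAuth M2M token endpoint path `/oidc/accounts/{account_id}/v1/token` with HTTP Basic client authentication and scope `all-apis`, and the account SCIM endpoint `/api/2.0/accounts/{account_id}/scim/v2/Users`; the host, account ID, client ID and secret values are placeholders.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical placeholders: substitute the values gathered in steps 1-5 of this guide.
ACCOUNT_HOST = "https://accounts.cloud.databricks.com"
ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real account ID
CLIENT_ID = "<client-id-from-step-3>"
CLIENT_SECRET = "<secret-from-step-3>"

def token_url(host, account_id):
    # Account-level OAuth M2M token endpoint (assumed path, see lead-in).
    return f"{host.rstrip('/')}/oidc/accounts/{account_id}/v1/token"

def scim_users_url(host, account_id):
    # Account-level SCIM users endpoint; readable only with the account admin role (step 2).
    return f"{host.rstrip('/')}/api/2.0/accounts/{account_id}/scim/v2/Users?count=1"

def diagnose(status, body):
    # Map an HTTP failure to the matching troubleshooting entry above.
    if status == 401 or "invalid_client" in body:
        return "auth failed: wrong or expired client ID/secret (redo step 3)"
    if status == 403:
        return "forbidden: service principal lacks the account admin role (recheck step 2)"
    return f"unexpected HTTP {status}: {body[:200]}"

def _call(req):
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")

def preflight(host, account_id, client_id, client_secret):
    # 1) client-credentials grant, authenticating with HTTP Basic (client_id:secret)
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "all-apis"})
    req = urllib.request.Request(token_url(host, account_id), data=form.encode(), method="POST",
                                 headers={"Authorization": f"Basic {basic}",
                                          "Content-Type": "application/x-www-form-urlencoded"})
    status, text = _call(req)
    if status != 200:
        return diagnose(status, text)
    # 2) prove the account admin role by reading one user from account SCIM
    token = json.loads(text)["access_token"]
    req = urllib.request.Request(scim_users_url(host, account_id),
                                 headers={"Authorization": f"Bearer {token}"})
    status, text = _call(req)
    return "ok: token issued and account SCIM readable" if status == 200 else diagnose(status, text)
```

Fill in the placeholders and call `preflight(ACCOUNT_HOST, ACCOUNT_ID, CLIENT_ID, CLIENT_SECRET)`; an "ok" result means the values are ready to paste into the step 5 form.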