Connect to Databricks using the SQL Statement Execution API, authenticated by an OAuth service principal. Queries run on a SQL warehouse against the catalogs, schemas, and tables.
For least-privilege access, create a dedicated service principal for Reeflow rather than using an admin account. Databricks’ Unity Catalog privileges reference covers the available grants in detail.
1. In your workspace, click your username in the top right, then Settings
2. Go to Identity and access, then next to Service principals click Manage
3. Click Add service principal, enter a name (e.g. reeflow), and click Add
4. Grant Can use on your SQL warehouse: navigate to SQL Warehouses, open the warehouse, click Permissions, and add the service principal with Can use
Then grant catalog-level read access by running the following as a Unity Catalog metastore admin, customising the principal, catalog, and schema names to match your environment:
```sql
-- Grant catalog visibility and read access on every schema, table, and view
GRANT USE CATALOG ON CATALOG main TO `reeflow_reader`;
GRANT USE SCHEMA ON CATALOG main TO `reeflow_reader`;
GRANT SELECT ON CATALOG main TO `reeflow_reader`;
```
Reeflow authenticates with Databricks using OAuth M2M (machine-to-machine) via a service principal. Reeflow exchanges the client credentials for a short-lived bearer token automatically on each connection.
Use the service principal created in the previous section, or an existing one. Then:
1. Click your username in the top right, go to Settings, then Identity and access, then next to Service principals click Manage
2. Click the service principal name to open the Service principal details page
3. Open the Secrets tab and click Generate secret
4. Copy the Secret and note the Client ID from the dialog. Databricks will not show the secret again.
When creating a Databricks connection in Reeflow, provide the following:
| Field | Description |
| --- | --- |
| Workspace host | Databricks workspace hostname, without the https:// prefix. For example, dbc-12345678-90ab.cloud.databricks.com or adb-1234567890123456.7.azuredatabricks.net. |
| Client ID | The service principal’s Client ID, shown in the Generate secret dialog alongside the secret. |
| OAuth secret | The secret generated on the Secrets tab of the service principal details page. |
| SQL warehouse | The warehouse used to execute queries. Reeflow lists the warehouses available to the service principal. |
| Catalog | Default catalog queries are issued against. |
| Schema | Optional default schema. Defaults to default when omitted. |
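The same flow can be exercised outside Reeflow to confirm the service principal works before entering these values. This is an added example, not Reeflow's code: it builds the OAuth M2M token request and a SQL Statement Execution API call with Python's standard library, assuming the workspace-level token endpoint /oidc/v1/token and the all-apis scope from Databricks' OAuth M2M documentation. The function names are illustrative.

```python
import base64
import json
import re
import urllib.parse
import urllib.request

# Bare hostname only: dot-separated labels of letters, digits and hyphens.
HOST_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def check_host(host):
    """Reject anything but a bare hostname, so the secret is never sent to a
    URL with an unexpected scheme, path, port or userinfo part."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"workspace host must be a bare hostname: {host!r}")
    return host.lower()


def token_request(host, client_id, secret):
    """Build the OAuth client-credentials request (assumed endpoint/scope)."""
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": "all-apis"}).encode()
    return urllib.request.Request(
        f"https://{check_host(host)}/oidc/v1/token", data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def statement_request(host, token, warehouse_id, sql, catalog, schema="default"):
    """Build a SQL Statement Execution API call carrying the bearer token."""
    body = json.dumps({"warehouse_id": warehouse_id, "statement": sql,
                       "catalog": catalog, "schema": schema,
                       "wait_timeout": "30s"}).encode()
    return urllib.request.Request(
        f"https://{check_host(host)}/api/2.0/sql/statements", data=body,
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def send(req):
    """Send a built request and decode the JSON reply (needs network)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Against a real workspace, `send(token_request(...))` returns a JSON object whose `access_token` value is the bearer token to pass to `statement_request`.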