3 weeks ago
Is there a way to programmatically create an OAuth secret for a workspace service principal via API/SDK? As of now, the only way I can see of doing this is through the UI.
3 weeks ago
Hi @andreapeterson ,
Currently, there isn't support for creating OAuth secrets through the API, only through the UI in the admin console. You can create 'on behalf of' tokens through the API for service principals, but not an OAuth secret at the moment: https://docs.databricks.com/api/workspace/tokenmanagement/createobotoken
2 weeks ago
Hi Shua,
Thanks for responding. What is the difference between a token and OAuth? I only see OAuth in the UI.
Also, is adding OAuth secrets for a service principal via API on the roadmap for Databricks?
2 weeks ago
@andreapeterson isn't it the API you are looking for?
https://docs.databricks.com/api/azure/account/serviceprincipalsecrets/create
It is an account-level API, but, counterintuitively, when we create service principals in the workspace, they propagate into the account behind the scenes! If you create an account-level SP right away, it will not be added to any workspace, but can be added later using the workspace-level create method. It is pretty confusing, because when we do that in the UI, these details are hidden from us. At least this is how it works in my Azure environment. It took me a while to realize that.
To summarize, in your case you need to try to create the OAuth secret using the account-level API I gave, even though you created it in the workspace. Hopefully you have permissions to call the account API in your org.
a week ago
This was exactly it! I do have permissions to call account APIs in my org; however, I did not realize I could call that API to make OAuth secrets for other various workspace principals. So thank you so much for helping me, finding this, and explaining that. The propagation behind the scenes is confusing, but I think I am finally getting the hang of it, haha. Thank you again, this was a great find.
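The account-level call from the accepted answer, as an added example that is not part of the thread or Databricks' own code: it builds the `serviceprincipalsecrets/create` request, sends it, and hands the returned secret to a store while keeping it out of anything that gets logged. The bearer token (an account-admin token), the `store` callable and the sample IDs are assumptions.

```python
import json
import re
import urllib.request

# Account API host for Azure Databricks (the linked reference is the Azure one).
ACCOUNT_HOST = "https://accounts.azuredatabricks.net"

def secret_endpoint(account_id, sp_id, host=ACCOUNT_HOST):
    """Build the account-level URL that creates an OAuth secret for a principal."""
    # The path takes the principal's numeric ID, not its application (client) UUID.
    if not re.fullmatch(r"\d+", str(sp_id)):
        raise ValueError("service principal ID must be the numeric ID")
    return (f"{host}/api/2.0/accounts/{account_id}"
            f"/servicePrincipals/{sp_id}/credentials/secrets")

def create_secret(url, bearer_token, opener=urllib.request.urlopen):
    """POST to the endpoint and return the parsed response (contains the secret)."""
    req = urllib.request.Request(
        url, data=b"{}", method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with opener(req) as resp:
        return json.loads(resp.read())

def redact(response):
    """Copy of the response that is safe to log: the secret value is dropped."""
    return {k: v for k, v in response.items() if k != "secret"}

def store_and_summarize(response, store):
    """Pass the secret to `store` (hypothetical vault writer); return log-safe data."""
    # The plaintext secret is only in this create response, so persist it now.
    store(response["id"], response["secret"])
    return redact(response)

if __name__ == "__main__":
    import io
    # Constructed response standing in for the API, so the demo runs offline.
    sample = {"id": "secret-001", "secret": "CONSTRUCTED-VALUE", "status": "ACTIVE"}
    fake = lambda req: io.BytesIO(json.dumps(sample).encode())
    url = secret_endpoint("00000000-0000-0000-0000-000000000000", 1234567890)
    vault = {}
    print(url)
    print(store_and_summarize(create_secret(url, "TOKEN", fake), vault.__setitem__))
```
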