cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Unable to Change Pipeline Ownership to Service Principal Despite Admin Permissions

abhi_dabhi
New Contributor

Thursday

Hello Databricks Community,

I am facing an issue with changing the ownership of an ETL pipeline to a service principal. Despite being the Databricks administrator with workspace and metastore admin permissions, I receive the following error: "Only admins can change pipeline owners. Please contact your Databricks administrator."

Steps I have already tried:
1. Verified Workspace and Metastore admin permissions.
2. Checked pipeline permissions (CAN MANAGE or IS OWNER).
3. Ran the pipeline at least once.

None of these steps have resolved the issue. I have also attached a screenshot of the issue I am facing. Has anyone encountered a similar problem or have any suggestions on how to proceed? Any help would be greatly appreciated!

Thank you,

Preview file
72 KB
0 Kudos
4 REPLIES 4

BigRoux
Databricks Employee
Databricks Employee

Thursday

I do believe that only a Metastore Admin can change ownership of a DLT pipeline configured with Unity Catalog. I am presuming your pipeline has been configured with Unity Catalog?

Cheers, Lou.

0 Kudos

abhi_dabhi
New Contributor
In response to BigRoux

yesterday

Yes, it's configured with Unity Catalog. Looks like after pipeline has been created, we can not change Owner for the pipeline and that's also for Databricks Administrator, so I was looking for a wat to change Owner while creating a pipeline and only way that can be possible is via Databricks API request to create pipeline and add different owner in the API payload. However, there is a catch, if I want to make service principal an owner of the pipeline, I need to add PAT for Service Principal in the API request. Now I am stuck at the point how to get PAT for Service Principal. I tried using Secret for Service Principal which I retrieved from Identity and Access in the Setting, but that secret value didn't work as PAT token. If you have any suggestions or leads, please let me know. Thank you!

0 Kudos

BigRoux
Databricks Employee
Databricks Employee

yesterday

Are you saying that you can't create a PAT token in the Databricks Workspace, or you can create a PAT token but don't have a secure way of using it with the API request? Please explain a bit more. 

Thanks, Lou.

0 Kudos

abhi_dabhi
New Contributor
In response to BigRoux

yesterday

Thanks for your response.

To clarify, yes, I can generate an Admin PAT token in the Databricks workspace — that part works fine.
However, I’m trying to achieve something more specific:

My use case:
I want to create a pipeline (such as a Delta Live Table pipeline) where the owner is a Service Principal (SP), not myself. The goal is to ensure the pipeline is owned and managed under the identity of the SP for automation and security boundary purposes.

In the normal workflow, if I use my own Admin PAT to create a pipeline via API, I become the owner, and there is currently no public API to change ownership afterward.

What I tried:
I found that the pipeline creation API supports an owner field in the request payload. I tested this and confirmed:

  • If I create a pipeline using my Admin PAT and set the owner field to a different identity (the Service Principal), it does not work — the owner field is ignored.

  • From my testing and understanding, the owner field is only honored if the authenticated identity matches the identity being set as owner.

The challenge:
To make the Service Principal the owner at creation time, I would need to authenticate the API request as the Service Principal — which means I need a PAT token for the Service Principal.

I explored the Token Management API to generate a PAT on behalf of the Service Principal. However, that approach is not feasible because:

The Token Management API (on-behalf-of) requires the token-management entitlement to be enabled for the Service Principal. This entitlement cannot be granted via the UI or API, and according to current documentation and support guidance, it is not possible to generate a PAT for a Service Principal through supported means unless that setup is already handled internally. So obtaining a PAT for the SP is currently not a viable option.

My questions:

  1. Is there any supported way to create a PAT for a Service Principal in order to authenticate as that identity during pipeline creation?

  2. If not, is there any alternative method to assign a Service Principal as the pipeline owner at creation time, or a supported way to transfer ownership to a Service Principal after creation?

  3. Is impersonation or delegation (acting on behalf of a Service Principal) possible in any form?

I would appreciate any insight or recommendations you can provide.

0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!

Sign Up Now
Announcements
OSZAR »