Welcome to the Alteryx Knowledge Base

Configure OAuth access to Databricks using service principals and OAuth (Client Credentials flow)
user

Created/Edited - 1/27/2026 by Renat Ishmukhamedov | Alteryx

How To

Access Databricks with native OAuth using Machine to Machine (M2M) flow from Alteryx Designer

Environment
  • Alteryx Designer
    • Version 25.1+
  • Databricks
Prerequisites
  • Databricks admin access
Procedure

Important: Please note, this authentication method is only supported in Alteryx Designer versions 25.1 and above.

 

For supported connection methods in earlier versions, refer to the Databricks and Alteryx Guide or consult your system administrator.

Machine-to-Machine (M2M) authentication in Databricks enables automated, unattended access to Databricks resources. This is particularly useful for CI/CD pipelines, automated scripts, or other non-interactive processes. Databricks supports OAuth 2.0 as the preferred protocol for M2M authentication, leveraging service principals for secure access.

The Machine to Machine (M2M) flow is also known as the 2-legged OAuth and OAuth Client Credentials Flow or service account flow.

 

1.png

 

 

Understanding the Databricks native-OAuth (machine-to-machine) flow

Pros

  • Industry standard, and recommended by Databricks - This is the industry standard for the Machine-to-Machine (M2M) authentication.
  • Reduces risk of token misuse - The flow results in a short-lived access token, used to establish a connection to Databricks, which mitigates the risk of token misuse. 
  • Ideal for automation scenarios - The M2M flow doesn’t require direct human interaction, which makes it ideal for automated runs, such as running on Alteryx Server.

 

Cons

  • Client secret lifetime - to run automated workflows, organizations are required to configure a reasonable lifetime for client secrets and are required to set up a process of monitoring and updating client secrets.
  • Internal policies - organizations might have internal mandate to only rely on the M2M flow for automated runs, making this authentication not suitable for human-triggered executions. The U2M, user-to-machine, OAuth flow can be used for human-triggered runs, instead.

Detailed instructions covering how to setup this flow for your Databricks instance and create a connection from Alteryx can be found below.

Setup

To configure the M2M OAuth flow for your Databricks environment, the Databricks admin must collect the relevant connection information from Databricks. Then, the connection can be created by a Designer User or Server admin in Alteryx.

High-level steps:

  • Create a service principal

  • Configure OAuth credentials for the service principal

  • Collect token endpoint value

  • Setup a new Databricks connection in Alteryx Designer

Step 1: Create a service principal

As account admin:

  • Navigate to your Databricks management console and select User management.

 

 

 

  • Next, switch to the service principals tab.

 

 

  • Click “Add service principal” button.

  • Provide a descriptive name to the service principal and click Add.

 

Step 2: Configure OAuth credentials for the service principal

  • Upon saving, navigate and clicked the service principal we’ve just created;

 

 

  • Navigate to the OAuth secrets section and click Generate secret.

 

 

  • Set client secret lifetime (we recommended setting at least 60 days to avoid frequent updates) and click Next.

  • Copy and save client ID and client secret values, they will be used later. Store these securely.

 

 

  • Grant workspace and resource access to the service principal

    • Assign it to relevant groups or roles required for the workload.

    • Include cluster/SQL warehouse access.

 

 

 

    • Click on the workspace and navigate to permissions. Select “Add permissions”.

 

 

    • Select the service principal we created earlier and assign it with a role;

 

 

    • Save the permission

Step 3: Collect the token endpoint

The token endpoint can be created by simply appending oidc/v1/token to your Databricks workspace url, as following https://{databricks_workspace_id}.cloud.databricks.com/oidc/v1/token.

For example: https://dbc-2cdb3c7a-2757.cloud.databricks.com/oidc/v1/token

Step 4: Setup a new Databricks connection in Alteryx Designer

Finally, let’s setup a new Databricks connection in Alteryx Designer.

 

  1. Drag an Input Data tool onto the canvas and select Set up a connection.
  2. Open the Data Sources tab, locate Databricks, and select Quick Connect.

  3. Enter the required connection details, then click + Connect Credentials.

  4. Under Authentication Method, select GenericOAuth2 and set Grant Type to Client Credentials.

 

 

  1. Provide the following values:
    • Token Endpoint

    • Client ID

    • Client Secret
      (Use the values generated when configuring the Databricks OAuth client.)

  1. For Scope, enter all-apis (the scope configured for the OAuth client).

 

 

  1. Click Test Connection and confirm the connection is successful.

 

 

  1. Click Create and Link to associate the authentication method with the connection.
  2. Click Connect to access your Databricks data.
Was this article helpful?