Showing content from https://docs.databricks.com/aws/en/oltp/oauth below:

Authenticate to database instance | Databricks Documentation

Authenticate to database instance

Preview

This feature is in Public Preview in the following regions: us-east-1, us-west-2, eu-west-1, ap-southeast-1, ap-southeast-2, eu-central-1, us-east-2, ap-south-1.

This page describes how to authenticate to a Lakebase database instance. There are two ways to authenticate:

  1. Obtain an OAuth token and authenticate using Databricks identities.
  2. Use native Postgres roles with passwords.

Authenticate with Databricks identities

When you authenticate as a Databricks identity, you need to generate an OAuth token and use it as a password when connecting to Postgres.

Considerations before you begin

Obtain an OAuth token in a user-to-machine flow

If you are a database owner, admin, or your Databricks identity has a corresponding Postgres role for the database instance, you can obtain an OAuth token from the UI, the Databricks CLI, or one of the Databricks SDKs. You can restrict the scope of the token appropriately using the Databricks CLI.

For other Databricks identity users, see Authorize interactive access to Databricks resources with a user account using OAuth for the workspace-level authorization instructions to obtain OAuth tokens.

When your database instance Status is Available, use the Databricks UI to obtain an OAuth token:

  1. From the Database instance details page, click Get OAuth Token. A flag indicates when the token has been created.
  2. Click Copy OAuthToken to copy the token to your clipboard. You must substitute this value into the provided connection string in the next step.
  3. Click the copy icon that follows the provided Connection string.

When your database instance Status is Available, use the Databricks CLI v0.256.0 and later to obtain an OAuth token:

  1. Use the following command to fetch a token.

    Bash

    databricks database generate-database-credential \
      --request-id "$(uuidgen)" \
      --json '{
        "instance_names": ["db-instance-name"]
      }'

  2. This generates a response in the following format. Copy the token from the response.

    JSON

    {
      "expiration_time": "2025-08-24T14:15:22Z",
      "token": "<string>"
    }

For more information about using the Databricks CLI to obtain an OAuth token, see OAuth user-to-machine (U2M) authentication.

You can generate an OAuth token using the Databricks SDK for Python. Databricks SDK bindings are available in Databricks SDK for Python version v0.56.0.

If you are running with an older version of the SDK, run these commands first.

Python

%pip install --upgrade databricks-sdk
%restart_python

The Databricks SDK for Python generates a secure OAuth token, cred, for your database instance. Enter your database instance name where needed.

Python

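from databricks.sdk import WorkspaceClient
import uuid

# Uses the default authentication of the environment the code runs in.
w = WorkspaceClient()

instance_name = "<YOUR INSTANCE>"

# Mint a credential for the instance; the request ID is a fresh UUID.
cred = w.database.generate_database_credential(
    request_id=str(uuid.uuid4()),
    instance_names=[instance_name],
)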

You can generate an OAuth token using the Databricks SDK for Java. Database SDK bindings are available in Databricks SDK for Java version v0.53.0 or above. If you are running with an older version of the SDK, you might need to refresh the imported SDK. For more information, see here.

Scala

%scala

import com.databricks.sdk.WorkspaceClient
import com.databricks.sdk.service.database.GetDatabaseInstanceRequest
import com.databricks.sdk.service.database.GenerateDatabaseCredentialRequest
import com.databricks.sdk.service.database.DatabaseInstance
import com.databricks.sdk.service.database.DatabaseCredential
import java.util.Collections
import java.util.UUID

val w = new WorkspaceClient()

val instanceName = "<YOUR INSTANCE>"


// Mint a credential for the instance; the request ID is a fresh UUID.
val cred = w.database().generateDatabaseCredential(
  new GenerateDatabaseCredentialRequest()
    .setRequestId(UUID.randomUUID().toString())
    .setInstanceNames(Collections.singletonList(instanceName))
)

// The token is the value used as the Postgres password.
System.out.println("Credential: " + cred.getToken())

Obtain an OAuth token in a machine-to-machine flow

To enable secure, automated (machine-to-machine) access to the database instance, you must obtain an OAuth token using a Databricks service principal. This process involves configuring the service principal, generating credentials, and minting OAuth tokens for authentication.

  1. Configure a service principal with indefinitely lived credentials. For instructions, see Authorize unattended access to Databricks resources with a service principal using OAuth.
  2. Mint new OAuth tokens as the service principal.

When your database instance Status is Available, use the Databricks CLI v0.256.0 and later to obtain an OAuth token:

  1. Use the following command to fetch a token.

    Bash

    databricks database generate-database-credential \
      --request-id "$(uuidgen)" \
      --json '{
        "instance_names": ["db-instance-name"]
      }'

  2. This generates a response in the following format. Copy the token from the response.

    JSON

    {
      "expiration_time": "2025-08-24T14:15:22Z",
      "token": "<string>"
    }

You can generate an OAuth token using the Databricks SDK for Python. Databricks SDK bindings are available in Databricks SDK for Python version v0.56.0.

If you are running with an older version of the SDK, run these commands first.

Python

%pip install --upgrade databricks-sdk
%restart_python

The Databricks SDK for Python generates a secure OAuth token, cred, for your database instance. Enter your database instance name where needed.

Python

from databricks.sdk import WorkspaceClient
import uuid

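# Authenticate as the service principal with its OAuth client credentials.
w = WorkspaceClient(
    host="https://<YOUR WORKSPACE URL>/",
    client_id="<YOUR SERVICE PRINCIPAL ID>",
    client_secret="REDACTED",
)

instance_name = "<YOUR INSTANCE>"

# Mint a credential for the instance; the request ID is a fresh UUID.
cred = w.database.generate_database_credential(
    request_id=str(uuid.uuid4()),
    instance_names=[instance_name],
)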

You can generate an OAuth token using the Databricks SDK for Java. Database SDK bindings are available in Databricks SDK for Java version v0.53.0 or above. If you are running with an older version of the SDK, you might need to refresh the imported SDK. For more information, see here.

Scala

%scala

import com.databricks.sdk.WorkspaceClient
import com.databricks.sdk.core.DatabricksConfig
import com.databricks.sdk.service.database.GetDatabaseInstanceRequest
import com.databricks.sdk.service.database.GenerateDatabaseCredentialRequest
import com.databricks.sdk.service.database.DatabaseInstance
import com.databricks.sdk.service.database.DatabaseCredential
import java.util.Collections
import java.util.UUID

val config = new DatabricksConfig()
val w = new WorkspaceClient(config)

val instanceName = "<YOUR INSTANCE>"


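// Mint a credential for the instance; the request ID is a fresh UUID.
val cred = w.database().generateDatabaseCredential(
  new GenerateDatabaseCredentialRequest()
    .setRequestId(UUID.randomUUID().toString())
    .setInstanceNames(Collections.singletonList(instanceName))
)

// The token is the value used as the Postgres password.
System.out.println("Credential: " + cred.getToken())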

note

Rotate OAuth tokens before hourly expiration:
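
One way to act on the hourly expiry, as an added example that is not Databricks code: a small cache that re-mints the token a margin before the `expiration_time` in the response format shown earlier. `RotatingDbToken`, `mint`, the 10-minute margin and the sample tokens are assumptions constructed for illustration.

```python
import threading
from datetime import datetime, timedelta, timezone

def parse_expiry(value):
    """Parse the response's expiration_time (e.g. 2025-08-24T14:15:22Z) as aware UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("expiration_time must carry a timezone")
    return dt.astimezone(timezone.utc)

class RotatingDbToken:
    """Hypothetical helper: caches the token and re-mints it `margin` before expiry."""

    def __init__(self, mint, margin=timedelta(minutes=10), now=None):
        self._mint = mint  # callable returning {"token": ..., "expiration_time": ...}
        self._margin = margin
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._token = self._expires = None

    def password(self):
        """Return a token with at least `margin` of life left, for use as the Postgres password."""
        with self._lock:
            if self._token is None or self._now() >= self._expires - self._margin:
                resp = self._mint()
                expires = parse_expiry(resp["expiration_time"])
                if expires <= self._now():
                    raise RuntimeError("minted token is already expired")
                self._token, self._expires = resp["token"], expires
            return self._token

    def __repr__(self):  # keep the secret out of logs and tracebacks
        return f"<RotatingDbToken expires={self._expires}>"

def demo():
    """Drive the cache with a constructed clock and a constructed mint function."""
    clock = [datetime(2025, 8, 24, 13, 15, 22, tzinfo=timezone.utc)]
    calls = []
    def fake_mint():  # stands in for the CLI/SDK call; tokens are made up
        calls.append(clock[0])
        exp = (clock[0] + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return {"token": f"constructed-token-{len(calls)}", "expiration_time": exp}
    tok = RotatingDbToken(fake_mint, now=lambda: clock[0])
    first = tok.password()
    clock[0] += timedelta(minutes=30)
    second = tok.password()  # 30 min in: cached token still returned
    clock[0] += timedelta(minutes=25)
    third = tok.password()  # 55 min in: inside the margin, so re-minted
    return first, second, third, len(calls)
```

In real use, `mint` would wrap the credential-generation call shown above and return its token and expiration time in this shape; call `password()` each time a new Postgres connection is opened.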

Authenticate with Postgres roles and passwords

If you have clients that do not support credential rotation after one hour, you can create native Postgres roles with passwords:

  1. Click Compute in the workspace sidebar.

  2. Click the Database instances tab.

  3. Select the database instance you want to update.

  4. Click Edit in the upper-right.

  5. Turn on Enable Postgres Native Role Login.

  6. Click Save.

  7. Log into Postgres, or use the SQL Editor, to create a role with a password.

    PostgreSQL

    CREATE ROLE new_role LOGIN PASSWORD 'your strong password';

  8. Grant additional Postgres permissions to the new role. See Grant Postgres roles privileges.

Next steps

After obtaining a credential (OAuth token or password), you can connect to your database instance:

