Pattern 1: How Databricks AI products execute with a fixed service principal identity for automated jobs and consistent permissions.
Reference: OAuth M2M Documentation
Step 1. A scheduled job or workflow initiates the AI product — no human user is involved in this request.
  Common triggers: cron schedules, CI/CD pipelines, event-driven workflows.
Step 2. The AI product runs as a Service Principal (sp-agent-prod) — a non-human identity with predefined permissions.
  Databricks automatically manages short-lived OAuth credentials for the SP.
Step 3. The OAuth server validates the SP and issues a scoped access token (Machine-to-Machine flow).
  Token lifetime: 1 hour, auto-renewed, no manual rotation needed.
Step 4. The AI product queries Unity Catalog as the Service Principal.
  UC checks: Does sp-agent-prod have SELECT on this table?
Step 5. Every execution gets identical permissions — the SP's grants don't change between runs.
  All access is logged as sp-agent-prod for audit trails.
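The token step above is an OAuth client-credentials (M2M) exchange followed by renewal before the one-hour lifetime runs out. The following is an added example, not Databricks' own code and not part of the original page: a small token manager that performs that exchange and renews the token inside a safety margin before expiry, so a long-running caller never presents an expired token and never has to rotate a long-lived secret by hand. The endpoint path /oidc/v1/token and the scope all-apis are Databricks' documented M2M values; the workspace host, client id and secret are placeholders, and the offline demo swaps the HTTP call for a constructed fake fetcher. Inside a Databricks job the platform does this exchange for the service principal itself; the example shows what that renewal logic has to do.

```python
"""Client-credentials (M2M) token manager with expiry-aware renewal.

Added example for the service-principal pattern; not Databricks' code.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# (host, client_id, client_secret) -> parsed OAuth token response
TokenFetcher = Callable[[str, str, str], Dict]


def fetch_token_http(host: str, client_id: str, client_secret: str) -> Dict:
    """Real client_credentials exchange against https://<host>/oidc/v1/token.

    Not invoked by the offline demo; included so the wire format is explicit.
    The SP's client id/secret go in HTTP Basic auth, the grant and scope in the body.
    """
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": "all-apis"}
    ).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/oidc/v1/token",
        data=body,
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


@dataclass
class ServicePrincipalTokenManager:
    """Caches one short-lived token and renews it before it expires."""

    host: str
    client_id: str
    client_secret: str
    fetcher: TokenFetcher = fetch_token_http
    refresh_margin_s: int = 300            # renew 5 minutes before expiry
    clock: Callable[[], float] = time.time  # injectable for deterministic tests
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)
    fetch_count: int = field(default=0, init=False)

    def get_token(self) -> str:
        now = self.clock()
        # First use, or inside the margin before expiry: fetch a fresh token.
        if self._token is None or now >= self._expires_at - self.refresh_margin_s:
            resp = self.fetcher(self.host, self.client_id, self.client_secret)
            self._token = resp["access_token"]
            # expires_in is the standard OAuth lifetime in seconds (page: 1 hour).
            self._expires_at = now + int(resp.get("expires_in", 3600))
            self.fetch_count += 1
        return self._token

    def auth_header(self) -> Dict[str, str]:
        """Header a Unity Catalog / REST call would carry, identifying the SP."""
        return {"Authorization": f"Bearer {self.get_token()}"}


def _constructed_fake_fetcher() -> TokenFetcher:
    """Constructed stand-in for the token endpoint: numbered tokens, 1-hour lifetime."""
    counter = {"n": 0}

    def fake(host: str, client_id: str, client_secret: str) -> Dict:
        counter["n"] += 1
        return {"access_token": f"tok-{counter['n']}",
                "token_type": "Bearer", "expires_in": 3600}

    return fake


def demo() -> Tuple[str, str, str, int]:
    """Walk a simulated clock across one token lifetime; returns the tokens seen."""
    now = [0.0]
    mgr = ServicePrincipalTokenManager(
        host="<workspace-host>",            # placeholder
        client_id="<sp-agent-prod-client-id>",  # placeholder
        client_secret="<client-secret>",    # placeholder
        fetcher=_constructed_fake_fetcher(),
        clock=lambda: now[0],
    )
    first = mgr.get_token()    # t=0: no token yet, fetch tok-1 (expires at 3600)
    now[0] = 1800
    second = mgr.get_token()   # t=30 min: still valid, reuse tok-1
    now[0] = 3400
    third = mgr.get_token()    # t=56 min: inside the 5-minute margin, renew to tok-2
    return first, second, third, mgr.fetch_count


if __name__ == "__main__":
    print(demo())
```

The renewal margin is the detail worth copying: a caller that waits for a 401 before re-authenticating will fail a Unity Catalog query mid-run, while renewing a few minutes early keeps every request authenticated as sp-agent-prod without manual secret rotation.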
Service principals are non-human identities for automation and batch jobs.
Same permissions every execution — predictable, consistent access.
Databricks handles token rotation automatically. No secrets to manage.
All actions logged under the service principal name for compliance.