Dependencies
Because apps are portable (they can be built once and then deployed in multiple accounts and workspaces), they cannot be built with dependencies on any specific Databricks resource. And because they are sandboxed (configured with the least privileges they need to work), they should not create new resources. Instead, apps must rely on an approach coordinated by the platform to resolve dependencies. An app may require resources native to Databricks, such as a data warehouse or a serving endpoint. Each app has its own service principal; during app creation or update, we grant the app's service principal the specified permissions on its resource dependencies. During app deletion, we revoke all of the app's service principal permissions on app dependencies.
App developers need to specify these dependencies as part of app creation or update. To modify the permissions on a resource, the app developer must have permission to grant access on that resource. This is an important security aspect of apps, as they should be modeled as an independent user (especially now with autonomous agents!).
App Dependency Type
Right now, we support four types of dependencies: "secret", "serving_endpoint", "job" and "sql_warehouse".
App Dependency Config
Secret
| Field Name | Field Type | Description |
| --- | --- | --- |
| scope | string | The scope of the Databricks secret. |
| key | string | The key of the Databricks secret. |
| permission | string | The permission level applied to the app service principal. Enum: READ, WRITE, MANAGE |
Serving endpoint
| Field Name | Field Type | Description |
| --- | --- | --- |
| name | string | The name of the serving endpoint. |
| permission | string | The permission level applied to the app service principal. Enum: CAN_MANAGE, CAN_QUERY, CAN_VIEW |
SQL Warehouse
| Field Name | Field Type | Description |
| --- | --- | --- |
| id | string | The id of the SQL Warehouse. |
| permission | string | The permission level applied to the app service principal. Enum: CAN_MANAGE, IS_OWNER, CAN_USE |
Job
| Field Name | Field Type | Description |
| --- | --- | --- |
| id | string | The id of the job. |
| permission | string | The permission level applied to the app service principal. Enum: CAN_MANAGE, IS_OWNER, CAN_MANAGE_RUN, CAN_VIEW |
App Dependency Fields
| Field Name | Field Type | Description |
| --- | --- | --- |
| name | string | The name of the dependency. |
| {{dependency}} | struct | Field name depends on dependency type. Available options are: "job", "serving_endpoint", "secret", "sql_warehouse". Value is specified above. |
Create App Example
{
  "name": "myApp",
  "dependencies": [
    {
      "name": "my-job",
      "job": {
        "id": "585285522191412",
        "permission": "CAN_MANAGE"
      }
    },
    {
      "name": "test-secret",
      "secret": {
        "scope": "test-scope",
        "key": "test-key",
        "permission": "READ"
      }
    },
    {
      "name": "ml-endpoint",
      "serving_endpoint": {
        "name": "my-test-endpoint",
        "permission": "CAN_QUERY"
      }
    },
    {
      "name": "warehouse",
      "sql_warehouse": {
        "id": "5846a30dd6657766",
        "permission": "CAN_USE"
      }
    }
  ]
}
Update App Example
{
  "name": "myApp",
  "dependencies": [
    {
      "name": "warehouse-1",
      "sql_warehouse": {
        "id": "5846a30dd6657766",
        "permission": "CAN_USE"
      }
    },
    {
      "name": "test-secret",
      "secret": {
        "scope": "test-scope",
        "key": "test-key",
        "permission": "READ"
      }
    },
    {
      "name": "warehouse-2",
      "sql_warehouse": {
        "id": "5846a30dd6656642",
        "permission": "CAN_MONITOR"
      }
    }
  ]
}
App Databricks secret mounted as environment variable
Secrets specified in app dependencies can be mounted as environment variables. The app.yaml below shows how to reference a secret.
app.yaml
command:
  - uvicorn
  - app:app
env:
  - name: "MY_NON_SECRET_VAR"
    value: "123"
  - name: "MY_SECRET_VAR"
    valueFrom: "test-secret"
See valueFrom: {dependency_name}. {dependency_name} should be the name of the secret dependency specified in app dependencies. We will mount the value read from the Databricks secret.
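Because every dependency becomes a grant to the app's service principal, it is worth reviewing a payload before submitting it. The following is an added example, not Databricks code: it checks a create/update payload against the permission enums listed in the tables above, flags management-level grants, and verifies that each valueFrom in app.yaml names a secret dependency. The function name, the BROAD policy set, the "exactly one type per dependency" check and the sample input are assumptions made for illustration.

```python
# Added example: review an app's dependency grants before create/update.
# Permission enums are copied from the tables on this page.
ALLOWED = {
    "secret": {"READ", "WRITE", "MANAGE"},
    "serving_endpoint": {"CAN_MANAGE", "CAN_QUERY", "CAN_VIEW"},
    "sql_warehouse": {"CAN_MANAGE", "IS_OWNER", "CAN_USE"},
    "job": {"CAN_MANAGE", "IS_OWNER", "CAN_MANAGE_RUN", "CAN_VIEW"},
}
# Assumption: a local review policy, not a platform rule. These levels let the
# app's service principal change or own the resource, so they need sign-off.
BROAD = {"WRITE", "MANAGE", "CAN_MANAGE", "IS_OWNER"}

def review_dependencies(payload, env=()):
    """Return (name, finding) tuples for a create/update payload and app.yaml env list."""
    findings, secret_deps = [], set()
    for dep in payload.get("dependencies", []):
        name = dep.get("name", "<unnamed>")
        types = [k for k in dep if k in ALLOWED]
        if len(types) != 1:  # assumption: one type struct per dependency
            findings.append((name, "expected exactly one dependency type"))
            continue
        dtype = types[0]
        perm = dep[dtype].get("permission")
        if perm not in ALLOWED[dtype]:
            findings.append((name, f"{perm} is not a listed {dtype} permission"))
        elif perm in BROAD:
            findings.append((name, f"{perm} on {dtype} grants management rights"))
        if dtype == "secret":
            secret_deps.add(name)
    for var in env:
        ref = var.get("valueFrom")
        if ref is not None and ref not in secret_deps:
            findings.append((var.get("name"), f"valueFrom {ref} is not a secret dependency"))
    return findings

# Constructed sample input, modeled on the examples on this page.
SAMPLE_PAYLOAD = {"name": "myApp", "dependencies": [
    {"name": "my-job", "job": {"id": "585285522191412", "permission": "CAN_MANAGE"}},
    {"name": "test-secret", "secret": {"scope": "test-scope", "key": "test-key", "permission": "READ"}},
    {"name": "warehouse-2", "sql_warehouse": {"id": "5846a30dd6656642", "permission": "CAN_MONITOR"}},
]}
SAMPLE_ENV = [
    {"name": "MY_NON_SECRET_VAR", "value": "123"},
    {"name": "MY_SECRET_VAR", "valueFrom": "test-secret"},
    {"name": "WAREHOUSE_VAR", "valueFrom": "warehouse-2"},
]

if __name__ == "__main__":
    for name, finding in review_dependencies(SAMPLE_PAYLOAD, SAMPLE_ENV):
        print(f"{name}: {finding}")
```

A finding of "not a listed permission" means only that the level is absent from the tables on this page; confirm against the current platform documentation before rejecting the payload.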