Commit ca6fc87

M self-host/customize-deployment/environment-variables.mdx (#562)
1 parent 3760b96 commit ca6fc87

1 file changed

Lines changed: 49 additions & 2 deletions

self-host/customize-deployment/environment-variables.mdx
@@ -584,8 +584,8 @@ The admin, organization, and API key variables from [Initialize instance](#initi
584584
| `catalog` | No | Unity Catalog name. |
585585
| `authenticationType` | No | One of `personal_access_token` (default), `oauth_m2m`, `oauth_u2m`. |
586586
| `personalAccessToken` | If `authenticationType=personal_access_token` | Databricks PAT (starts with `dapi_`). |
587-
| `oauthClientId` | If `authenticationType=oauth_m2m` | Service Principal client ID. |
588-
| `oauthClientSecret` | If `authenticationType=oauth_m2m` | Service Principal client secret. |
587+
| `oauthClientId` | If `authenticationType=oauth_m2m` | Databricks Service Principal client ID (a UUID). |
588+
| `oauthClientSecret` | If `authenticationType=oauth_m2m` | Databricks Service Principal client secret. |
589589
| `compute` | No | Array of extra SQL warehouses: `[{ "name": "...", "httpPath": "..." }]`. |
590590
| `startOfWeek` | No | Day to use as start of week (default=`SUNDAY`). |
591591
| `dataTimezone` | No | Project-level timezone override. |
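Review bot: the reworded `oauthClientSecret` row still says nothing about how the secret should be supplied, even though it sits beside `personalAccessToken`, which is the same class of credential; consider stating on both rows that the value is sensitive and should reach the process through a secret manager or Kubernetes `Secret` rather than a committed shell profile, matching the guidance in the note under the `LD_SETUP_PROJECTS` example. The `(a UUID)` hint on `oauthClientId` is useful; a matching hint on what `oauthClientSecret` looks like would help operators tell it apart from a PAT (`dapi_` prefix) when rotating credentials.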
@@ -649,6 +649,53 @@ export LD_SETUP_PROJECTS='[
649649
**Quote the whole value in single quotes** in your shell so that `$`, backticks, and double quotes inside the JSON are not re-interpreted. When injecting via a secret manager or Kubernetes `Secret`, no escaping is needed — just paste the JSON as-is.
650650
</Note>
651651

652+
### Databricks M2M OAuth example
653+
654+
Use a [Databricks Service Principal](https://docs.databricks.com/aws/en/dev-tools/auth/oauth-m2m) when you want non-interactive, machine-to-machine authentication instead of a PAT. Lightdash exchanges the `client_id` + `client_secret` for an access token automatically on the first compile and refreshes it as needed — no user interaction is required.
655+
656+
```bash
657+
export LD_SETUP_ADMIN_EMAIL="admin@example.com"
658+
export LD_SETUP_PROJECTS='[
659+
{
660+
"name": "Sales (Databricks M2M)",
661+
"warehouseConnection": {
662+
"type": "databricks",
663+
"serverHostName": "dbc-xxxx.cloud.databricks.com",
664+
"httpPath": "/sql/1.0/warehouses/abc123",
665+
"catalog": "lightdash_prod",
666+
"database": "sales",
667+
"authenticationType": "oauth_m2m",
668+
"oauthClientId": "00000000-0000-0000-0000-000000000000",
669+
"oauthClientSecret": "dose...secret..."
670+
},
671+
"dbtConnection": {
672+
"type": "github",
673+
"authorization_method": "personal_access_token",
674+
"personal_access_token": "ghp_...",
675+
"repository": "myorg/dbt-sales",
676+
"branch": "main",
677+
"project_sub_path": "/"
678+
}
679+
}
680+
]'
681+
```
682+
683+
If you already have an M2M Service Principal configured for dbt, the field names are different. Map your dbt profile fields to Lightdash's `warehouseConnection` like this:
684+
685+
| `profiles.yml` (dbt) | `LD_SETUP_PROJECTS` (Lightdash) |
686+
| :------------------------ | :------------------------------ |
687+
| `host` | `serverHostName` |
688+
| `http_path` | `httpPath` |
689+
| `catalog` | `catalog` |
690+
| `schema` | `database` |
691+
| `auth_type: oauth` | `authenticationType: "oauth_m2m"` |
692+
| `client_id` | `oauthClientId` |
693+
| `client_secret` | `oauthClientSecret` |
694+
695+
<Note>
696+
M2M is non-interactive by design — Lightdash uses the OAuth client-credentials grant. No browser popup, no per-user sign-in. The Service Principal needs `CAN USE` on the SQL warehouse and the appropriate `SELECT`/`USE CATALOG`/`USE SCHEMA` grants on your data.
697+
</Note>
698+
652699
### Validation
653700

654701
`LD_SETUP_PROJECTS` is parsed and validated at boot. Lightdash will **fail to start with a descriptive error** if any of the following are true:
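Review bot: the mapping row `auth_type: oauth` -> `authenticationType: "oauth_m2m"` is unconditional, but the variables table above also offers `oauth_u2m`; the row should say the M2M mapping applies only when the dbt profile also carries `client_id` and `client_secret` (the next two rows), otherwise a reader with a user-to-machine profile is pointed at the wrong mode. Two smaller points on the example block: the placeholders `"dose...secret..."` and `"ghp_..."` read like truncated real values, so unmistakable placeholders such as `"<databricks-client-secret>"` and `"<github-pat>"` would prevent fragments being pasted into real deployments; and because the block exports live credentials from an interactive shell, a one-line pointer to the secret-manager/Kubernetes `Secret` option from the preceding `<Note>` would keep the example consistent with it. The permissions sentence in the added `<Note>` is a good least-privilege statement; consider saying that `USE CATALOG`/`USE SCHEMA` should be granted only on the catalog named in `catalog` (here `lightdash_prod`) and the schemas the project reads, so the Service Principal is not given broader access than the project needs.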
