Beta Product: SQL Proxy is currently in beta. Features and APIs may change.
SQL Proxy uses passthrough authentication - your credentials are forwarded directly to Databricks. Permissions work identically to connecting to Databricks directly.
Datafold Admin Account
Datafold requires an admin account to manage infrastructure on your behalf:
- Spin up/down SQL warehouses
- Log query metadata for routing optimization
Setup
Create a service principal or use an existing one with the following permissions:
| Resource | Permission | Purpose |
|---|---|---|
| SQL Warehouses | CAN MANAGE | Start/stop warehouses, modify settings |
| Unity Catalog | USE CATALOG, USE SCHEMA | Access metadata for routing |
| datafold_sql_proxy schema | CREATE TABLE, INSERT, SELECT | Query logging and routing optimization |
Provide the credentials to your Datafold representative during onboarding.
User Authentication
Users authenticate with their own Databricks credentials. SQL Proxy passes these through to Databricks unchanged.
PAT (Personal Access Token)
Use your existing Databricks PAT:
```yaml
# dbt profiles.yml
my_project:
  outputs:
    prod:
      type: databricks
      host: sqlproxy.your-company.datafold.com
      http_path: /sql/1.0/warehouses/proxy
      token: "{{ env_var('DATABRICKS_TOKEN') }}"
```
M2M OAuth (Service Principal)
Use your existing Databricks service principal:
```yaml
# dbt profiles.yml
my_project:
  outputs:
    prod:
      type: databricks
      host: sqlproxy.your-company.datafold.com
      http_path: /sql/1.0/warehouses/proxy
      auth_type: oauth
      client_id: "{{ env_var('DATABRICKS_CLIENT_ID') }}"
      client_secret: "{{ env_var('DATABRICKS_CLIENT_SECRET') }}"
```
For dbt Cloud, configure these as environment variables.
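Because the proxy forwards whatever credential the profile supplies, a committed `profiles.yml` should never hold the token or client secret itself. The check below is an added example, not part of the Datafold documentation: it lints a parsed profile for literal secrets and for mixed or incomplete PAT/OAuth settings. The names `lint_output` and `lint_profiles` and the `dev` target are hypothetical, and the input is assumed to be the mapping that `yaml.safe_load` returns for `profiles.yml`.

```python
import re

# A value that is exactly one env_var() lookup with no default, as in the profiles above.
ENV_REF = re.compile(r"^\{\{\s*env_var\(\s*(['\"])[A-Za-z_][A-Za-z0-9_]*\1\s*\)\s*\}\}$")
SECRET_KEYS = ("token", "client_secret")

def lint_output(name, out):
    """Return findings for one dbt output (target) mapping."""
    findings = []
    if out.get("type") != "databricks":
        return findings  # only Databricks targets carry these credentials
    for key in SECRET_KEYS:
        value = out.get(key)
        # A literal, or an env_var() with a default, puts the secret in the file.
        if value is not None and not ENV_REF.match(str(value).strip()):
            findings.append(f"{name}: {key} is not a plain env_var() reference")
    if out.get("auth_type") == "oauth":
        for key in ("client_id", "client_secret"):
            if key not in out:
                findings.append(f"{name}: auth_type oauth but {key} is missing")
        if "token" in out:
            findings.append(f"{name}: both a PAT and OAuth credentials are configured")
    elif "token" not in out:
        findings.append(f"{name}: no token and auth_type is not oauth")
    return findings

def lint_profiles(profiles):
    """Lint every output of every profile in a parsed profiles.yml mapping."""
    findings = []
    for profile_name, profile in profiles.items():
        outputs = profile.get("outputs") if isinstance(profile, dict) else None
        for target, out in (outputs or {}).items():
            findings.extend(lint_output(f"{profile_name}.{target}", out))
    return findings

# Constructed sample shaped like yaml.safe_load() output; the "dev" target is hypothetical.
_BASE = {"type": "databricks", "host": "sqlproxy.your-company.datafold.com",
         "http_path": "/sql/1.0/warehouses/proxy"}
SAMPLE = {"my_project": {"outputs": {
    "prod": {**_BASE, "token": "{{ env_var('DATABRICKS_TOKEN') }}"},
    "dev": {**_BASE, "auth_type": "oauth",
            "client_id": "{{ env_var('DATABRICKS_CLIENT_ID') }}",
            "client_secret": "constructed-literal-secret"},
}}}

if __name__ == "__main__":
    print("\n".join(lint_profiles(SAMPLE)))
```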
Required User Permissions
Since authentication is passthrough, users need the same Databricks permissions they would need when connecting directly.
SQL Warehouse Access
| Permission | Grants |
|---|---|
| CAN USE | Execute queries on the warehouse |
If routing to multiple warehouses, users need CAN USE on each warehouse.
Jobs Compute Access
For @datafold:jobs_compute routing:
| Permission | Grants |
|---|---|
| CAN MANAGE RUN | Execute jobs |
| CAN MANAGE | Create and edit jobs |
Unity Catalog Access
Standard Unity Catalog privileges on catalogs, schemas, and tables:
- USE CATALOG
- USE SCHEMA
- SELECT (for reading data)
- MODIFY (for writing data)
Authentication Flow
The proxy also uses the Datafold admin account separately for infrastructure management (not shown).