| subcategory |
|---|
| Security |
This resource creates On-Behalf-Of (OBO) tokens for a databricks_service_principal in Databricks workspaces on AWS. It is useful when you want to provision resources within a workspace through a narrowly-scoped service principal that has no access to other workspaces in the same Databricks account.

Creating a token for a narrowly-scoped service principal that is the only identity (besides admins) allowed to use personal access tokens (PATs) in the workspace keeps your automated deployment tightly contained. Keep in mind that the databricks_permissions.token_usage declaration below sets the complete token-usage ACL for the workspace, so it removes the default permission to use PATs from the users group: once it is applied, regular users can no longer create or use PATs in this workspace. The depends_on on databricks_obo_token.this matters: the service principal must already be allowed to use tokens when the OBO token is requested, otherwise the request fails. Note also that the token value is stored in Terraform state in plain text even though the output is marked sensitive, so the state backend must be protected accordingly.
```hcl
resource "databricks_service_principal" "this" {
  display_name = "Automation-only SP"
}

# Declaring the "tokens" ACL replaces the workspace-wide default, so only this
# service principal (and admins) may use PATs afterwards.
resource "databricks_permissions" "token_usage" {
  authorization = "tokens"

  access_control {
    service_principal_name = databricks_service_principal.this.application_id
    permission_level       = "CAN_USE"
  }
}

resource "databricks_obo_token" "this" {
  depends_on       = [databricks_permissions.token_usage]
  application_id   = databricks_service_principal.this.application_id
  comment          = "PAT on behalf of ${databricks_service_principal.this.display_name}"
  lifetime_seconds = 3600
}

output "obo" {
  value     = databricks_obo_token.this.token_value
  sensitive = true
}
```
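To actually provision with the narrowly-scoped identity rather than with the admin credentials that ran Terraform, the minted token can feed a second, aliased databricks provider; everything declared against that alias is then created as the service principal and is limited to what that principal may do in this one workspace. The following is an added example, not from the provider documentation. It builds on the resources of the first example above (the same `databricks_service_principal.this`, `databricks_permissions.token_usage` and `databricks_obo_token.this`); `var.workspace_host`, the `databricks_entitlements` grant and the cluster settings are assumptions made for illustration.

```hcl
# Added example (not part of the provider docs). Assumes the resources of the
# first example exist in the same configuration and that the workspace URL is
# supplied as var.workspace_host.
variable "workspace_host" {
  type        = string
  description = "Workspace URL, e.g. https://<workspace>.cloud.databricks.com (assumed input)"
}

# The service principal needs an entitlement for what it will create; here we
# assume it should be allowed to create clusters and nothing more.
resource "databricks_entitlements" "automation" {
  service_principal_id = databricks_service_principal.this.id
  allow_cluster_create = true
  workspace_access     = true
}

# Second provider instance authenticated with the OBO token. Resources that set
# `provider = databricks.sp` are created by the service principal, so their
# blast radius is that principal's permission set, not the admin's.
provider "databricks" {
  alias = "sp"
  host  = var.workspace_host
  token = databricks_obo_token.this.token_value
}

# Look up runtime and node type as the service principal as well, so every API
# call in this part of the configuration goes through the scoped credential.
data "databricks_spark_version" "lts" {
  provider          = databricks.sp
  long_term_support = true
}

data "databricks_node_type" "smallest" {
  provider   = databricks.sp
  local_disk = true
}

# Example workload created as the service principal (assumed settings).
resource "databricks_cluster" "automation" {
  provider                = databricks.sp
  depends_on              = [databricks_entitlements.automation]
  cluster_name            = "automation"
  spark_version           = data.databricks_spark_version.lts.id
  node_type_id            = data.databricks_node_type.smallest.id
  autotermination_minutes = 20
  num_workers             = 1
}
```

Because the aliased provider references `databricks_obo_token.this.token_value`, Terraform creates the token before configuring that provider. When the token's lifetime elapses the token resource is re-created and the alias picks up the fresh value on the next apply. Any resource declared against `databricks.sp` that the service principal is not entitled to create fails at apply time, which is the desired behaviour: the automation credential cannot do more than the one principal it belongs to.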
Creating a token for a service principal with admin privileges
```hcl
resource "databricks_service_principal" "this" {
  display_name = "Terraform"
}

data "databricks_group" "admins" {
  display_name = "admins"
}

# Membership in the admins group grants the service principal token usage
# (and everything else), so no separate databricks_permissions is needed.
resource "databricks_group_member" "this" {
  group_id  = data.databricks_group.admins.id
  member_id = databricks_service_principal.this.id
}

resource "databricks_obo_token" "this" {
  depends_on       = [databricks_group_member.this]
  application_id   = databricks_service_principal.this.application_id
  comment          = "PAT on behalf of ${databricks_service_principal.this.display_name}"
  lifetime_seconds = 3600
}
```
The following arguments are required:

- `application_id` - Application ID of databricks_service_principal to create PAT token for.
- `lifetime_seconds` - (Integer) The number of seconds before the token expires. Token resource is re-created when it expires.
- `comment` - (String) Comment that describes the purpose of the token.
In addition to all arguments above, the following attributes are exported:

- `id` - Canonical unique identifier for the token.
- `token_value` - Sensitive value of the newly-created token.
-> **Note** Importing this resource is not currently supported.
The following resources are often used in the same context:
- End to end workspace management guide.
- databricks_group data to retrieve information about databricks_group members, entitlements and instance profiles.
- databricks_group_member to attach users and groups as group members.
- databricks_permissions to manage access control in Databricks workspace.
- databricks_service_principal to manage Service Principals that could be added to databricks_group within workspace.
- databricks_sql_permissions to manage data object access control lists in Databricks workspaces for things like tables, views, databases, and more.