---
subcategory: "Security"
---
This resource creates On-Behalf-Of (OBO) tokens for a databricks_service_principal in Databricks workspaces on AWS. It is very useful when you want to provision resources within a workspace through a narrowly-scoped service principal that has no access to other workspaces within the same Databricks Account.

Creating a token for a narrowly-scoped service principal that is the only principal (besides admins) allowed to use PAT tokens in the given workspace keeps your automated deployment highly secure.
-> A given declaration of databricks_permissions.token_usage would OVERWRITE the permission to use PAT tokens for any existing groups that already hold token usage permissions, such as the users group. To avoid this, be sure to include any desired groups in additional access_control blocks in the Terraform configuration file.
```hcl
# Service principal dedicated to automation in this one workspace.
resource "databricks_service_principal" "this" {
  display_name = "Automation-only SP"
}

# Grant only this service principal the right to use PAT tokens.
# Note: this declaration replaces any existing token usage grants.
resource "databricks_permissions" "token_usage" {
  authorization = "tokens"

  access_control {
    service_principal_name = databricks_service_principal.this.application_id
    permission_level       = "CAN_USE"
  }
}

# The token must be created only after the permission is in place.
resource "databricks_obo_token" "this" {
  depends_on       = [databricks_permissions.token_usage]
  application_id   = databricks_service_principal.this.application_id
  comment          = "PAT on behalf of ${databricks_service_principal.this.display_name}"
  lifetime_seconds = 3600
}

# Expose the token value; marked sensitive so it is redacted in plan/apply output.
output "obo" {
  value     = databricks_obo_token.this.token_value
  sensitive = true
}
```
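The note above warns that declaring `databricks_permissions.token_usage` replaces every existing token usage grant. The following is an added example, not part of the provider documentation, showing the same configuration with a second `access_control` block that preserves the grant for the built-in `users` group (the group name `users` is assumed to be the one present in the workspace):

```hcl
resource "databricks_service_principal" "this" {
  display_name = "Automation-only SP"
}

resource "databricks_permissions" "token_usage" {
  authorization = "tokens"

  # Narrowly-scoped service principal that runs the deployment.
  access_control {
    service_principal_name = databricks_service_principal.this.application_id
    permission_level       = "CAN_USE"
  }

  # Keep the pre-existing grant for the "users" group (assumed name).
  # Without this block the resource would silently drop that grant,
  # locking regular users out of PAT creation after the next apply.
  access_control {
    group_name       = "users"
    permission_level = "CAN_USE"
  }
}

resource "databricks_obo_token" "this" {
  depends_on       = [databricks_permissions.token_usage]
  application_id   = databricks_service_principal.this.application_id
  comment          = "PAT on behalf of ${databricks_service_principal.this.display_name}"
  # Short-lived token: Terraform re-creates it once it expires.
  lifetime_seconds = 3600
}

output "obo" {
  value     = databricks_obo_token.this.token_value
  sensitive = true
}
```

Run `terraform plan` before applying and confirm the `access_control` blocks in the diff list every group that should keep token usage; anything missing from the plan will be removed.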
Creating a token for a service principal with admin privileges
```hcl
# Service principal used by Terraform itself.
resource "databricks_service_principal" "this" {
  display_name = "Terraform"
}

# Look up the workspace admins group.
data "databricks_group" "admins" {
  display_name = "admins"
}

# Make the service principal a workspace admin.
resource "databricks_group_member" "this" {
  group_id  = data.databricks_group.admins.id
  member_id = databricks_service_principal.this.id
}

# Admins may use PAT tokens, so no separate token usage permission is needed.
resource "databricks_obo_token" "this" {
  depends_on       = [databricks_group_member.this]
  application_id   = databricks_service_principal.this.application_id
  comment          = "PAT on behalf of ${databricks_service_principal.this.display_name}"
  lifetime_seconds = 3600
}
```
The following arguments are supported:

- `application_id` - (Required) Application ID of the databricks_service_principal to create a PAT token for.
- `lifetime_seconds` - (Integer, Optional) The number of seconds before the token expires. The token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
- `comment` - (String, Optional) Comment that describes the purpose of the token.
In addition to all arguments above, the following attributes are exported:

- `id` - Canonical unique identifier for the token.
- `token_value` - Sensitive value of the newly-created token.
!> Importing this resource is not currently supported.
The following resources are often used in the same context:
- End to end workspace management guide.
- databricks_group data to retrieve information about databricks_group members, entitlements and instance profiles.
- databricks_group_member to attach users and groups as group members.
- databricks_permissions to manage access control in Databricks workspace.
- databricks_service_principal to manage Service Principals that could be added to databricks_group within workspace.
- databricks_sql_permissions to manage data object access control lists in Databricks workspaces for things like tables, views, databases, and more.