| subcategory |
|---|
Security |
Directly manage Service Principals that could be added to databricks_group in Databricks workspace or account.
-> Note To assign account level service principals to workspace use databricks_mws_permission_assignment.
To create service principals in the Databricks account, the provider must be configured with host = "https://accounts.cloud.databricks.com" on AWS deployments or host = "https://accounts.azuredatabricks.net" and authenticate using AAD tokens on Azure deployments
Creating regular service principal:
resource "databricks_service_principal" "sp" {
application_id = "00000000-0000-0000-0000-000000000000"
}Creating service principal with administrative permissions - referencing special admins databricks_group in databricks_group_member resource:
data "databricks_group" "admins" {
display_name = "admins"
}
resource "databricks_service_principal" "sp" {
application_id = "00000000-0000-0000-0000-000000000000"
}
resource "databricks_group_member" "i-am-admin" {
group_id = data.databricks_group.admins.id
member_id = databricks_service_principal.sp.id
}Creating service principal with cluster create permissions:
resource "databricks_service_principal" "sp" {
application_id = "00000000-0000-0000-0000-000000000000"
display_name = "Example service principal"
allow_cluster_create = true
}Creating service principal in AWS Databricks account:
// initialize provider at account-level
provider "databricks" {
alias = "mws"
host = "https://accounts.cloud.databricks.com"
account_id = "00000000-0000-0000-0000-000000000000"
username = var.databricks_account_username
password = var.databricks_account_password
}
resource "databricks_service_principal" "sp" {
provider = databricks.mws
display_name = "Automation-only SP"
}Creating service principal in Azure Databricks account:
// initialize provider at Azure account-level
provider "databricks" {
alias = "azure_account"
host = "https://accounts.azuredatabricks.net"
account_id = "00000000-0000-0000-0000-000000000000"
auth_type = "azure-cli"
}
resource "databricks_service_principal" "sp" {
provider = databricks.azure_account
application_id = "00000000-0000-0000-0000-000000000000"
}-> application_id is required on Azure Databricks and is not allowed on other clouds. display_name is required on all clouds except Azure.
The following arguments are available:
application_id- This is the Azure Application ID of the given Azure service principal and will be their form of access and identity. On other clouds than Azure this value is auto-generated.display_name- (Required) This is an alias for the service principal and can be the full name of the service principal.external_id- (Optional) ID of the service principal in an external identity provider.allow_cluster_create- (Optional) Allow the service principal to have cluster create privileges. Defaults to false. More fine grained permissions could be assigned with databricks_permissions andcluster_idargument. Everyone withoutallow_cluster_createargument set, but with permission to use Cluster Policy would be able to create clusters, but within the boundaries of that specific policy.allow_instance_pool_create- (Optional) Allow the service principal to have instance pool create privileges. Defaults to false. More fine grained permissions could be assigned with databricks_permissions and instance_pool_id argument.databricks_sql_access- (Optional) This is a field to allow the group to have access to Databricks SQL feature through databricks_sql_endpoint.workspace_access- (Optional) This is a field to allow the group to have access to Databricks Workspace.active- (Optional) Either service principal is active or not. True by default, but can be set to false in case of service principal deactivation with preserving service principal assets.force- (Optional) Ignorecannot create service principal: Service principal with application ID X already existserrors and implicitly import the specified service principal into Terraform state, enforcing entitlements defined in the instance of resource. This functionality is experimental and is designed to simplify corner cases, like Azure Active Directory synchronisation.force_delete_repos- (Optional) This flag determines whether the service principal's repo directory is deleted when the user is deleted. It will have no impact when in the accounts SCIM API. False by default.force_delete_home_dir- (Optional) This flag determines whether the service principal's home directory is deleted when the user is deleted. It will have no impact when in the accounts SCIM API. False by default.
In addition to all arguments above, the following attributes are exported:
id- Canonical unique identifier for the service principal.
home- Home folder of the service principal, e.g./Users/00000000-0000-0000-0000-000000000000.repos- Personal Repos location of the service principal, e.g./Repos/00000000-0000-0000-0000-000000000000.
The resource scim service principal can be imported using its id, for example 2345678901234567. To get the service principal ID, call Get service principals.
terraform import databricks_service_principal.me <service-principal-id>The following resources are often used in the same context:
- End to end workspace management guide.
- databricks_group to manage groups in Databricks Workspace or Account Console (for AWS deployments).
- databricks_group data to retrieve information about databricks_group members, entitlements and instance profiles.
- databricks_group_member to attach users and groups as group members.
- databricks_permissions to manage access control in Databricks workspace.
- databricks_sql_permissions to manage data object access control lists in Databricks workspaces for things like tables, views, databases, and [more](https://docs.databricks.