credentials
Creates, updates, deletes, gets or lists a credentials resource.
Overview
| Name | credentials |
|---|---|
| Type | Resource |
| Id | databricks_account.catalog.credentials |
Fields
The following fields are returned by SELECT queries:
- get_credential
- list_credentials
| Name | Datatype | Description |
|---|---|---|
| id | string | The unique identifier of the credential. |
| name | string | The credential name. The name must be unique among storage and service credentials within the metastore. |
| metastore_id | string | Unique identifier of the parent metastore. |
| full_name | string | The full name of the credential. |
| aws_iam_role | object | The AWS IAM role configuration. |
| azure_managed_identity | object | The Azure managed identity configuration. |
| azure_service_principal | object | The Azure service principal configuration. |
| comment | string | Comment associated with the credential. |
| created_at | integer | Time at which this credential was created, in epoch milliseconds. |
| created_by | string | Username of credential creator. |
| databricks_gcp_service_account | object | The Databricks managed GCP service account configuration. |
| isolation_mode | string | Whether the current securable is accessible from all workspaces or a specific set of workspaces. (ISOLATION_MODE_ISOLATED, ISOLATION_MODE_OPEN) |
| owner | string | Username of current owner of credential. |
| purpose | string | Indicates the purpose of the credential. (SERVICE, STORAGE) |
| read_only | boolean | Whether the credential is usable only for read operations. Only applicable when purpose is **STORAGE**. |
| updated_at | integer | Time at which this credential was last modified, in epoch milliseconds. |
| updated_by | string | Username of user who last modified the credential. |
| used_for_managed_storage | boolean | Whether this credential is the current metastore's root storage credential. Only applicable when purpose is **STORAGE**. |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| get_credential | select | name_arg | | Gets a service or storage credential from the metastore. The caller must be a metastore admin, the |
| list_credentials | select | | include_unbound, max_results, page_token, purpose | Gets an array of credentials (as CredentialInfo objects). |
| create_credential | insert | name | | Creates a new credential. The type of credential to be created is determined by the purpose field, |
| credentials_generate_temporary_service_credential | insert | credential_name | | Returns a set of temporary credentials generated using the specified service credential. The caller |
| credentials_validate_credential | insert | | | Validates a credential. |
| update_credential | update | name_arg | | Updates a service or storage credential on the metastore. |
| delete_credential | delete | name_arg | force | Deletes a service or storage credential from the metastore. The caller must be an owner of the |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
| name_arg | string | Name of the credential. |
| force | boolean | Force an update even if there are dependent services (when purpose is SERVICE) or dependent external locations and external tables (when purpose is STORAGE). |
| include_unbound | boolean | Whether to include credentials not bound to the workspace. Effective only if the user has permission to update the credential-workspace binding. |
| max_results | integer | Maximum number of credentials to return. If not set, the default max page size is used; when set to a value greater than 0, the page length is the minimum of this value and a server-configured value; when set to 0, the page length is set to a server-configured value (recommended); when set to a value less than 0, an invalid parameter error is returned. |
| page_token | string | Opaque token to retrieve the next page of results. |
| purpose | string | Return only credentials for the specified purpose. |
SELECT examples
- get_credential
- list_credentials
Gets a service or storage credential from the metastore. The caller must be a metastore admin, the
```sql
SELECT
id,
name,
metastore_id,
full_name,
aws_iam_role,
azure_managed_identity,
azure_service_principal,
comment,
created_at,
created_by,
databricks_gcp_service_account,
isolation_mode,
owner,
purpose,
read_only,
updated_at,
updated_by,
used_for_managed_storage
FROM databricks_account.catalog.credentials
WHERE name_arg = '{{ name_arg }}' -- required
;
```
Gets an array of credentials (as CredentialInfo objects).
```sql
SELECT
id,
name,
metastore_id,
full_name,
aws_iam_role,
azure_managed_identity,
azure_service_principal,
comment,
created_at,
created_by,
databricks_gcp_service_account,
isolation_mode,
owner,
purpose,
read_only,
updated_at,
updated_by,
used_for_managed_storage
FROM databricks_account.catalog.credentials
WHERE include_unbound = '{{ include_unbound }}'
AND max_results = '{{ max_results }}'
AND page_token = '{{ page_token }}'
AND purpose = '{{ purpose }}'
;
```
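The rows that list_credentials returns carry the isolation_mode, purpose, read_only and used_for_managed_storage fields documented above, and the Parameters table fixes how max_results is interpreted. The following added example (not StackQL or Databricks code) applies both sets of rules to a constructed set of rows so an operator can see which credentials widen exposure before issuing the query; the sample names and the review wording are assumptions made here.

```python
from typing import Any, Dict, List, Optional

# Enum values exactly as listed in the Fields table for this resource.
ISOLATION_OPEN = "ISOLATION_MODE_OPEN"
PURPOSE_STORAGE = "STORAGE"

# Constructed sample rows shaped like list_credentials output; not real credentials.
SAMPLE_ROWS: List[Dict[str, Any]] = [
    {"name": "lake-rw", "purpose": "STORAGE", "read_only": False,
     "isolation_mode": "ISOLATION_MODE_OPEN", "used_for_managed_storage": True},
    {"name": "lake-ro", "purpose": "STORAGE", "read_only": True,
     "isolation_mode": "ISOLATION_MODE_ISOLATED", "used_for_managed_storage": False},
    {"name": "svc-extapi", "purpose": "SERVICE", "read_only": None,
     "isolation_mode": "ISOLATION_MODE_OPEN", "used_for_managed_storage": False},
]


def page_size_rule(max_results: Optional[int]) -> str:
    """Apply the max_results rules from the Parameters table before issuing a query."""
    if max_results is None:
        return "default page size"
    if max_results < 0:
        raise ValueError("max_results < 0 is rejected by the API as an invalid parameter")
    if max_results == 0:
        return "server-configured page size (recommended)"
    return "min(max_results, server-configured page size)"


def review_credentials(rows: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map credential name -> reasons it deserves review, using only the documented fields."""
    findings: Dict[str, List[str]] = {}
    for row in rows:
        reasons: List[str] = []
        if row.get("isolation_mode") == ISOLATION_OPEN:
            reasons.append("usable from every workspace bound to the metastore")
        # read_only only applies to STORAGE credentials, so SERVICE rows are not judged on it.
        if row.get("purpose") == PURPOSE_STORAGE and not row.get("read_only"):
            reasons.append("storage credential permits writes")
        if row.get("used_for_managed_storage"):
            reasons.append("serves as the metastore's root storage credential")
        if reasons:
            findings[row["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_credentials(SAMPLE_ROWS).items():
        print(name, "->", "; ".join(reasons))
```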
INSERT examples
- create_credential
- credentials_generate_temporary_service_credential
- credentials_validate_credential
- Manifest
Creates a new credential. The type of credential to be created is determined by the purpose field,
```sql
INSERT INTO databricks_account.catalog.credentials (
name,
aws_iam_role,
azure_managed_identity,
azure_service_principal,
comment,
databricks_gcp_service_account,
purpose,
read_only,
skip_validation
)
SELECT
'{{ name }}' /* required */,
'{{ aws_iam_role }}',
'{{ azure_managed_identity }}',
'{{ azure_service_principal }}',
'{{ comment }}',
'{{ databricks_gcp_service_account }}',
'{{ purpose }}',
{{ read_only }},
{{ skip_validation }}
RETURNING
id,
name,
metastore_id,
full_name,
aws_iam_role,
azure_managed_identity,
azure_service_principal,
comment,
created_at,
created_by,
databricks_gcp_service_account,
isolation_mode,
owner,
purpose,
read_only,
updated_at,
updated_by,
used_for_managed_storage
;
```
Returns a set of temporary credentials generated using the specified service credential. The caller
```sql
INSERT INTO databricks_account.catalog.credentials (
credential_name,
azure_options,
gcp_options
)
SELECT
'{{ credential_name }}' /* required */,
'{{ azure_options }}',
'{{ gcp_options }}'
RETURNING
aws_temp_credentials,
azure_aad,
expiration_time,
gcp_oauth_token
;
```
Validates a credential.
```sql
INSERT INTO databricks_account.catalog.credentials (
aws_iam_role,
azure_managed_identity,
credential_name,
databricks_gcp_service_account,
external_location_name,
purpose,
read_only,
url
)
SELECT
'{{ aws_iam_role }}',
'{{ azure_managed_identity }}',
'{{ credential_name }}',
'{{ databricks_gcp_service_account }}',
'{{ external_location_name }}',
'{{ purpose }}',
{{ read_only }},
'{{ url }}'
RETURNING
isDir,
results
;
```
```yaml
# Description fields are for documentation purposes
- name: credentials
  props:
    - name: name
      value: "{{ name }}"
      description: |
        The credential name. The name must be unique among storage and service credentials within the metastore.
    - name: aws_iam_role
      description: |
        The AWS IAM role configuration.
      value:
        external_id: "{{ external_id }}"
        role_arn: "{{ role_arn }}"
        unity_catalog_iam_arn: "{{ unity_catalog_iam_arn }}"
    - name: azure_managed_identity
      description: |
        The Azure managed identity configuration.
      value:
        access_connector_id: "{{ access_connector_id }}"
        credential_id: "{{ credential_id }}"
        managed_identity_id: "{{ managed_identity_id }}"
    - name: azure_service_principal
      description: |
        The Azure service principal configuration.
      value:
        directory_id: "{{ directory_id }}"
        application_id: "{{ application_id }}"
        client_secret: "{{ client_secret }}"
    - name: comment
      value: "{{ comment }}"
      description: |
        Comment associated with the credential.
    - name: databricks_gcp_service_account
      description: |
        The Databricks managed GCP service account configuration.
      value:
        credential_id: "{{ credential_id }}"
        email: "{{ email }}"
        private_key_id: "{{ private_key_id }}"
    - name: purpose
      value: "{{ purpose }}"
      description: |
        The purpose of the credential. This should only be used when the credential is specified.
    - name: read_only
      value: {{ read_only }}
      description: |
        Whether the credential is only usable for read operations. Only applicable for storage credentials (purpose is **STORAGE**).
    - name: skip_validation
      value: {{ skip_validation }}
      description: |
        Optional. Supplying true to this argument skips validation of the created set of credentials.
    - name: credential_name
      value: "{{ credential_name }}"
      description: |
        Required. The name of an existing credential or long-lived cloud credential to validate.
    - name: azure_options
      description: |
        The Azure cloud options to customize the requested temporary credential.
      value:
        resources:
          - "{{ resources }}"
    - name: gcp_options
      description: |
        The GCP cloud options to customize the requested temporary credential.
      value:
        scopes:
          - "{{ scopes }}"
    - name: external_location_name
      value: "{{ external_location_name }}"
      description: |
        The name of an existing external location to validate. Only applicable for storage credentials (purpose is **STORAGE**).
    - name: url
      value: "{{ url }}"
      description: |
        The external location url to validate. Only applicable when purpose is **STORAGE**.
```
UPDATE examples
- update_credential
Updates a service or storage credential on the metastore.
```sql
UPDATE databricks_account.catalog.credentials
SET
aws_iam_role = '{{ aws_iam_role }}',
azure_managed_identity = '{{ azure_managed_identity }}',
azure_service_principal = '{{ azure_service_principal }}',
comment = '{{ comment }}',
databricks_gcp_service_account = '{{ databricks_gcp_service_account }}',
force = {{ force }},
isolation_mode = '{{ isolation_mode }}',
new_name = '{{ new_name }}',
owner = '{{ owner }}',
read_only = {{ read_only }},
skip_validation = {{ skip_validation }}
WHERE
name_arg = '{{ name_arg }}' -- required
RETURNING
id,
name,
metastore_id,
full_name,
aws_iam_role,
azure_managed_identity,
azure_service_principal,
comment,
created_at,
created_by,
databricks_gcp_service_account,
isolation_mode,
owner,
purpose,
read_only,
updated_at,
updated_by,
used_for_managed_storage;
```
DELETE examples
- delete_credential
Deletes a service or storage credential from the metastore. The caller must be an owner of the
```sql
DELETE FROM databricks_account.catalog.credentials
WHERE name_arg = '{{ name_arg }}' -- required
AND force = '{{ force }}'
;
```