databricks_service_principal Resource

Directly manage Service Principals that could be added to databricks_group in Databricks account or workspace.

There are different types of service principals:

To create service principals in the Databricks account, the provider must be configured with host = "https://accounts.cloud.databricks.com" on AWS deployments or host = "https://accounts.azuredatabricks.net" and authenticate using the supported authentication method for account operations.

The default behavior when deleting a databricks_service_principal resource depends on whether the provider is configured at the workspace-level or account-level. When the provider is configured at the workspace-level, the service principal will be deleted from the workspace. When the provider is configured at the account-level, the service principal will be deactivated but not deleted. When the provider is configured at the account level, to delete the service principal from the account when the resource is deleted, set disable_as_user_deletion = false. Conversely, when the provider is configured at the account-level, to deactivate the service principal when the resource is deleted, set disable_as_user_deletion = true.

Example Usage

Creating regular Databricks-managed service principal:

resource "databricks_service_principal" "sp" {
  display_name = "Admin SP"
}

Creating service principal with administrative permissions - referencing special admins databricks_group in databricks_group_member resource:

data "databricks_group" "admins" {
  display_name = "admins"
}

resource "databricks_service_principal" "sp" {
  display_name = "Admin SP"
}

resource "databricks_group_member" "i-am-admin" {
  group_id  = data.databricks_group.admins.id
  member_id = databricks_service_principal.sp.id
}

Creating Azure-managed service principal with cluster create permissions:

resource "databricks_service_principal" "sp" {
  application_id       = "00000000-0000-0000-0000-000000000000"
  display_name         = "Example service principal"
  allow_cluster_create = true
}

Creating Databricks-managed service principal in AWS Databricks account:

// initialize provider at account-level
provider "databricks" {
  alias         = "account"
  host          = "https://accounts.cloud.databricks.com"
  account_id    = "00000000-0000-0000-0000-000000000000"
  client_id     = var.client_id
  client_secret = var.client_secret
}

resource "databricks_service_principal" "sp" {
  provider     = databricks.account
  display_name = "Automation-only SP"
}

Creating Azure-managed service principal in Azure Databricks account:

// initialize provider at Azure account-level
provider "databricks" {
  alias      = "account"
  host       = "https://accounts.azuredatabricks.net"
  account_id = "00000000-0000-0000-0000-000000000000"
  auth_type  = "azure-cli"
}

resource "databricks_service_principal" "sp" {
  provider       = databricks.account
  application_id = "00000000-0000-0000-0000-000000000000"
}

Argument Reference

The following arguments are available:

Attribute Reference

In addition to all arguments above, the following attributes are exported:

Import

The resource scim service principal can be imported using its id, for example 2345678901234567. To get the service principal ID, call Get service principals.

terraform import databricks_service_principal.me <service-principal-id>

The following resources are often used in the same context: