Tags: terraform, databricks, terraform-provider-databricks

Create Databricks token for another user


After deploying a Databricks workspace, I would like to add an application user and generate a token for it. Is there a way to have something like:

resource "databricks_service_principal" "app" {
  application_id = "01234567-89ab-cdef-0123-456789abcdef"
}

resource "databricks_token" "token" {
  service_principal_id = databricks_service_principal.app.application_id
  comment              = "A token"
}

Currently databricks_token doesn't support a service_principal_id field; it only creates a token for the current user.


Solution

  • It depends on the cloud:

    • On AWS there is support for a so-called "on behalf of" (OBO) token; there is a dedicated resource for it: databricks_obo_token (doc).
    • On Azure, you can create a separate provider instance that authenticates to Databricks using Service Principal authentication (doc) and generate a token using that provider instance (although, frankly speaking, it's better to always use AAD auth for service principals on Azure). Something like this:
    # this uses the "normal" (default) provider instance
    resource "databricks_service_principal" "app" {
      application_id = "01234567-89ab-cdef-0123-456789abcdef"
    }
    
    # Provider instance that authenticates as the Service Principal itself
    provider "databricks" {
      host                        = azurerm_databricks_workspace.this.workspace_url
      azure_workspace_resource_id = azurerm_databricks_workspace.this.id
      azure_client_id             = var.client_id
      azure_client_secret         = var.client_secret
      azure_tenant_id             = var.tenant_id
      alias                       = "spn"
    }
    
    # Created through the aliased provider, so the token belongs to the SP,
    # not to the identity that is running Terraform
    resource "databricks_token" "token" {
      provider   = databricks.spn
      comment    = "A token"
      depends_on = [databricks_service_principal.app]
    }
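The AWS branch of the answer above has no code, so here is an added example of the databricks_obo_token route. It is not part of the original answer and not copied from the provider's documentation. It assumes the default databricks provider is configured as a workspace admin and that the service principal is created in the same configuration; the resource names, the display name, the comment text and the 3600-second lifetime are illustrative choices.

```hcl
# Added example: workspace-level service principal plus an OBO token (AWS).
# Assumes the default "databricks" provider is configured as a workspace admin.

resource "databricks_service_principal" "app" {
  # On AWS the application_id is generated by Databricks, so only a name is given
  display_name = "ci-automation" # illustrative name
}

# An OBO token can only be minted for a principal that is allowed to use tokens.
# Grant CAN_USE on the workspace-wide "tokens" authorization to the SP.
resource "databricks_permissions" "token_usage" {
  authorization = "tokens"

  access_control {
    service_principal_name = databricks_service_principal.app.application_id
    permission_level       = "CAN_USE"
  }
}

# Personal access token issued on behalf of the service principal.
# lifetime_seconds keeps the credential short-lived; 3600 is an illustrative value.
resource "databricks_obo_token" "app" {
  depends_on       = [databricks_permissions.token_usage]
  application_id   = databricks_service_principal.app.application_id
  comment          = "PAT for ${databricks_service_principal.app.display_name}"
  lifetime_seconds = 3600
}

# token_value is the secret. sensitive = true hides it from plan/apply output,
# but it is still written to Terraform state in clear text.
output "app_token" {
  value     = databricks_obo_token.app.token_value
  sensitive = true
}
```

Two points worth keeping in mind with either the OBO or the aliased-provider approach: the explicit depends_on orders the CAN_USE grant before the token request, since the token can only be created for a principal that is permitted to use tokens; and the token value ends up in the state file regardless of the sensitive flag, so the state backend has to be treated as a secret store (encrypted at rest, access restricted) and lifetime_seconds should be set rather than left unlimited.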