https://community.databricks.com/t5/administration-architecture/terraforming-git-credentials-for-service-principals/m-p/120357#M3398 <P>You're a little bit ahead of me in this process, so I haven't tried the solution yet, but it looks like you create a git credential resource for the service principal.&nbsp; This requires a token, which I think must be generated in the console.&nbsp; My reference is&nbsp;<A href="https://learn.microsoft.com/en-us/azure/databricks/repos/automate-with-terraform" target="_blank">Terraform integration - Azure Databricks | Microsoft Learn</A>.</P> Tue, 27 May 2025 18:07:11 GMT Rjdudley 2025-05-27T18:07:11Z https://community.databricks.com/t5/administration-architecture/terraforming-git-credentials-for-service-principals/m-p/120011#M3394 <P>I am terraforming service principals in my Databricks workspace and it works great until I need to assign Git credentials to my SP. In the UI we have these options to configure credentials on service principal page:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vr_0-1747957962260.png" style="width: 400px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/17066i02EA4AB7D2A0513B/image-size/medium?v=v2&amp;px=400" role="button" title="vr_0-1747957962260.png" alt="vr_0-1747957962260.png" /></span></P><P data-unlink="true">However the <A href="https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/git_credential" target="_blank" rel="noopener">Terraform resource</A> I found seems to lack the critical piece – <EM>which service principal</EM> these credentials are for. Also <A href="https://docs.databricks.com/api/workspace/gitcredentials" target="_blank" rel="noopener">the API</A> it references&nbsp;<A href="https://docs.databricks.com/api/azure/workspace/gitcredentials/create" target="_blank" rel="noopener">says</A>&nbsp;that it sets the credentials for the <STRONG>calling user</STRONG>. So, I need to call this API on behalf of the created service principal? Weird. This is not how IaC should work.</P><P data-unlink="true">So... It looks like these capability is fundamentally missing in Databricks API? I cannot even create a feature request in Terraform project, because there is nothing to request. Is my understanding correct?</P><P data-unlink="true">Databricks, why is there no parity between UI and API?</P> Fri, 23 May 2025 00:07:02 GMT https://community.databricks.com/t5/administration-architecture/terraforming-git-credentials-for-service-principals/m-p/120011#M3394 vr 2025-05-23T00:07:02Z https://community.databricks.com/t5/administration-architecture/terraforming-git-credentials-for-service-principals/m-p/120357#M3398 <P>You're a little bit ahead of me in this process, so I haven't tried the solution yet, but it looks like you create a git credential resource for the service principal.&nbsp; This requires a token, which I think must be generated in the console.&nbsp; My reference is&nbsp;<A href="https://learn.microsoft.com/en-us/azure/databricks/repos/automate-with-terraform" target="_blank">Terraform integration - Azure Databricks | Microsoft Learn</A>.</P> Tue, 27 May 2025 18:07:11 GMT https://community.databricks.com/t5/administration-architecture/terraforming-git-credentials-for-service-principals/m-p/120357#M3398 Rjdudley 2025-05-27T18:07:11Z https://community.databricks.com/t5/administration-architecture/terraforming-git-credentials-for-service-principals/m-p/120363#M3400 <P>So this method seems like defines a whole TF provider to use it as context? Isn't it strange? With infrastructure-as-code, you usually have a single (superuser) identity under which the provider works and which is capable of creating any objects, including other identities.</P><P>I expect it to work in this paradigm, because my actual IaC layer is Crossplane, which is Terraform-based, but I don't have all capabilities of Terraform. In particular, a Crossplane equivalent of a provider would be provider configuration, which is defined statically in the cluster. I cannot create a provider configuration "on the fly" (or maybe I don't know how to do that).</P> Tue, 27 May 2025 18:55:40 GMT https://community.databricks.com/t5/administration-architecture/terraforming-git-credentials-for-service-principals/m-p/120363#M3400 rv1 2025-05-27T18:55:40Z https://community.databricks.com/t5/administration-architecture/terraforming-git-credentials-for-service-principals/m-p/120466#M3408 <P>No, the module created here is for the service principal which needs to be configured, not the context Terraform runs under.</P> Wed, 28 May 2025 19:13:40 GMT https://community.databricks.com/t5/administration-architecture/terraforming-git-credentials-for-service-principals/m-p/120466#M3408 Rjdudley 2025-05-28T19:13:40Z https://community.databricks.com/t5/administration-architecture/terraforming-git-credentials-for-service-principals/m-p/120480#M3409 <P>Yeah, that's what I mean, thanks for confirming.</P><P>I expect, that, if I am able to create the service principal under the main Terraform identity, I should be able to configure its parameters as well (workspace privileges, secrets, Git configuration, etc). So if I need to run Terraform under the identity of the created SP, then what's the point? it's not quite the IaC I need.</P> Wed, 28 May 2025 21:57:48 GMT https://community.databricks.com/t5/administration-architecture/terraforming-git-credentials-for-service-principals/m-p/120480#M3409 vr 2025-05-28T21:57:48Z