Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.

Automatic Identity Management with Nested Groups and API Access

RikL
Databricks Partner

Hi all,

I’m exploring Automatic Identity Management for synchronizing nested groups in Azure Databricks. According to the documentation, this feature supports nested groups: Automatic Identity Management

However, the same article notes that groups synced this way cannot be managed via the API or Terraform: Nested Groups and Service Principals through API/Terraform


I’m wondering: Is there any plan to allow API/terraform management for these automatically synced nested groups in the future?

My goal is to automatically sync child groups from a provisioned parent group and manage them immediately via the API, so that the provisioning step isn’t required every time a new child group is created.


If there are any workarounds or best practices to automate this workflow, I’d love to hear them as well!

Thanks in advance,

Rik

2 REPLIES

emma_s
Databricks Employee

Hi, I've just had a look internally and there is some discussion about making this functionality available, but I can't give you a definitive idea of when this might be.

In terms of workarounds, the best one I can find is to use Terracurl to make raw API calls to the IAMV2 APIs. Code snippet below:

terraform {
  required_providers {
    # request_body and method on the http data source need hashicorp/http 3.x or later
    http = { source = "hashicorp/http" }
  }
}

variable "databricks_account_id" { type = string }
variable "databricks_token" {
  type      = string
  sensitive = true # keeps the bearer token out of plan output and logs
}
variable "group_external_id" { type = string } # Entra object ID of the subgroup

# Resolve an Entra (external) group ID to its Databricks account group
data "http" "resolve_group" {
  url    = "https://accounts.azuredatabricks.net/api/2.0/identity/accounts/${var.databricks_account_id}/groups/resolveByExternalId"
  method = "POST"

  request_headers = {
    Authorization  = "Bearer ${var.databricks_token}"
    "Content-Type" = "application/json"
  }

  request_body = jsonencode({
    external_id = var.group_external_id
    # include other fields if your IdP / endpoint requires them
  })
}

locals {
  resolved_group = jsondecode(data.http.resolve_group.response_body)
  # adjust to actual response schema:
  resolved_group_id = try(local.resolved_group.group.id, null)
}

You would need to get the individual Entra IDs of the subgroups, though, but I'd imagine you could use an Entra ID TF provider to do this and then pass these into the code above.


I hope this helps.


Thanks,

Emma
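The same resolve-by-external-ID workaround, expressed as a plain API client rather than Terraform, as an added example that is not code from this thread or from Databricks. Only the endpoint URL and the `external_id` request field come from the snippet above; the response shape (`group.id` or a top-level `id`), the retry on HTTP 429, the GUID check on Entra object IDs, and the account/token placeholder values are all assumptions. The HTTP transport is injected so the example runs offline against a constructed fake; a real run would pass a small wrapper around `requests` or `urllib`.

```python
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

# Endpoint from the Terraform snippet in the reply above; the response shape
# is an ASSUMPTION (the snippet itself says "adjust to actual response schema").
ACCOUNTS_HOST = "https://accounts.azuredatabricks.net"
RESOLVE_PATH = "/api/2.0/identity/accounts/{account_id}/groups/resolveByExternalId"

# Entra object IDs are GUIDs; reject anything else before it reaches the API.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# A transport takes (method, url, headers, body) and returns (status, text).
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]


def is_entra_object_id(value: str) -> bool:
    return bool(_GUID_RE.match(value))


def extract_group_id(response_text: str) -> Optional[str]:
    """Pull the Databricks group id out of a resolve response, tolerating two
    plausible shapes ({"group": {"id": ...}} or {"id": ...}); both are assumptions."""
    try:
        payload = json.loads(response_text)
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, dict):
        return None
    group = payload.get("group")
    if isinstance(group, dict) and isinstance(group.get("id"), str):
        return group["id"]
    if isinstance(payload.get("id"), str):
        return payload["id"]
    return None


def resolve_group(account_id: str, token: str, external_id: str,
                  send: Transport, max_attempts: int = 3) -> Optional[str]:
    """Resolve one Entra group object id to its Databricks account group id.
    Returns None for an unknown group (404), an unusable body, or exhausted
    retries; raises on other HTTP errors. The token never appears in messages."""
    if not is_entra_object_id(external_id):
        raise ValueError(f"not an Entra object id: {external_id!r}")
    url = ACCOUNTS_HOST + RESOLVE_PATH.format(account_id=account_id)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"external_id": external_id})
    for _ in range(max_attempts):
        status, text = send("POST", url, headers, body)
        if status == 429:
            continue  # rate limited: retry (a real client would honour Retry-After)
        if status == 404:
            return None
        if status != 200:
            raise RuntimeError(f"resolve failed for {external_id}: HTTP {status}")
        return extract_group_id(text)
    return None


def resolve_groups(account_id: str, token: str, external_ids: List[str],
                   send: Transport) -> Dict[str, Optional[str]]:
    """Resolve many subgroup ids (e.g. the Entra parent group's member object
    ids), de-duplicated, into {external_id: databricks_group_id_or_None}."""
    return {ext: resolve_group(account_id, token, ext, send)
            for ext in dict.fromkeys(external_ids)}


def make_fake_transport(table: Dict[str, List[Tuple[int, str]]]) -> Transport:
    """Constructed offline stand-in: `table` maps external_id -> responses
    returned in order, so a 429 followed by a 200 can be simulated."""
    queues = {k: list(v) for k, v in table.items()}

    def send(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        assert method == "POST" and url.endswith("/groups/resolveByExternalId")
        assert headers["Authorization"].startswith("Bearer ")
        ext = json.loads(body)["external_id"]
        responses = queues.get(ext, [(404, '{"error": "group not found"}')])
        return responses.pop(0) if len(responses) > 1 else responses[0]
    return send


# Constructed sample data: two known subgroups (one rate-limited once) and,
# in demo(), one id the account has never seen.
SAMPLE_RESPONSES = {
    "11111111-2222-3333-4444-555555555555": [(200, '{"group": {"id": "grp-123"}}')],
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": [(429, ""), (200, '{"id": "grp-456"}')],
}


def demo() -> Dict[str, Optional[str]]:
    send = make_fake_transport(SAMPLE_RESPONSES)
    ids = list(SAMPLE_RESPONSES) + ["99999999-9999-9999-9999-999999999999"]
    # placeholder account id and token: not real values
    return resolve_groups("ACCOUNT-ID-PLACEHOLDER", "TOKEN-PLACEHOLDER", ids, send)


if __name__ == "__main__":
    for ext, gid in demo().items():
        print(ext, "->", gid if gid else "unresolved")
```

The mapping `demo()` returns is what a bundle or script would feed into its grants once the parent group's member object IDs have been listed from Entra; unresolved ids come back as `None` so the caller can decide whether to provision them or skip them, rather than failing the whole run.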

RikL
Databricks Partner

Hi Emma,

Thanks for the quick response, and great to hear that this topic is being discussed. The code snippet provides an interesting insight but does not quite cover what we are trying to do. Even though I included Terraform in the original post, our main focus is on API management. Ideally, subgroups of a provisioned parent group are automatically usable in e.g. bundles (within the 'grants' block) and show up when listing groups and querying the members of the provisioned parent group (currently an empty list is returned), preferably without the need for the external id altogether. If this is currently impossible, that is fine, of course. Then we will just provision them directly and keep an eye out for any future changes.

Best,

Rik