Administration & Architecture

Terraforming Git credentials for service principals

vr
Contributor III

I am terraforming service principals in my Databricks workspace and it works great until I need to assign Git credentials to my SP. In the UI we have these options to configure credentials on the service principal page:

[Screenshot: vr_0-1747957962260.png]

However the Terraform resource I found seems to lack the critical piece – which service principal these credentials are for. Also the API it references says that it sets the credentials for the calling user. So, I need to call this API on behalf of the created service principal? Weird. This is not how IaC should work.

So... It looks like this capability is fundamentally missing in the Databricks API? I cannot even create a feature request in the Terraform project, because there is nothing to request. Is my understanding correct?

Databricks, why is there no parity between UI and API?

4 REPLIES

Rjdudley
Honored Contributor

You're a little bit ahead of me in this process, so I haven't tried the solution yet, but it looks like you create a git credential resource for the service principal. This requires a token, which I think must be generated in the console. My reference is Terraform integration - Azure Databricks | Microsoft Learn.

rv1
New Contributor II

So this method seems to define a whole TF provider to use as context? Isn't it strange? With infrastructure-as-code, you usually have a single (superuser) identity under which the provider works and which is capable of creating any objects, including other identities.

I expect it to work in this paradigm, because my actual IaC layer is Crossplane, which is Terraform-based, but I don't have all the capabilities of Terraform. In particular, a Crossplane equivalent of a provider would be a provider configuration, which is defined statically in the cluster. I cannot create a provider configuration "on the fly" (or maybe I don't know how to do that).

Rjdudley
Honored Contributor

No, the module created here is for the service principal which needs to be configured, not the context Terraform runs under.

vr
Contributor III

Yeah, that's what I mean, thanks for confirming.

I expect that, if I am able to create the service principal under the main Terraform identity, I should be able to configure its parameters as well (workspace privileges, secrets, Git configuration, etc.). So if I need to run Terraform under the identity of the created SP, then what's the point? It's not quite the IaC I need.
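
Added example, not written by any participant in this thread and not Databricks' own code: the second-provider pattern the thread discusses, where `databricks_git_credential` is applied through a provider configuration that authenticates as the service principal, because the credential is set for the calling identity. It assumes the service principal already has an OAuth secret supplied through variables; the variable names, the alias `as_sp` and the Git username are hypothetical.

```hcl
terraform {
  required_providers {
    databricks = { source = "databricks/databricks" }
  }
}

variable "workspace_host" { type = string }
variable "sp_client_id" { type = string } # application ID of the SP (assumed input)

variable "sp_client_secret" {
  type      = string
  sensitive = true # OAuth secret of the SP (assumed to exist already)
}

variable "git_pat" {
  type      = string
  sensitive = true # Git personal access token to attach to the SP
}

# Default configuration: the admin identity that manages the workspace,
# including creation of the service principal itself.
provider "databricks" {
  host = var.workspace_host
}

# Second configuration of the same provider, authenticated AS the service
# principal. Anything created through it belongs to the SP, not the admin.
provider "databricks" {
  alias         = "as_sp"
  host          = var.workspace_host
  client_id     = var.sp_client_id
  client_secret = var.sp_client_secret
}

# The Git credential is stored for whichever identity makes the API call,
# so the resource is pinned to the aliased provider.
resource "databricks_git_credential" "sp" {
  provider              = databricks.as_sp
  git_provider          = "gitHub"
  git_username          = "ci-bot" # constructed sample value
  personal_access_token = var.git_pat
}
```

Both the SP's client secret and the Git token end up in Terraform state in plain text even when marked `sensitive`, so the state backend needs encryption and tight access control. Scope the Git token to the repositories the service principal actually needs.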
