Docs Home
Databricks v1.65.0 published on Wednesday, Apr 9, 2025 by Pulumi
databricks.OboToken
Explore with Pulumi AI
This resource can only be used with a workspace-level provider!
This resource creates On-Behalf-Of tokens for a databricks.ServicePrincipal in Databricks workspaces on AWS and GCP. In general it’s best to use OAuth authentication using client ID and secret, and use this resource mostly for integrations that doesn’t support OAuth.
To create On-Behalf-Of token for Azure Service Principal, configure Pulumi provider to use Azure service principal’s client ID and secret, and use
databricks.Tokenresource to create a personal access token.
Example Usage
Creating a token for a narrowly-scoped service principal, that would be the only one (besides admins) allowed to use PAT token in this given workspace, keeping your automated deployment highly secure.
A given declaration of
databricks_permissions.token_usagewould OVERWRITE permissions to use PAT tokens from any existing groups with token usage permissions such as theusersgroup. To avoid this, be sure to include any desired groups in additionalaccess_controlblocks in the Pulumi configuration file.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const _this = new databricks.ServicePrincipal("this", {displayName: "Automation-only SP"});
const tokenUsage = new databricks.Permissions("token_usage", {
authorization: "tokens",
accessControls: [{
servicePrincipalName: _this.applicationId,
permissionLevel: "CAN_USE",
}],
});
const thisOboToken = new databricks.OboToken("this", {
applicationId: _this.applicationId,
comment: pulumi.interpolate`PAT on behalf of ${_this.displayName}`,
lifetimeSeconds: 3600,
}, {
dependsOn: [tokenUsage],
});
export const obo = thisOboToken.tokenValue;
import pulumi
import pulumi_databricks as databricks
this = databricks.ServicePrincipal("this", display_name="Automation-only SP")
token_usage = databricks.Permissions("token_usage",
authorization="tokens",
access_controls=[{
"service_principal_name": this.application_id,
"permission_level": "CAN_USE",
}])
this_obo_token = databricks.OboToken("this",
application_id=this.application_id,
comment=this.display_name.apply(lambda display_name: f"PAT on behalf of {display_name}"),
lifetime_seconds=3600,
opts = pulumi.ResourceOptions(depends_on=[token_usage]))
pulumi.export("obo", this_obo_token.token_value)
package main
import (
"fmt"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
this, err := databricks.NewServicePrincipal(ctx, "this", &databricks.ServicePrincipalArgs{
DisplayName: pulumi.String("Automation-only SP"),
})
if err != nil {
return err
}
tokenUsage, err := databricks.NewPermissions(ctx, "token_usage", &databricks.PermissionsArgs{
Authorization: pulumi.String("tokens"),
AccessControls: databricks.PermissionsAccessControlArray{
&databricks.PermissionsAccessControlArgs{
ServicePrincipalName: this.ApplicationId,
PermissionLevel: pulumi.String("CAN_USE"),
},
},
})
if err != nil {
return err
}
thisOboToken, err := databricks.NewOboToken(ctx, "this", &databricks.OboTokenArgs{
ApplicationId: this.ApplicationId,
Comment: this.DisplayName.ApplyT(func(displayName string) (string, error) {
return fmt.Sprintf("PAT on behalf of %v", displayName), nil
}).(pulumi.StringOutput),
LifetimeSeconds: pulumi.Int(3600),
}, pulumi.DependsOn([]pulumi.Resource{
tokenUsage,
}))
if err != nil {
return err
}
ctx.Export("obo", thisOboToken.TokenValue)
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var @this = new Databricks.ServicePrincipal("this", new()
{
DisplayName = "Automation-only SP",
});
var tokenUsage = new Databricks.Permissions("token_usage", new()
{
Authorization = "tokens",
AccessControls = new[]
{
new Databricks.Inputs.PermissionsAccessControlArgs
{
ServicePrincipalName = @this.ApplicationId,
PermissionLevel = "CAN_USE",
},
},
});
var thisOboToken = new Databricks.OboToken("this", new()
{
ApplicationId = @this.ApplicationId,
Comment = @this.DisplayName.Apply(displayName => $"PAT on behalf of {displayName}"),
LifetimeSeconds = 3600,
}, new CustomResourceOptions
{
DependsOn =
{
tokenUsage,
},
});
return new Dictionary<string, object?>
{
["obo"] = thisOboToken.TokenValue,
};
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.ServicePrincipal;
import com.pulumi.databricks.ServicePrincipalArgs;
import com.pulumi.databricks.Permissions;
import com.pulumi.databricks.PermissionsArgs;
import com.pulumi.databricks.inputs.PermissionsAccessControlArgs;
import com.pulumi.databricks.OboToken;
import com.pulumi.databricks.OboTokenArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var this_ = new ServicePrincipal("this", ServicePrincipalArgs.builder()
.displayName("Automation-only SP")
.build());
var tokenUsage = new Permissions("tokenUsage", PermissionsArgs.builder()
.authorization("tokens")
.accessControls(PermissionsAccessControlArgs.builder()
.servicePrincipalName(this_.applicationId())
.permissionLevel("CAN_USE")
.build())
.build());
var thisOboToken = new OboToken("thisOboToken", OboTokenArgs.builder()
.applicationId(this_.applicationId())
.comment(this_.displayName().applyValue(_displayName -> String.format("PAT on behalf of %s", _displayName)))
.lifetimeSeconds(3600)
.build(), CustomResourceOptions.builder()
.dependsOn(tokenUsage)
.build());
ctx.export("obo", thisOboToken.tokenValue());
}
}
resources:
this:
type: databricks:ServicePrincipal
properties:
displayName: Automation-only SP
tokenUsage:
type: databricks:Permissions
name: token_usage
properties:
authorization: tokens
accessControls:
- servicePrincipalName: ${this.applicationId}
permissionLevel: CAN_USE
thisOboToken:
type: databricks:OboToken
name: this
properties:
applicationId: ${this.applicationId}
comment: PAT on behalf of ${this.displayName}
lifetimeSeconds: 3600
options:
dependsOn:
- ${tokenUsage}
outputs:
obo: ${thisOboToken.tokenValue}
Creating a token for a service principal with admin privileges
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const _this = new databricks.ServicePrincipal("this", {displayName: "Pulumi"});
const admins = databricks.getGroup({
displayName: "admins",
});
const thisGroupMember = new databricks.GroupMember("this", {
groupId: admins.then(admins => admins.id),
memberId: _this.id,
});
const thisOboToken = new databricks.OboToken("this", {
applicationId: _this.applicationId,
comment: pulumi.interpolate`PAT on behalf of ${_this.displayName}`,
lifetimeSeconds: 3600,
}, {
dependsOn: [thisGroupMember],
});
import pulumi
import pulumi_databricks as databricks
this = databricks.ServicePrincipal("this", display_name="Pulumi")
admins = databricks.get_group(display_name="admins")
this_group_member = databricks.GroupMember("this",
group_id=admins.id,
member_id=this.id)
this_obo_token = databricks.OboToken("this",
application_id=this.application_id,
comment=this.display_name.apply(lambda display_name: f"PAT on behalf of {display_name}"),
lifetime_seconds=3600,
opts = pulumi.ResourceOptions(depends_on=[this_group_member]))
package main
import (
"fmt"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
this, err := databricks.NewServicePrincipal(ctx, "this", &databricks.ServicePrincipalArgs{
DisplayName: pulumi.String("Pulumi"),
})
if err != nil {
return err
}
admins, err := databricks.LookupGroup(ctx, &databricks.LookupGroupArgs{
DisplayName: "admins",
}, nil)
if err != nil {
return err
}
thisGroupMember, err := databricks.NewGroupMember(ctx, "this", &databricks.GroupMemberArgs{
GroupId: pulumi.String(admins.Id),
MemberId: this.ID(),
})
if err != nil {
return err
}
_, err = databricks.NewOboToken(ctx, "this", &databricks.OboTokenArgs{
ApplicationId: this.ApplicationId,
Comment: this.DisplayName.ApplyT(func(displayName string) (string, error) {
return fmt.Sprintf("PAT on behalf of %v", displayName), nil
}).(pulumi.StringOutput),
LifetimeSeconds: pulumi.Int(3600),
}, pulumi.DependsOn([]pulumi.Resource{
thisGroupMember,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var @this = new Databricks.ServicePrincipal("this", new()
{
DisplayName = "Pulumi",
});
var admins = Databricks.GetGroup.Invoke(new()
{
DisplayName = "admins",
});
var thisGroupMember = new Databricks.GroupMember("this", new()
{
GroupId = admins.Apply(getGroupResult => getGroupResult.Id),
MemberId = @this.Id,
});
var thisOboToken = new Databricks.OboToken("this", new()
{
ApplicationId = @this.ApplicationId,
Comment = @this.DisplayName.Apply(displayName => $"PAT on behalf of {displayName}"),
LifetimeSeconds = 3600,
}, new CustomResourceOptions
{
DependsOn =
{
thisGroupMember,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.ServicePrincipal;
import com.pulumi.databricks.ServicePrincipalArgs;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetGroupArgs;
import com.pulumi.databricks.GroupMember;
import com.pulumi.databricks.GroupMemberArgs;
import com.pulumi.databricks.OboToken;
import com.pulumi.databricks.OboTokenArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var this_ = new ServicePrincipal("this", ServicePrincipalArgs.builder()
.displayName("Pulumi")
.build());
final var admins = DatabricksFunctions.getGroup(GetGroupArgs.builder()
.displayName("admins")
.build());
var thisGroupMember = new GroupMember("thisGroupMember", GroupMemberArgs.builder()
.groupId(admins.id())
.memberId(this_.id())
.build());
var thisOboToken = new OboToken("thisOboToken", OboTokenArgs.builder()
.applicationId(this_.applicationId())
.comment(this_.displayName().applyValue(_displayName -> String.format("PAT on behalf of %s", _displayName)))
.lifetimeSeconds(3600)
.build(), CustomResourceOptions.builder()
.dependsOn(thisGroupMember)
.build());
}
}
resources:
this:
type: databricks:ServicePrincipal
properties:
displayName: Pulumi
thisGroupMember:
type: databricks:GroupMember
name: this
properties:
groupId: ${admins.id}
memberId: ${this.id}
thisOboToken:
type: databricks:OboToken
name: this
properties:
applicationId: ${this.applicationId}
comment: PAT on behalf of ${this.displayName}
lifetimeSeconds: 3600
options:
dependsOn:
- ${thisGroupMember}
variables:
admins:
fn::invoke:
function: databricks:getGroup
arguments:
displayName: admins
Related Resources
The following resources are often used in the same context:
- End to end workspace management guide.
- databricks.Group data to retrieve information about databricks.Group members, entitlements and instance profiles.
- databricks.GroupMember to attach users and groups as group members.
- databricks.Permissions to manage access control in Databricks workspace.
- databricks.ServicePrincipal to manage Service Principals that could be added to databricks.Group within workspace.
- databricks.SqlPermissions to manage data object access control lists in Databricks workspaces for things like tables, views, databases, and more.
Create OboToken Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new OboToken(name: string, args: OboTokenArgs, opts?: CustomResourceOptions);@overload
def OboToken(resource_name: str,
args: OboTokenArgs,
opts: Optional[ResourceOptions] = None)
@overload
def OboToken(resource_name: str,
opts: Optional[ResourceOptions] = None,
application_id: Optional[str] = None,
comment: Optional[str] = None,
lifetime_seconds: Optional[int] = None)func NewOboToken(ctx *Context, name string, args OboTokenArgs, opts ...ResourceOption) (*OboToken, error)public OboToken(string name, OboTokenArgs args, CustomResourceOptions? opts = null)public OboToken(String name, OboTokenArgs args)
public OboToken(String name, OboTokenArgs args, CustomResourceOptions options)
type: databricks:OboToken
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name
This property is required. string - The unique name of the resource.
- args
This property is required. OboTokenArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name
This property is required. str - The unique name of the resource.
- args
This property is required. OboTokenArgs - The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. OboTokenArgs - The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. OboTokenArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name
This property is required. String - The unique name of the resource.
- args
This property is required. OboTokenArgs - The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var oboTokenResource = new Databricks.OboToken("oboTokenResource", new()
{
ApplicationId = "string",
Comment = "string",
LifetimeSeconds = 0,
});
example, err := databricks.NewOboToken(ctx, "oboTokenResource", &databricks.OboTokenArgs{
ApplicationId: pulumi.String("string"),
Comment: pulumi.String("string"),
LifetimeSeconds: pulumi.Int(0),
})
var oboTokenResource = new OboToken("oboTokenResource", OboTokenArgs.builder()
.applicationId("string")
.comment("string")
.lifetimeSeconds(0)
.build());
obo_token_resource = databricks.OboToken("oboTokenResource",
application_id="string",
comment="string",
lifetime_seconds=0)
const oboTokenResource = new databricks.OboToken("oboTokenResource", {
applicationId: "string",
comment: "string",
lifetimeSeconds: 0,
});
type: databricks:OboToken
properties:
applicationId: string
comment: string
lifetimeSeconds: 0
OboToken Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The OboToken resource accepts the following input properties:
- Application
Id stringThis property is required. 
Changes to this property will trigger replacement. - Application ID of databricks.ServicePrincipal to create a PAT token for.
- Comment
- Comment that describes the purpose of the token.
- Lifetime
Seconds - The number of seconds before the token expires. Token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
- Application
Id stringThis property is required. Changes to this property will trigger replacement. - Application ID of databricks.ServicePrincipal to create a PAT token for.
- Comment
- Comment that describes the purpose of the token.
- Lifetime
Seconds - The number of seconds before the token expires. Token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
- application
Id StringThis property is required. Changes to this property will trigger replacement. - Application ID of databricks.ServicePrincipal to create a PAT token for.
- comment
- Comment that describes the purpose of the token.
- lifetime
Seconds - The number of seconds before the token expires. Token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
- application
Id stringThis property is required. Changes to this property will trigger replacement. - Application ID of databricks.ServicePrincipal to create a PAT token for.
- comment
- Comment that describes the purpose of the token.
- lifetime
Seconds - The number of seconds before the token expires. Token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
- application_
id strThis property is required. Changes to this property will trigger replacement. - Application ID of databricks.ServicePrincipal to create a PAT token for.
- comment
- Comment that describes the purpose of the token.
- lifetime_
seconds - The number of seconds before the token expires. Token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
- application
Id StringThis property is required. Changes to this property will trigger replacement. - Application ID of databricks.ServicePrincipal to create a PAT token for.
- comment
- Comment that describes the purpose of the token.
- lifetime
Seconds - The number of seconds before the token expires. Token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
Outputs
All input properties are implicitly available as output properties. Additionally, the OboToken resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Token
Value string - Sensitive value of the newly-created token.
- Id string
- The provider-assigned unique ID for this managed resource.
- Token
Value string - Sensitive value of the newly-created token.
- id String
- The provider-assigned unique ID for this managed resource.
- token
Value String - Sensitive value of the newly-created token.
- id string
- The provider-assigned unique ID for this managed resource.
- token
Value string - Sensitive value of the newly-created token.
- id str
- The provider-assigned unique ID for this managed resource.
- token_
value str - Sensitive value of the newly-created token.
- id String
- The provider-assigned unique ID for this managed resource.
- token
Value String - Sensitive value of the newly-created token.
Look up Existing OboToken Resource
Get an existing OboToken resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: OboTokenState, opts?: CustomResourceOptions): OboToken@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
application_id: Optional[str] = None,
comment: Optional[str] = None,
lifetime_seconds: Optional[int] = None,
token_value: Optional[str] = None) -> OboTokenfunc GetOboToken(ctx *Context, name string, id IDInput, state *OboTokenState, opts ...ResourceOption) (*OboToken, error)public static OboToken Get(string name, Input<string> id, OboTokenState? state, CustomResourceOptions? opts = null)public static OboToken get(String name, Output<String> id, OboTokenState state, CustomResourceOptions options)resources: _: type: databricks:OboToken get: id: ${id}- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Application
Id - Application ID of databricks.ServicePrincipal to create a PAT token for.
- Comment
- Comment that describes the purpose of the token.
- Lifetime
Seconds - The number of seconds before the token expires. Token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
- Token
Value string - Sensitive value of the newly-created token.
- Application
Id - Application ID of databricks.ServicePrincipal to create a PAT token for.
- Comment
- Comment that describes the purpose of the token.
- Lifetime
Seconds - The number of seconds before the token expires. Token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
- Token
Value string - Sensitive value of the newly-created token.
- application
Id - Application ID of databricks.ServicePrincipal to create a PAT token for.
- comment
- Comment that describes the purpose of the token.
- lifetime
Seconds - The number of seconds before the token expires. Token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
- token
Value String - Sensitive value of the newly-created token.
- application
Id - Application ID of databricks.ServicePrincipal to create a PAT token for.
- comment
- Comment that describes the purpose of the token.
- lifetime
Seconds - The number of seconds before the token expires. Token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
- token
Value string - Sensitive value of the newly-created token.
- application_
id - Application ID of databricks.ServicePrincipal to create a PAT token for.
- comment
- Comment that describes the purpose of the token.
- lifetime_
seconds - The number of seconds before the token expires. Token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
- token_
value str - Sensitive value of the newly-created token.
- application
Id - Application ID of databricks.ServicePrincipal to create a PAT token for.
- comment
- Comment that describes the purpose of the token.
- lifetime
Seconds - The number of seconds before the token expires. Token resource is re-created when it expires. If no lifetime is specified, the token remains valid indefinitely.
- token
Value String - Sensitive value of the newly-created token.
Import
!> Importing this resource is not currently supported.
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- databricks pulumi/pulumi-databricks
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
databricksTerraform Provider.