Saugat Mukherjee

Reputation: 1000

Terraform Databricks Storage credential for an Access Connector with User Assigned managed identity

I have a Databricks access connector that I created for accessing external locations. The access connector has a user-defined managed identity (not a system-assigned one).

Now, when I try to create a storage credential in Terraform using that access connector, I get an error saying:

cannot create storage credential: Azure Managed Identity Credential with Access Connector Id nameofcred  could not be found

Using this:

resource "databricks_storage_credential" "storage_credential" {
  name = "example_cred"
  azure_managed_identity {
    access_connector_id = <entered the resource id for the Access Connector for Azure Databricks>
  }
  comment = "Managed identity credential managed by TF"
}

And this is what my access connector looks like (configured with a userAssigned identity):

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "accessConnectors_ac_connector_example": {
            "defaultValue": "example_name",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Databricks/accessConnectors",
            "apiVersion": "2023-05-01",
            "name": "[parameters('accessConnectors_ac_connector_example')]",
            "location": "northeurope",
            "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                    "/subscriptions/xxxxxxxxxxxxx/resourceGroups/rg-example/providers/Microsoft.ManagedIdentity/userAssignedIdentities/userassignedminame": {}
                }
            },
            "properties": {}
        }
    ]
}

This is the Terraform resource link (Azure is the cloud provider): here

Is User Assigned managed identity not supported?

I also tried the azure_service_principal block with directory_id and application_id, but it keeps failing because client_secret is a required property, and since this is a user-defined managed identity, I can't create secrets (it is just listed as an SPN, aka enterprise application, in Azure AD).

Is this not supported?

From the GUI it is supported (screenshot omitted).

Upvotes: 0

Views: 2418

Answers (2)

hoangquyy

Reputation: 2073

You should upgrade the Databricks provider to the latest version and add managed_identity_id to the azure_managed_identity block.

Like this:

resource "databricks_storage_credential" "storage_credential" {
  name = "example_cred"
  azure_managed_identity {
    access_connector_id = <entered the resource id for the Access Connector for Azure Databricks>
    managed_identity_id = <resource id of Managed Identity>
  }
  comment = "Managed identity credential managed by TF"
}

Doc: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/storage_credential

Upvotes: 2
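The answer above gives only the credential block. As an added example (not code from the question, the answer, or the Databricks provider docs), here is the whole chain the error message is really about: the user-assigned identity, the access connector bound to it (the Terraform equivalent of the ARM template in the question), a least-privilege role assignment on one storage account, and finally the storage credential carrying both ids. Resource names, the workspace host, the storage account name and the provider version floors are assumptions; the only values taken from the page are the credential name and the identity name.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.70" # assumed floor: user-assigned identity on the access connector
    }
    databricks = {
      source  = "databricks/databricks"
      version = ">= 1.30" # assumed floor: managed_identity_id on the storage credential
    }
  }
}

provider "azurerm" {
  features {}
}

# Workspace-level Databricks provider; the host is a placeholder.
provider "databricks" {
  host = "https://adb-0000000000000000.0.azuredatabricks.net" # placeholder
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-example"
  location = "northeurope"
}

# The user-assigned identity that actually authenticates to storage.
resource "azurerm_user_assigned_identity" "uami" {
  name                = "userassignedminame"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}

# Access connector bound to that identity (same shape as the ARM template in the question).
resource "azurerm_databricks_access_connector" "ac" {
  name                = "example_name"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.uami.id]
  }
}

resource "azurerm_storage_account" "sa" {
  name                     = "stexample0001" # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  is_hns_enabled           = true # ADLS Gen2 namespace, required for Unity Catalog external locations
}

# Least privilege: the data-plane role goes to the identity itself, not the
# connector, and is scoped to this one storage account rather than the subscription.
resource "azurerm_role_assignment" "blob_contributor" {
  scope                = azurerm_storage_account.sa.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_user_assigned_identity.uami.principal_id
}

# With a user-assigned identity both ids are required; omitting managed_identity_id
# is what produces the "could not be found" error from the question.
resource "databricks_storage_credential" "uami" {
  name = "example_cred"
  azure_managed_identity {
    access_connector_id = azurerm_databricks_access_connector.ac.id
    managed_identity_id = azurerm_user_assigned_identity.uami.id
  }
  comment    = "User-assigned managed identity credential managed by TF"
  depends_on = [azurerm_role_assignment.blob_contributor]
}
```

The depends_on is deliberate: Databricks validates the credential against the storage account when it is created, so the role assignment has to exist first, and role assignments in Azure can take a minute to propagate. Nothing in this configuration is a secret, which is the main reason to prefer this path over the service-principal variant.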

Venkat V

Reputation: 7820

I also tried the azure_service_principal block with directory_id and application_id, but it keeps failing because client_secret is a required property, and since this is a user-defined managed identity, I can't create secrets (it is just listed as an SPN, aka enterprise application, in Azure AD).

User Assigned Managed Identities are not supported in Terraform for creating storage credentials.

A storage credential represents an authentication and authorization mechanism for accessing data stored on your cloud tenant, using either an Azure managed identity or a service principal. Follow the MS doc about storage credentials.

Alternatively, you can create storage credentials using a service principal by following the steps below.

Create a service principal in the Azure portal and give it access to your storage account.

  1. Create a client secret for the service principal and note down the directory ID, application ID and client secret for the service principal.
  2. Log into your storage account and assign the service principal the Storage Blob Data Contributor role. Follow the instructions in the MS doc about Databricks storage credentials using a service principal.

I created a Databricks storage credential using a service principal with the following Terraform code:

provider "azurerm" {
  features {}
}

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
    databricks = {
      source = "databricks/databricks"
    }
  }
}

# Use Databricks CLI authentication.
provider "databricks" {
  profile = "DEFAULT"
  host    = "Databricks-URL"
}

resource "databricks_storage_credential" "storage_credential" {
  name = "databricks-storage"
  azure_service_principal {
    application_id = ""
    directory_id   = ""
    client_secret  = ""
  }
  comment = "Service Principal credential managed by TF"
}

Terraform Plan: (screenshot omitted)

Terraform Apply: (screenshot omitted)

Upvotes: 0
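The configuration in this answer leaves application_id, directory_id and client_secret as empty literals to be filled in. As an added example (not the answerer's code), the same credential with the secret kept out of the source file: the secret arrives through a variable marked sensitive, the tenant id comes from the current azurerm session instead of being pasted in, and the service principal is granted the storage role at storage-account scope before the credential is created. It assumes the provider blocks already shown in the answer above; the variable names, the storage account resource id and the service principal ids are placeholders.

```hcl
variable "sp_application_id" {
  type        = string
  description = "Client (application) id of the service principal"
}

variable "sp_object_id" {
  type        = string
  description = "Object id of the service principal, used for the role assignment"
}

variable "sp_client_secret" {
  type        = string
  sensitive   = true # redacted from plan/apply output; still written to state
  description = "Client secret; supply via TF_VAR_sp_client_secret, never in a .tf file"
}

# Tenant id of the identity Terraform itself is running as.
data "azurerm_client_config" "current" {}

# Scope the data-plane role to one storage account (placeholder id), not the subscription.
resource "azurerm_role_assignment" "sp_blob_contributor" {
  scope                = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Storage/storageAccounts/stexample0001" # placeholder
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.sp_object_id
}

resource "databricks_storage_credential" "sp" {
  name = "databricks-storage"
  azure_service_principal {
    application_id = var.sp_application_id
    directory_id   = data.azurerm_client_config.current.tenant_id
    client_secret  = var.sp_client_secret
  }
  comment    = "Service principal credential managed by TF"
  depends_on = [azurerm_role_assignment.sp_blob_contributor]
}
```

Run it as `TF_VAR_sp_client_secret='...' terraform apply`. The sensitive flag only hides the value from console output: Terraform still stores it in plaintext in state, so the state backend needs the same access controls and encryption you would give the secret itself, and the client secret has an expiry that has to be rotated. Both of those are reasons the managed-identity path in the other answer is the better default when it is available.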
