w.credentials: Credentials

class databricks.sdk.service.catalog.CredentialsAPI

A credential represents an authentication and authorization mechanism for accessing services on your cloud tenant. Each credential is subject to Unity Catalog access-control policies that control which users and groups can access the credential.

To create credentials, you must be a Databricks account admin or have the CREATE SERVICE CREDENTIAL privilege. The user who creates the credential can delegate ownership to another user or group to manage permissions on it.

create_credential(name: str [, aws_iam_role: Optional[AwsIamRole], azure_managed_identity: Optional[AzureManagedIdentity], azure_service_principal: Optional[AzureServicePrincipal], comment: Optional[str], databricks_gcp_service_account: Optional[DatabricksGcpServiceAccount], purpose: Optional[CredentialPurpose], read_only: Optional[bool], skip_validation: Optional[bool]]) CredentialInfo

Creates a new credential. The type of credential to be created is determined by the purpose field, which should be either SERVICE or STORAGE.

The caller must be a metastore admin or have the metastore privilege CREATE_STORAGE_CREDENTIAL for storage credentials, or CREATE_SERVICE_CREDENTIAL for service credentials.

Parameters:
  • name – str The credential name. The name must be unique among storage and service credentials within the metastore.

  • aws_iam_roleAwsIamRole (optional) The AWS IAM role configuration.

  • azure_managed_identityAzureManagedIdentity (optional) The Azure managed identity configuration.

  • azure_service_principalAzureServicePrincipal (optional) The Azure service principal configuration.

  • comment – str (optional) Comment associated with the credential.

  • databricks_gcp_service_accountDatabricksGcpServiceAccount (optional) The Databricks managed GCP service account configuration.

  • purposeCredentialPurpose (optional) Indicates the purpose of the credential.

  • read_only – bool (optional) Whether the credential is usable only for read operations. Only applicable when purpose is STORAGE.

  • skip_validation – bool (optional) Optional. Supplying true to this argument skips validation of the created set of credentials.

Returns:

CredentialInfo

delete_credential(name_arg: str [, force: Optional[bool]])

Deletes a service or storage credential from the metastore. The caller must be an owner of the credential.

Parameters:
  • name_arg – str Name of the credential.

  • force – bool (optional) Force an update even if there are dependent services (when purpose is SERVICE) or dependent external locations and external tables (when purpose is STORAGE).

generate_temporary_service_credential(credential_name: str [, azure_options: Optional[GenerateTemporaryServiceCredentialAzureOptions], gcp_options: Optional[GenerateTemporaryServiceCredentialGcpOptions]]) TemporaryCredentials

Returns a set of temporary credentials generated using the specified service credential. The caller must be a metastore admin or have the metastore privilege ACCESS on the service credential.

Parameters:
Returns:

TemporaryCredentials

get_credential(name_arg: str) CredentialInfo

Gets a service or storage credential from the metastore. The caller must be a metastore admin, the owner of the credential, or have any permission on the credential.

Parameters:

name_arg – str Name of the credential.

Returns:

CredentialInfo

list_credentials([, include_unbound: Optional[bool], max_results: Optional[int], page_token: Optional[str], purpose: Optional[CredentialPurpose]]) Iterator[CredentialInfo]

Gets an array of credentials (as CredentialInfo objects).

The array is limited to only the credentials that the caller has permission to access. If the caller is a metastore admin, retrieval of credentials is unrestricted. There is no guarantee of a specific ordering of the elements in the array.

PAGINATION BEHAVIOR: The API is by default paginated, a page may contain zero results while still providing a next_page_token. Clients must continue reading pages until next_page_token is absent, which is the only indication that the end of results has been reached.

Parameters:
  • include_unbound – bool (optional) Whether to include credentials not bound to the workspace. Effective only if the user has permission to update the credential–workspace binding.

  • max_results

    int (optional) Maximum number of credentials to return.

    • If not set, the default max page size is used.

    • When set to a value greater than 0, the page length is the minimum of this value and a server-configured value.

    • When set to 0, the page length is set to a server-configured value (recommended).

    • When set to a value less than 0, an invalid parameter error is returned.

  • page_token – str (optional) Opaque token to retrieve the next page of results.

  • purposeCredentialPurpose (optional) Return only credentials for the specified purpose.

Returns:

Iterator over CredentialInfo

update_credential(name_arg: str [, aws_iam_role: Optional[AwsIamRole], azure_managed_identity: Optional[AzureManagedIdentity], azure_service_principal: Optional[AzureServicePrincipal], comment: Optional[str], databricks_gcp_service_account: Optional[DatabricksGcpServiceAccount], force: Optional[bool], isolation_mode: Optional[IsolationMode], new_name: Optional[str], owner: Optional[str], read_only: Optional[bool], skip_validation: Optional[bool]]) CredentialInfo

Updates a service or storage credential on the metastore.

The caller must be the owner of the credential or a metastore admin or have the MANAGE permission. If the caller is a metastore admin, only the owner field can be changed.

Parameters:
  • name_arg – str Name of the credential.

  • aws_iam_roleAwsIamRole (optional) The AWS IAM role configuration.

  • azure_managed_identityAzureManagedIdentity (optional) The Azure managed identity configuration.

  • azure_service_principalAzureServicePrincipal (optional) The Azure service principal configuration.

  • comment – str (optional) Comment associated with the credential.

  • databricks_gcp_service_accountDatabricksGcpServiceAccount (optional) The Databricks managed GCP service account configuration.

  • force – bool (optional) Force an update even if there are dependent services (when purpose is SERVICE) or dependent external locations and external tables (when purpose is STORAGE).

  • isolation_modeIsolationMode (optional) Whether the current securable is accessible from all workspaces or a specific set of workspaces.

  • new_name – str (optional) New name of credential.

  • owner – str (optional) Username of current owner of credential.

  • read_only – bool (optional) Whether the credential is usable only for read operations. Only applicable when purpose is STORAGE.

  • skip_validation – bool (optional) Supply true to this argument to skip validation of the updated credential.

Returns:

CredentialInfo

validate_credential([, aws_iam_role: Optional[AwsIamRole], azure_managed_identity: Optional[AzureManagedIdentity], credential_name: Optional[str], databricks_gcp_service_account: Optional[DatabricksGcpServiceAccount], external_location_name: Optional[str], purpose: Optional[CredentialPurpose], read_only: Optional[bool], url: Optional[str]]) ValidateCredentialResponse

Validates a credential.

For service credentials (purpose is SERVICE), either the credential_name or the cloud-specific credential must be provided.

For storage credentials (purpose is STORAGE), at least one of external_location_name and url need to be provided. If only one of them is provided, it will be used for validation. And if both are provided, the url will be used for validation, and external_location_name will be ignored when checking overlapping urls. Either the credential_name or the cloud-specific credential must be provided.

The caller must be a metastore admin or the credential owner or have the required permission on the metastore and the credential (e.g., CREATE_EXTERNAL_LOCATION when purpose is STORAGE).

Parameters:
  • aws_iam_roleAwsIamRole (optional)

  • azure_managed_identityAzureManagedIdentity (optional)

  • credential_name – str (optional) Required. The name of an existing credential or long-lived cloud credential to validate.

  • databricks_gcp_service_accountDatabricksGcpServiceAccount (optional)

  • external_location_name – str (optional) The name of an existing external location to validate. Only applicable for storage credentials (purpose is STORAGE.)

  • purposeCredentialPurpose (optional) The purpose of the credential. This should only be used when the credential is specified.

  • read_only – bool (optional) Whether the credential is only usable for read operations. Only applicable for storage credentials (purpose is STORAGE.)

  • url – str (optional) The external location url to validate. Only applicable when purpose is STORAGE.

Returns:

ValidateCredentialResponse