w.credentials: Credentials
- class databricks.sdk.service.catalog.CredentialsAPI
A credential represents an authentication and authorization mechanism for accessing services on your cloud tenant. Each credential is subject to Unity Catalog access-control policies that control which users and groups can access the credential.
To create credentials, you must be a Databricks account admin or have the CREATE SERVICE CREDENTIAL privilege. The user who creates the credential can delegate ownership to another user or group to manage permissions on it.
- create_credential(name: str [, aws_iam_role: Optional[AwsIamRole], azure_managed_identity: Optional[AzureManagedIdentity], azure_service_principal: Optional[AzureServicePrincipal], comment: Optional[str], databricks_gcp_service_account: Optional[DatabricksGcpServiceAccount], purpose: Optional[CredentialPurpose], read_only: Optional[bool], skip_validation: Optional[bool]]) CredentialInfo
Create a credential.
Creates a new credential. The type of credential to be created is determined by the purpose field, which should be either SERVICE or STORAGE.
The caller must be a metastore admin or have the metastore privilege CREATE_STORAGE_CREDENTIAL for storage credentials, or CREATE_SERVICE_CREDENTIAL for service credentials.
- Parameters:
name – str The credential name. The name must be unique among storage and service credentials within the metastore.
aws_iam_role – AwsIamRole (optional) The AWS IAM role configuration.
azure_managed_identity – AzureManagedIdentity (optional) The Azure managed identity configuration.
azure_service_principal – AzureServicePrincipal (optional) The Azure service principal configuration. Only applicable when purpose is STORAGE.
comment – str (optional) Comment associated with the credential.
databricks_gcp_service_account – DatabricksGcpServiceAccount (optional) GCP long-lived credential. Databricks-created Google Cloud Storage service account.
purpose – CredentialPurpose (optional) Indicates the purpose of the credential.
read_only – bool (optional) Whether the credential is usable only for read operations. Only applicable when purpose is STORAGE.
skip_validation – bool (optional) Supplying true to this argument skips validation of the created set of credentials.
- Returns:
- delete_credential(name_arg: str [, force: Optional[bool]])
Delete a credential.
Deletes a service or storage credential from the metastore. The caller must be an owner of the credential.
- Parameters:
name_arg – str Name of the credential.
force – bool (optional) Force an update even if there are dependent services (when purpose is SERVICE) or dependent external locations and external tables (when purpose is STORAGE).
- generate_temporary_service_credential(credential_name: str [, azure_options: Optional[GenerateTemporaryServiceCredentialAzureOptions], gcp_options: Optional[GenerateTemporaryServiceCredentialGcpOptions]]) TemporaryCredentials
Generate a temporary service credential.
Returns a set of temporary credentials generated using the specified service credential. The caller must be a metastore admin or have the metastore privilege ACCESS on the service credential.
- Parameters:
credential_name – str The name of the service credential used to generate a temporary credential.
azure_options – GenerateTemporaryServiceCredentialAzureOptions (optional) The Azure cloud options to customize the requested temporary credential.
gcp_options – GenerateTemporaryServiceCredentialGcpOptions (optional) The GCP cloud options to customize the requested temporary credential.
- Returns:
- get_credential(name_arg: str) CredentialInfo
Get a credential.
Gets a service or storage credential from the metastore. The caller must be a metastore admin, the owner of the credential, or have any permission on the credential.
- Parameters:
name_arg – str Name of the credential.
- Returns:
- list_credentials([, max_results: Optional[int], page_token: Optional[str], purpose: Optional[CredentialPurpose]]) Iterator[CredentialInfo]
List credentials.
Gets an array of credentials (as __CredentialInfo__ objects).
The array is limited to only the credentials that the caller has permission to access. If the caller is a metastore admin, retrieval of credentials is unrestricted. There is no guarantee of a specific ordering of the elements in the array.
- Parameters:
max_results – int (optional) Maximum number of credentials to return.
  - If not set, the default max page size is used.
  - When set to a value greater than 0, the page length is the minimum of this value and a server-configured value.
  - When set to 0, the page length is set to a server-configured value (recommended).
  - When set to a value less than 0, an invalid parameter error is returned.
page_token – str (optional) Opaque token to retrieve the next page of results.
purpose – CredentialPurpose (optional) Return only credentials for the specified purpose.
- Returns:
Iterator over CredentialInfo
- update_credential(name_arg: str [, aws_iam_role: Optional[AwsIamRole], azure_managed_identity: Optional[AzureManagedIdentity], azure_service_principal: Optional[AzureServicePrincipal], comment: Optional[str], databricks_gcp_service_account: Optional[DatabricksGcpServiceAccount], force: Optional[bool], isolation_mode: Optional[IsolationMode], new_name: Optional[str], owner: Optional[str], read_only: Optional[bool], skip_validation: Optional[bool]]) CredentialInfo
Update a credential.
Updates a service or storage credential on the metastore.
The caller must be the owner of the credential or a metastore admin or have the MANAGE permission. If the caller is a metastore admin, only the __owner__ field can be changed.
- Parameters:
name_arg – str Name of the credential.
aws_iam_role – AwsIamRole (optional) The AWS IAM role configuration.
azure_managed_identity – AzureManagedIdentity (optional) The Azure managed identity configuration.
azure_service_principal – AzureServicePrincipal (optional) The Azure service principal configuration. Only applicable when purpose is STORAGE.
comment – str (optional) Comment associated with the credential.
databricks_gcp_service_account – DatabricksGcpServiceAccount (optional) GCP long-lived credential. Databricks-created Google Cloud Storage service account.
force – bool (optional) Force an update even if there are dependent services (when purpose is SERVICE) or dependent external locations and external tables (when purpose is STORAGE).
isolation_mode – IsolationMode (optional) Whether the current securable is accessible from all workspaces or a specific set of workspaces.
new_name – str (optional) New name of credential.
owner – str (optional) Username of current owner of credential.
read_only – bool (optional) Whether the credential is usable only for read operations. Only applicable when purpose is STORAGE.
skip_validation – bool (optional) Supply true to this argument to skip validation of the updated credential.
- Returns:
- validate_credential([, aws_iam_role: Optional[AwsIamRole], azure_managed_identity: Optional[AzureManagedIdentity], credential_name: Optional[str], databricks_gcp_service_account: Optional[DatabricksGcpServiceAccount], external_location_name: Optional[str], purpose: Optional[CredentialPurpose], read_only: Optional[bool], url: Optional[str]]) ValidateCredentialResponse
Validate a credential.
Validates a credential.
For service credentials (purpose is SERVICE), either the __credential_name__ or the cloud-specific credential must be provided.
For storage credentials (purpose is STORAGE), at least one of __external_location_name__ and __url__ must be provided. If only one of them is provided, it will be used for validation. If both are provided, the __url__ will be used for validation, and __external_location_name__ will be ignored when checking overlapping URLs. Either the __credential_name__ or the cloud-specific credential must be provided.
The caller must be a metastore admin or the credential owner or have the required permission on the metastore and the credential (e.g., CREATE_EXTERNAL_LOCATION when purpose is STORAGE).
- Parameters:
aws_iam_role – AwsIamRole (optional) The AWS IAM role configuration.
azure_managed_identity – AzureManagedIdentity (optional) The Azure managed identity configuration.
credential_name – str (optional) Required. The name of an existing credential or long-lived cloud credential to validate.
databricks_gcp_service_account – DatabricksGcpServiceAccount (optional) GCP long-lived credential. Databricks-created Google Cloud Storage service account.
external_location_name – str (optional) The name of an existing external location to validate. Only applicable for storage credentials (purpose is STORAGE).
purpose – CredentialPurpose (optional) The purpose of the credential. This should only be used when the credential is specified.
read_only – bool (optional) Whether the credential is only usable for read operations. Only applicable for storage credentials (purpose is STORAGE).
url – str (optional) The external location url to validate. Only applicable when purpose is STORAGE.
- Returns:
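The argument rules for validate_credential described above, written as a pre-flight check that runs before the API call. This is an added example, not code from the SDK: `plan_validation` and `validate` are hypothetical helper names, and `client` is assumed to be a `databricks.sdk.WorkspaceClient`. Requiring an explicit purpose is this helper's own, stricter assumption.

```python
# Added example: client-side check of the documented validate_credential rules.
CLOUD_FIELDS = ("aws_iam_role", "azure_managed_identity",
                "databricks_gcp_service_account")
STORAGE_ONLY = ("external_location_name", "url", "read_only")


def plan_validation(**kwargs):
    """Return (args_to_send, storage_target) or raise ValueError.

    storage_target is "url", "external_location_name", or None for SERVICE.
    """
    args = {k: v for k, v in kwargs.items() if v is not None}
    purpose = args.get("purpose")
    purpose = getattr(purpose, "value", purpose)  # enum member or plain string

    # Both purposes: the credential is named or passed as a cloud-specific object.
    if "credential_name" not in args and not any(f in args for f in CLOUD_FIELDS):
        raise ValueError("provide credential_name or a cloud-specific credential")

    if purpose == "SERVICE":
        extra = [k for k in STORAGE_ONLY if k in args]
        if extra:
            raise ValueError(f"{extra} only apply when purpose is STORAGE")
        return args, None
    if purpose == "STORAGE":
        if "url" in args:
            # When both are given, url is validated and the location name is
            # ignored for the overlapping-URL check.
            return args, "url"
        if "external_location_name" in args:
            return args, "external_location_name"
        raise ValueError("STORAGE validation needs external_location_name or url")
    raise ValueError("purpose must be SERVICE or STORAGE (helper assumption)")


def validate(client, **kwargs):
    """Pre-check the arguments, then call client.credentials.validate_credential."""
    args, target = plan_validation(**kwargs)
    return target, client.credentials.validate_credential(**args)


if __name__ == "__main__":
    # Constructed sample values; no workspace is contacted here.
    _, target = plan_validation(purpose="STORAGE", credential_name="example-cred",
                                external_location_name="example-loc",
                                url="s3://example-bucket/path")
    print("validation will use:", target)
```
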