w.token_management: Token management
- class databricks.sdk.service.settings.TokenManagementAPI
Enables administrators to get all tokens and delete tokens for other users. Admins can either get every token, get a specific token by ID, or get all tokens for a particular user.
- create_obo_token(application_id: str [, autoscope_enabled: Optional[bool], comment: Optional[str], lifetime_seconds: Optional[int], scopes: Optional[List[str]]]) CreateOboTokenResponse
Usage:
    import time

    from databricks.sdk import WorkspaceClient
    from databricks.sdk.service import iam

    w = WorkspaceClient()

    groups = w.groups.group_display_name_to_id_map(iam.ListGroupsRequest())

    spn = w.service_principals.create(
        display_name=f"sdk-{time.time_ns()}",
        groups=[iam.ComplexValue(value=groups["admins"])],
    )

    obo = w.token_management.create_obo_token(application_id=spn.application_id, lifetime_seconds=60)

    # cleanup
    w.service_principals.delete(id=spn.id)
    w.token_management.delete(token_id=obo.token_info.token_id)
Creates a token on behalf of a service principal.
- Parameters:
application_id – str Application ID of the service principal.
autoscope_enabled – bool (optional) Whether to enable autoscoping for this token.
comment – str (optional) Comment that describes the purpose of the token.
lifetime_seconds – int (optional) The number of seconds before the token expires.
scopes – List[str] (optional)
- Returns:
- delete(token_id: str)
Deletes a token, specified by its ID.
- Parameters:
token_id – str The ID of the token to revoke.
- get(token_id: str) GetTokenResponse
Usage:
    import time

    from databricks.sdk import WorkspaceClient
    from databricks.sdk.service import iam

    w = WorkspaceClient()

    groups = w.groups.group_display_name_to_id_map(iam.ListGroupsRequest())

    spn = w.service_principals.create(
        display_name=f"sdk-{time.time_ns()}",
        groups=[iam.ComplexValue(value=groups["admins"])],
    )

    obo = w.token_management.create_obo_token(application_id=spn.application_id, lifetime_seconds=60)

    by_id = w.token_management.get(token_id=obo.token_info.token_id)

    # cleanup
    w.service_principals.delete(id=spn.id)
    w.token_management.delete(token_id=obo.token_info.token_id)
Gets information about a token, specified by its ID.
- Parameters:
token_id – str The ID of the token to get.
- Returns:
- get_permission_levels() GetTokenPermissionLevelsResponse
Gets the permission levels that a user can have on an object.
- Returns:
- get_permissions() TokenPermissions
Gets the permissions of all tokens. Tokens can inherit permissions from their root object.
- Returns:
- list([, created_by_id: Optional[int], created_by_username: Optional[str]]) Iterator[TokenInfo]
Usage:
    from databricks.sdk import WorkspaceClient

    w = WorkspaceClient()

    # list() takes only the optional created_by_id / created_by_username filters;
    # with neither set it iterates over every token in the workspace.
    all_tokens = w.token_management.list()
Lists all tokens associated with the specified workspace or user.
- Parameters:
created_by_id – int (optional) User ID of the user that created the token.
created_by_username – str (optional) Username of the user that created the token.
- Returns:
Iterator over TokenInfo
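An added example (not part of the SDK documentation or the SDK's own code) showing how the iterator returned by list() can feed a token-hygiene audit that flags tokens with no expiry or an overlong lifetime. The Finding class, audit_tokens function and sample records are hypothetical; the creation_time and expiry_time fields (epoch milliseconds) are assumed to follow the SDK's TokenInfo, which this page does not list, and treating a missing or non-positive expiry_time as "no expiry" is also an assumption.

```python
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Iterable, List, Optional

DAY_MS = 24 * 60 * 60 * 1000

@dataclass
class Finding:
    token_id: str
    owner: Optional[str]
    reason: str

def audit_tokens(tokens: Iterable, max_lifetime_days: int = 90) -> List[Finding]:
    """Flag tokens that never expire or whose lifetime exceeds the limit.

    Items need token_id, created_by_username, creation_time and expiry_time
    (epoch milliseconds). Assumption: expiry_time of None or <= 0 means
    the token has no expiry.
    """
    findings = []
    for t in tokens:
        expiry = getattr(t, "expiry_time", None)
        created = getattr(t, "creation_time", None)
        owner = getattr(t, "created_by_username", None)
        if expiry is None or expiry <= 0:
            findings.append(Finding(t.token_id, owner, "no expiry"))
        elif created is not None and expiry - created > max_lifetime_days * DAY_MS:
            days = (expiry - created) // DAY_MS
            reason = f"lifetime {days}d exceeds {max_lifetime_days}d"
            findings.append(Finding(t.token_id, owner, reason))
    return findings

# Constructed records standing in for the TokenInfo items that
# w.token_management.list() yields; values are made up for the example.
T0 = 1_700_000_000_000  # constructed creation time, epoch ms
SAMPLE = [
    SimpleNamespace(token_id="tok-a", created_by_username="alice@example.com",
                    creation_time=T0, expiry_time=T0 + 30 * DAY_MS),
    SimpleNamespace(token_id="tok-b", created_by_username="bob@example.com",
                    creation_time=T0, expiry_time=-1),
    SimpleNamespace(token_id="tok-c", created_by_username="ci-bot@example.com",
                    creation_time=T0, expiry_time=T0 + 365 * DAY_MS),
]

if __name__ == "__main__":
    for f in audit_tokens(SAMPLE):
        print(f.token_id, f.owner, f.reason)
```

Against a live workspace, pass w.token_management.list() as the tokens argument and review each finding before revoking with w.token_management.delete(token_id=...).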
- set_permissions([, access_control_list: Optional[List[TokenAccessControlRequest]]]) TokenPermissions
Sets permissions on an object, replacing existing permissions if they exist. Deletes all direct permissions if none are specified. Objects can inherit permissions from their root object.
- Parameters:
access_control_list – List[TokenAccessControlRequest] (optional)
- Returns:
- update_permissions([, access_control_list: Optional[List[TokenAccessControlRequest]]]) TokenPermissions
Updates the permissions on all tokens. Tokens can inherit permissions from their root object.
- Parameters:
access_control_list – List[TokenAccessControlRequest] (optional)
- Returns:
- update_token_management(token_id: str, token: TokenInfo, update_mask: FieldMask) TokenInfo
Updates a token, specified by its ID.
- Parameters:
token_id – str ID of the token.
token – TokenInfo
update_mask – FieldMask A list of field names under token. For example, {"update_mask": "comment,scopes"}
The field mask must be a single string, with multiple fields separated by commas (no spaces). The field path is relative to the resource object, using a dot (.) to navigate sub-fields (e.g., author.given_name). Specification of elements in sequence or map fields is not allowed, as only the entire collection field can be specified. Field names must exactly match the resource field names.
A field mask of * indicates full replacement. It’s recommended to always explicitly list the fields being updated and avoid using * wildcards, as it can lead to unintended results if the API changes in the future.
- Returns: