https://pulumi.com logo
Powered by
#aws
Title
a

ambitious-agent-35343

09/11/2023, 8:47 AM
(Databricks) I am looking to administer the management-account administering the workspaces for users and workspaces. The account-level provider uses password, and this is not great given the sensitivity. Any recommendations? I can think of creating a new user for managing the management account, but was curious what others are doing. Maybe @sparse-optician-70334 from above has taken an insightful approach. Thank you https://www.pulumi.com/registry/packages/databricks/api-docs/user/ 
import * as pulumi from "@Pulumi Novice/pulumi";
import * as databricks from "@Pulumi Novice/databricks";
// initialize provider at account-level
const mws = new databricks.Provider("mws", {
host: "<https://accounts.cloud.databricks.com>",
accountId: "00000000-0000-0000-0000-000000000000",
username: _var.databricks_account_username,
password: _var.databricks_account_password,
});
const accountUser = new databricks.User("accountUser", {
userName: "<mailto:me@example.com|me@example.com>",
displayName: "Example user",
}, {
provider: databricks.mws,
});
s

sparse-optician-70334

09/11/2023, 9:30 AM
I have not yet figured that out. See https://pulumi-community.slack.com/archives/CRH5ENVDX/p1694207839918349 I am waiting for input from @billowy-army-68599 there
But from reading the databricks docs it sounds like their APIs strongly favour non password-based auth approaches i.e. tokens or other means.
a

ambitious-agent-35343

09/11/2023, 9:45 AM
True - I had this approach for the workspaces. As for mng. acc.: Right now I am stuck even being able to enable passwords for the other account I provisioned as a SA. Currently using SSO - but password still works for my own account. I found a SCIM token, but wondering how it can be used - if at all.
s

sparse-optician-70334

09/12/2023, 7:30 AM
did you figure out a solution?
a

ambitious-agent-35343

09/12/2023, 2:44 PM
No, I used the Cloudformation template for the workspace and then API token for my workspace user for configuring the workspace. Eg. no AWS IAM in use from Pulumi side.
s

sparse-optician-70334

09/12/2023, 2:47 PM
I figured out how to set up the workspace from pulumi (almost)
just need to set some more AWS policies around S3
@ambitious-agent-35343 do you add users using Pulumi? Does this work or fail for you? By the way jaxxstorm created this awesome sample here https://github.com/jaxxstorm/pulumi-examples/tree/main/python/aws/databricks maybe this is useful for you as well.
a

ambitious-agent-35343

09/14/2023, 11:42 AM
Thank you for sharing this with me Georg and great work @billowy-army-68599! I am currently opting for a hybrid approach and migrating new users to IaC. Using getOrCreate function for all other users and their group allocation. But again, not much for using my personal account for administering the mng account. Instead I will be using pulumi with access_token for each workspace which is less nice.
Powered by