(Databricks) I am looking to administer the manage...
# awsa
ambitious-agent-35343
09/11/2023, 8:47 AM(Databricks) I am looking to administer the management-account administering the workspaces for users and workspaces. The account-level provider uses password, and this is not great given the sensitivity. Any recommendations? I can think of creating a new user for managing the management account, but was curious what others are doing.
Maybe @sparse-optician-70334 from above has taken an insightful approach. Thank you
https://www.pulumi.com/registry/packages/databricks/api-docs/user/
import * as pulumi from "@Pulumi Novice/pulumi";import * as databricks from "@Pulumi Novice/databricks";// initialize provider at account-levelconst mws = new databricks.Provider("mws", {host: "<https://accounts.cloud.databricks.com>",accountId: "00000000-0000-0000-0000-000000000000",username: _var.databricks_account_username,password: _var.databricks_account_password,});const accountUser = new databricks.User("accountUser", {userName: "<mailto:me@example.com|me@example.com>",displayName: "Example user",}, {provider: databricks.mws,});s
sparse-optician-70334
09/11/2023, 9:30 AMI have not yet figured that out. See https://pulumi-community.slack.com/archives/CRH5ENVDX/p1694207839918349 I am waiting for input from @billowy-army-68599 there
sparse-optician-70334
09/11/2023, 9:31 AMBut from reading the databricks docs it sounds like their APIs strongly favour non password-based auth approaches i.e. tokens or other means.
a
ambitious-agent-35343
09/11/2023, 9:45 AMTrue - I had this approach for the workspaces. As for mng. acc.: Right now I am stuck even being able to enable passwords for the other account I provisioned as a SA. Currently using SSO - but password still works for my own account.
I found a SCIM token, but wondering how it can be used - if at all.
s
sparse-optician-70334
09/12/2023, 7:30 AMsparse-optician-70334
09/12/2023, 7:30 AMdid you figure out a solution?
a
ambitious-agent-35343
09/12/2023, 2:44 PMNo, I used the Cloudformation template for the workspace and then API token for my workspace user for configuring the workspace. Eg. no AWS IAM in use from Pulumi side.
s
sparse-optician-70334
09/12/2023, 2:47 PMI figured out how to set up the workspace from pulumi (almost)
sparse-optician-70334
09/12/2023, 2:47 PMjust need to set some more AWS policies around S3
sparse-optician-70334
09/13/2023, 8:47 AM@ambitious-agent-35343 do you add users using Pulumi? Does this work or fail for you? By the way jaxxstorm created this awesome sample here https://github.com/jaxxstorm/pulumi-examples/tree/main/python/aws/databricks maybe this is useful for you as well.
a
ambitious-agent-35343
09/14/2023, 11:42 AMThank you for sharing this with me Georg and great work @billowy-army-68599!
I am currently opting for a hybrid approach and migrating new users to IaC. Using getOrCreate function for all other users and their group allocation.
But again, not much for using my personal account for administering the mng account. Instead I will be using pulumi with access_token for each workspace which is less nice.