
Manage Azure Databricks Service Principal

Most Databricks management can be done from the GUI or the CLI, but Azure Service Principals can only be managed through the SCIM API. There is an open PR to add SCIM API support to the Databricks CLI, but its latest update dates back to the beginning of 2021.

This post adds some tips that are not covered by the official API docs.

Patch Service Principal

The official docs give the op values add and remove. In fact, if you want to update a field, for example the displayName of an SP, the op should be add:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "add",
            "path": "displayName",
            "value": "{newServicePrincipalName}"
        }
    ]
}

Consistent fields across workspaces

Multiple Databricks workspaces can be linked together. The screenshot below shows an example of 3 linked workspaces.

[Screenshot: azure-databricks-multiple-workspaces]

Please be aware that each workspace has its own API URL.

Here is an example of the output of the GET Service Principal endpoint, where the applicationId is 11111111-0000-0000-0000-111111111111:

{
  "displayName": "foo",
  "externalId": "22222222-0000-0000-0000-222222222222",
  "groups": [
    {
      "display": "group1",
      "type": "direct",
      "value": "111",
      "$ref": "Groups/111"
    },
    {
      "display": "group2",
      "type": "indirect",
      "value": "222",
      "$ref": "Groups/222"
    }
  ],
  "id": "123456789",
  "entitlements": [
    {
      "value": "allow-cluster-create"
    },
    {
      "value": "allow-instance-pool-create"
    },
    {
      "value": "workspace-access"
    }
  ],
  "applicationId": "11111111-0000-0000-0000-111111111111",
  "active": true
}

Although we have 3 different workspaces, the same Service Principal (applicationId) defined in these workspaces shares some fields:

  • displayName
  • id
  • applicationId

Among these 3 fields, you can only update displayName; the id and applicationId fields are immutable. This means that if we change the displayName in one of the workspaces with the PATCH SCIM API, the GET SCIM API returns the updated displayName in the other workspaces too. We cannot change the id and applicationId fields, and both are the same across workspaces.
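An added example (not from the original post or from Databricks): a small Python audit that compares the GET output of one Service Principal across linked workspaces, flags drift in the three shared fields, lists entitlements held in only some workspaces, and builds the PATCH body above while rejecting the immutable fields. The workspace URLs, the endpoint path, the application/scim+json content type, the function names, and the treatment of entitlements as workspace-specific are assumptions not shown in the post.

```python
import json
import urllib.request

SHARED = ("displayName", "id", "applicationId")  # identical across linked workspaces
IMMUTABLE = ("id", "applicationId")              # cannot be changed via PATCH

def patch_body(field, value):
    """SCIM PatchOp body; updates use op "add", as the post notes."""
    if field in IMMUTABLE:
        raise ValueError(f"{field} is immutable")
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "add", "path": field, "value": value}]}

def build_patch(workspace_url, token, sp_id, field, value):
    """Build (but do not send) the PATCH request for one workspace."""
    # Assumed endpoint path and content type; neither appears in the post.
    url = f"{workspace_url.rstrip('/')}/api/2.0/preview/scim/v2/ServicePrincipals/{sp_id}"
    return urllib.request.Request(
        url, data=json.dumps(patch_body(field, value)).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/scim+json"})

def audit(responses):
    """responses maps workspace URL -> GET Service Principal JSON."""
    mismatch = {}
    for field in SHARED:
        values = {ws: r.get(field) for ws, r in responses.items()}
        if len(set(values.values())) > 1:  # shared field drifted between workspaces
            mismatch[field] = values
    ents = {ws: {e["value"] for e in r.get("entitlements", [])}
            for ws, r in responses.items()}
    common = set.intersection(*ents.values()) if ents else set()
    # Entitlements granted in some workspaces but not in all of them.
    extra = {ws: sorted(e - common) for ws, e in ents.items() if e - common}
    return {"shared_field_mismatch": mismatch, "extra_entitlements": extra}

def sample_sp(*entitlements):  # constructed sample, modelled on the GET output above
    return {"displayName": "foo", "id": "123456789", "active": True,
            "applicationId": "11111111-0000-0000-0000-111111111111",
            "entitlements": [{"value": v} for v in entitlements]}

SAMPLE = {  # constructed workspace URLs
    "https://ws1.example.net": sample_sp("allow-cluster-create", "workspace-access"),
    "https://ws2.example.net": sample_sp("workspace-access"),
    "https://ws3.example.net": sample_sp("workspace-access"),
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```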
