Docs Home
Databricks v1.56.0 published on Tuesday, Nov 12, 2024 by Pulumi
databricks.Grant
Explore with Pulumi AI
This article refers to the privileges and inheritance model in Privilege Model version 1.0. If you created your metastore during the public preview (before August 25, 2022), you can upgrade to Privilege Model version 1.0 following Upgrade to privilege inheritance
Most of Unity Catalog APIs are only accessible via workspace-level APIs. This design may change in the future. Account-level principal grants can be assigned with any valid workspace as the Unity Catalog is decoupled from specific workspaces. More information in the official documentation.
In Unity Catalog all users initially have no access to data. Only Metastore Admins can create objects and can grant/revoke access on individual objects to users and groups. Every securable object in Unity Catalog has an owner. The owner can be any account-level user or group, called principals in general. The principal that creates an object becomes its owner. Owners receive ALL_PRIVILEGES on the securable object (e.g., SELECT and MODIFY on a table), as well as the permission to grant privileges to other principals.
Securable objects are hierarchical and privileges are inherited downward. The highest level object that privileges are inherited from is the catalog. This means that granting a privilege on a catalog or schema automatically grants the privilege to all current and future objects within the catalog or schema. Privileges that are granted on a metastore are not inherited.
Every databricks.Grant resource must have exactly one securable identifier and the following arguments:
principal- User name, group name or service principal application ID.privileges- One or more privileges that are specific to a securable type.
For the latest list of privilege types that apply to each securable object in Unity Catalog, please refer to the official documentation
Pulumi will handle any configuration drift for the specified principal on every pulumi up run, even when grants are changed outside of Pulumi state.
See databricks.Grants for the list of privilege types that apply to each securable object.
Metastore grants
See databricks.Grants Metastore grants for the list of privileges that apply to Metastores.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const sandboxDataEngineers = new databricks.Grant("sandbox_data_engineers", {
metastore: "metastore_id",
principal: "Data Engineers",
privileges: [
"CREATE_CATALOG",
"CREATE_EXTERNAL_LOCATION",
],
});
const sandboxDataSharer = new databricks.Grant("sandbox_data_sharer", {
metastore: "metastore_id",
principal: "Data Sharer",
privileges: [
"CREATE_RECIPIENT",
"CREATE_SHARE",
],
});
import pulumi
import pulumi_databricks as databricks
sandbox_data_engineers = databricks.Grant("sandbox_data_engineers",
metastore="metastore_id",
principal="Data Engineers",
privileges=[
"CREATE_CATALOG",
"CREATE_EXTERNAL_LOCATION",
])
sandbox_data_sharer = databricks.Grant("sandbox_data_sharer",
metastore="metastore_id",
principal="Data Sharer",
privileges=[
"CREATE_RECIPIENT",
"CREATE_SHARE",
])
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewGrant(ctx, "sandbox_data_engineers", &databricks.GrantArgs{
Metastore: pulumi.String("metastore_id"),
Principal: pulumi.String("Data Engineers"),
Privileges: pulumi.StringArray{
pulumi.String("CREATE_CATALOG"),
pulumi.String("CREATE_EXTERNAL_LOCATION"),
},
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "sandbox_data_sharer", &databricks.GrantArgs{
Metastore: pulumi.String("metastore_id"),
Principal: pulumi.String("Data Sharer"),
Privileges: pulumi.StringArray{
pulumi.String("CREATE_RECIPIENT"),
pulumi.String("CREATE_SHARE"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var sandboxDataEngineers = new Databricks.Grant("sandbox_data_engineers", new()
{
Metastore = "metastore_id",
Principal = "Data Engineers",
Privileges = new[]
{
"CREATE_CATALOG",
"CREATE_EXTERNAL_LOCATION",
},
});
var sandboxDataSharer = new Databricks.Grant("sandbox_data_sharer", new()
{
Metastore = "metastore_id",
Principal = "Data Sharer",
Privileges = new[]
{
"CREATE_RECIPIENT",
"CREATE_SHARE",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var sandboxDataEngineers = new Grant("sandboxDataEngineers", GrantArgs.builder()
.metastore("metastore_id")
.principal("Data Engineers")
.privileges(
"CREATE_CATALOG",
"CREATE_EXTERNAL_LOCATION")
.build());
var sandboxDataSharer = new Grant("sandboxDataSharer", GrantArgs.builder()
.metastore("metastore_id")
.principal("Data Sharer")
.privileges(
"CREATE_RECIPIENT",
"CREATE_SHARE")
.build());
}
}
resources:
sandboxDataEngineers:
type: databricks:Grant
name: sandbox_data_engineers
properties:
metastore: metastore_id
principal: Data Engineers
privileges:
- CREATE_CATALOG
- CREATE_EXTERNAL_LOCATION
sandboxDataSharer:
type: databricks:Grant
name: sandbox_data_sharer
properties:
metastore: metastore_id
principal: Data Sharer
privileges:
- CREATE_RECIPIENT
- CREATE_SHARE
Catalog grants
See databricks.Grants Catalog grants for the list of privileges that apply to Catalogs.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const sandbox = new databricks.Catalog("sandbox", {
name: "sandbox",
comment: "this catalog is managed by terraform",
properties: {
purpose: "testing",
},
});
const sandboxDataScientists = new databricks.Grant("sandbox_data_scientists", {
catalog: sandbox.name,
principal: "Data Scientists",
privileges: [
"USE_CATALOG",
"USE_SCHEMA",
"CREATE_TABLE",
"SELECT",
],
});
const sandboxDataEngineers = new databricks.Grant("sandbox_data_engineers", {
catalog: sandbox.name,
principal: "Data Engineers",
privileges: [
"USE_CATALOG",
"USE_SCHEMA",
"CREATE_SCHEMA",
"CREATE_TABLE",
"MODIFY",
],
});
const sandboxDataAnalyst = new databricks.Grant("sandbox_data_analyst", {
catalog: sandbox.name,
principal: "Data Analyst",
privileges: [
"USE_CATALOG",
"USE_SCHEMA",
"SELECT",
],
});
import pulumi
import pulumi_databricks as databricks
sandbox = databricks.Catalog("sandbox",
name="sandbox",
comment="this catalog is managed by terraform",
properties={
"purpose": "testing",
})
sandbox_data_scientists = databricks.Grant("sandbox_data_scientists",
catalog=sandbox.name,
principal="Data Scientists",
privileges=[
"USE_CATALOG",
"USE_SCHEMA",
"CREATE_TABLE",
"SELECT",
])
sandbox_data_engineers = databricks.Grant("sandbox_data_engineers",
catalog=sandbox.name,
principal="Data Engineers",
privileges=[
"USE_CATALOG",
"USE_SCHEMA",
"CREATE_SCHEMA",
"CREATE_TABLE",
"MODIFY",
])
sandbox_data_analyst = databricks.Grant("sandbox_data_analyst",
catalog=sandbox.name,
principal="Data Analyst",
privileges=[
"USE_CATALOG",
"USE_SCHEMA",
"SELECT",
])
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
sandbox, err := databricks.NewCatalog(ctx, "sandbox", &databricks.CatalogArgs{
Name: pulumi.String("sandbox"),
Comment: pulumi.String("this catalog is managed by terraform"),
Properties: pulumi.StringMap{
"purpose": pulumi.String("testing"),
},
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "sandbox_data_scientists", &databricks.GrantArgs{
Catalog: sandbox.Name,
Principal: pulumi.String("Data Scientists"),
Privileges: pulumi.StringArray{
pulumi.String("USE_CATALOG"),
pulumi.String("USE_SCHEMA"),
pulumi.String("CREATE_TABLE"),
pulumi.String("SELECT"),
},
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "sandbox_data_engineers", &databricks.GrantArgs{
Catalog: sandbox.Name,
Principal: pulumi.String("Data Engineers"),
Privileges: pulumi.StringArray{
pulumi.String("USE_CATALOG"),
pulumi.String("USE_SCHEMA"),
pulumi.String("CREATE_SCHEMA"),
pulumi.String("CREATE_TABLE"),
pulumi.String("MODIFY"),
},
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "sandbox_data_analyst", &databricks.GrantArgs{
Catalog: sandbox.Name,
Principal: pulumi.String("Data Analyst"),
Privileges: pulumi.StringArray{
pulumi.String("USE_CATALOG"),
pulumi.String("USE_SCHEMA"),
pulumi.String("SELECT"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var sandbox = new Databricks.Catalog("sandbox", new()
{
Name = "sandbox",
Comment = "this catalog is managed by terraform",
Properties =
{
{ "purpose", "testing" },
},
});
var sandboxDataScientists = new Databricks.Grant("sandbox_data_scientists", new()
{
Catalog = sandbox.Name,
Principal = "Data Scientists",
Privileges = new[]
{
"USE_CATALOG",
"USE_SCHEMA",
"CREATE_TABLE",
"SELECT",
},
});
var sandboxDataEngineers = new Databricks.Grant("sandbox_data_engineers", new()
{
Catalog = sandbox.Name,
Principal = "Data Engineers",
Privileges = new[]
{
"USE_CATALOG",
"USE_SCHEMA",
"CREATE_SCHEMA",
"CREATE_TABLE",
"MODIFY",
},
});
var sandboxDataAnalyst = new Databricks.Grant("sandbox_data_analyst", new()
{
Catalog = sandbox.Name,
Principal = "Data Analyst",
Privileges = new[]
{
"USE_CATALOG",
"USE_SCHEMA",
"SELECT",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Catalog;
import com.pulumi.databricks.CatalogArgs;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var sandbox = new Catalog("sandbox", CatalogArgs.builder()
.name("sandbox")
.comment("this catalog is managed by terraform")
.properties(Map.of("purpose", "testing"))
.build());
var sandboxDataScientists = new Grant("sandboxDataScientists", GrantArgs.builder()
.catalog(sandbox.name())
.principal("Data Scientists")
.privileges(
"USE_CATALOG",
"USE_SCHEMA",
"CREATE_TABLE",
"SELECT")
.build());
var sandboxDataEngineers = new Grant("sandboxDataEngineers", GrantArgs.builder()
.catalog(sandbox.name())
.principal("Data Engineers")
.privileges(
"USE_CATALOG",
"USE_SCHEMA",
"CREATE_SCHEMA",
"CREATE_TABLE",
"MODIFY")
.build());
var sandboxDataAnalyst = new Grant("sandboxDataAnalyst", GrantArgs.builder()
.catalog(sandbox.name())
.principal("Data Analyst")
.privileges(
"USE_CATALOG",
"USE_SCHEMA",
"SELECT")
.build());
}
}
resources:
sandbox:
type: databricks:Catalog
properties:
name: sandbox
comment: this catalog is managed by terraform
properties:
purpose: testing
sandboxDataScientists:
type: databricks:Grant
name: sandbox_data_scientists
properties:
catalog: ${sandbox.name}
principal: Data Scientists
privileges:
- USE_CATALOG
- USE_SCHEMA
- CREATE_TABLE
- SELECT
sandboxDataEngineers:
type: databricks:Grant
name: sandbox_data_engineers
properties:
catalog: ${sandbox.name}
principal: Data Engineers
privileges:
- USE_CATALOG
- USE_SCHEMA
- CREATE_SCHEMA
- CREATE_TABLE
- MODIFY
sandboxDataAnalyst:
type: databricks:Grant
name: sandbox_data_analyst
properties:
catalog: ${sandbox.name}
principal: Data Analyst
privileges:
- USE_CATALOG
- USE_SCHEMA
- SELECT
Schema grants
See databricks.Grants Schema grants for the list of privileges that apply to Schemas.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const things = new databricks.Schema("things", {
catalogName: sandbox.id,
name: "things",
comment: "this schema is managed by terraform",
properties: {
kind: "various",
},
});
const thingsGrant = new databricks.Grant("things", {
schema: things.id,
principal: "Data Engineers",
privileges: [
"USE_SCHEMA",
"MODIFY",
],
});
import pulumi
import pulumi_databricks as databricks
things = databricks.Schema("things",
catalog_name=sandbox["id"],
name="things",
comment="this schema is managed by terraform",
properties={
"kind": "various",
})
things_grant = databricks.Grant("things",
schema=things.id,
principal="Data Engineers",
privileges=[
"USE_SCHEMA",
"MODIFY",
])
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
things, err := databricks.NewSchema(ctx, "things", &databricks.SchemaArgs{
CatalogName: pulumi.Any(sandbox.Id),
Name: pulumi.String("things"),
Comment: pulumi.String("this schema is managed by terraform"),
Properties: pulumi.StringMap{
"kind": pulumi.String("various"),
},
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "things", &databricks.GrantArgs{
Schema: things.ID(),
Principal: pulumi.String("Data Engineers"),
Privileges: pulumi.StringArray{
pulumi.String("USE_SCHEMA"),
pulumi.String("MODIFY"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var things = new Databricks.Schema("things", new()
{
CatalogName = sandbox.Id,
Name = "things",
Comment = "this schema is managed by terraform",
Properties =
{
{ "kind", "various" },
},
});
var thingsGrant = new Databricks.Grant("things", new()
{
Schema = things.Id,
Principal = "Data Engineers",
Privileges = new[]
{
"USE_SCHEMA",
"MODIFY",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Schema;
import com.pulumi.databricks.SchemaArgs;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var things = new Schema("things", SchemaArgs.builder()
.catalogName(sandbox.id())
.name("things")
.comment("this schema is managed by terraform")
.properties(Map.of("kind", "various"))
.build());
var thingsGrant = new Grant("thingsGrant", GrantArgs.builder()
.schema(things.id())
.principal("Data Engineers")
.privileges(
"USE_SCHEMA",
"MODIFY")
.build());
}
}
resources:
things:
type: databricks:Schema
properties:
catalogName: ${sandbox.id}
name: things
comment: this schema is managed by terraform
properties:
kind: various
thingsGrant:
type: databricks:Grant
name: things
properties:
schema: ${things.id}
principal: Data Engineers
privileges:
- USE_SCHEMA
- MODIFY
Table grants
See databricks.Grants Table grants for the list of privileges that apply to Tables.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const customersDataEngineers = new databricks.Grant("customers_data_engineers", {
table: "main.reporting.customers",
principal: "Data Engineers",
privileges: [
"MODIFY",
"SELECT",
],
});
const customersDataAnalysts = new databricks.Grant("customers_data_analysts", {
table: "main.reporting.customers",
principal: "Data Analysts",
privileges: ["SELECT"],
});
import pulumi
import pulumi_databricks as databricks
customers_data_engineers = databricks.Grant("customers_data_engineers",
table="main.reporting.customers",
principal="Data Engineers",
privileges=[
"MODIFY",
"SELECT",
])
customers_data_analysts = databricks.Grant("customers_data_analysts",
table="main.reporting.customers",
principal="Data Analysts",
privileges=["SELECT"])
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewGrant(ctx, "customers_data_engineers", &databricks.GrantArgs{
Table: pulumi.String("main.reporting.customers"),
Principal: pulumi.String("Data Engineers"),
Privileges: pulumi.StringArray{
pulumi.String("MODIFY"),
pulumi.String("SELECT"),
},
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "customers_data_analysts", &databricks.GrantArgs{
Table: pulumi.String("main.reporting.customers"),
Principal: pulumi.String("Data Analysts"),
Privileges: pulumi.StringArray{
pulumi.String("SELECT"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var customersDataEngineers = new Databricks.Grant("customers_data_engineers", new()
{
Table = "main.reporting.customers",
Principal = "Data Engineers",
Privileges = new[]
{
"MODIFY",
"SELECT",
},
});
var customersDataAnalysts = new Databricks.Grant("customers_data_analysts", new()
{
Table = "main.reporting.customers",
Principal = "Data Analysts",
Privileges = new[]
{
"SELECT",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var customersDataEngineers = new Grant("customersDataEngineers", GrantArgs.builder()
.table("main.reporting.customers")
.principal("Data Engineers")
.privileges(
"MODIFY",
"SELECT")
.build());
var customersDataAnalysts = new Grant("customersDataAnalysts", GrantArgs.builder()
.table("main.reporting.customers")
.principal("Data Analysts")
.privileges("SELECT")
.build());
}
}
resources:
customersDataEngineers:
type: databricks:Grant
name: customers_data_engineers
properties:
table: main.reporting.customers
principal: Data Engineers
privileges:
- MODIFY
- SELECT
customersDataAnalysts:
type: databricks:Grant
name: customers_data_analysts
properties:
table: main.reporting.customers
principal: Data Analysts
privileges:
- SELECT
You can also apply grants dynamically with databricks.getTables data resource:
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
export = async () => {
const things = await databricks.getTables({
catalogName: "sandbox",
schemaName: "things",
});
const thingsGrant: databricks.Grant[] = [];
for (const range of things.ids.map((v, k) => ({key: k, value: v}))) {
thingsGrant.push(new databricks.Grant(`things-${range.key}`, {
table: range.value,
principal: "sensitive",
privileges: [
"SELECT",
"MODIFY",
],
}));
}
}
import pulumi
import pulumi_databricks as databricks
things = databricks.get_tables(catalog_name="sandbox",
schema_name="things")
things_grant = []
for range in [{"key": k, "value": v} for [k, v] in enumerate(things.ids)]:
things_grant.append(databricks.Grant(f"things-{range['key']}",
table=range["value"],
principal="sensitive",
privileges=[
"SELECT",
"MODIFY",
]))
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
things, err := databricks.GetTables(ctx, &databricks.GetTablesArgs{
CatalogName: "sandbox",
SchemaName: "things",
}, nil)
if err != nil {
return err
}
var thingsGrant []*databricks.Grant
for key0, val0 := range things.Ids {
__res, err := databricks.NewGrant(ctx, fmt.Sprintf("things-%v", key0), &databricks.GrantArgs{
Table: pulumi.String(val0),
Principal: pulumi.String("sensitive"),
Privileges: pulumi.StringArray{
pulumi.String("SELECT"),
pulumi.String("MODIFY"),
},
})
if err != nil {
return err
}
thingsGrant = append(thingsGrant, __res)
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(async() =>
{
var things = await Databricks.GetTables.InvokeAsync(new()
{
CatalogName = "sandbox",
SchemaName = "things",
});
var thingsGrant = new List<Databricks.Grant>();
foreach (var range in )
{
thingsGrant.Add(new Databricks.Grant($"things-{range.Key}", new()
{
Table = range.Value,
Principal = "sensitive",
Privileges = new[]
{
"SELECT",
"MODIFY",
},
}));
}
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetTablesArgs;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import com.pulumi.codegen.internal.KeyedValue;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var things = DatabricksFunctions.getTables(GetTablesArgs.builder()
.catalogName("sandbox")
.schemaName("things")
.build());
final var thingsGrant = things.applyValue(getTablesResult -> {
final var resources = new ArrayList<Grant>();
for (var range : KeyedValue.of(getTablesResult.ids()) {
var resource = new Grant("thingsGrant-" + range.key(), GrantArgs.builder()
.table(range.value())
.principal("sensitive")
.privileges(
"SELECT",
"MODIFY")
.build());
resources.add(resource);
}
return resources;
});
}
}
resources:
thingsGrant:
type: databricks:Grant
name: things
properties:
table: ${range.value}
principal: sensitive
privileges:
- SELECT
- MODIFY
options: {}
variables:
things:
fn::invoke:
Function: databricks:getTables
Arguments:
catalogName: sandbox
schemaName: things
View grants
See databricks.Grants View grants for the list of privileges that apply to Views.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const customer360 = new databricks.Grant("customer360", {
table: "main.reporting.customer360",
principal: "Data Analysts",
privileges: ["SELECT"],
});
import pulumi
import pulumi_databricks as databricks
customer360 = databricks.Grant("customer360",
table="main.reporting.customer360",
principal="Data Analysts",
privileges=["SELECT"])
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewGrant(ctx, "customer360", &databricks.GrantArgs{
Table: pulumi.String("main.reporting.customer360"),
Principal: pulumi.String("Data Analysts"),
Privileges: pulumi.StringArray{
pulumi.String("SELECT"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var customer360 = new Databricks.Grant("customer360", new()
{
Table = "main.reporting.customer360",
Principal = "Data Analysts",
Privileges = new[]
{
"SELECT",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var customer360 = new Grant("customer360", GrantArgs.builder()
.table("main.reporting.customer360")
.principal("Data Analysts")
.privileges("SELECT")
.build());
}
}
resources:
customer360:
type: databricks:Grant
properties:
table: main.reporting.customer360
principal: Data Analysts
privileges:
- SELECT
You can also apply grants dynamically with databricks.getViews data resource:
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
export = async () => {
const customers = await databricks.getViews({
catalogName: "main",
schemaName: "customers",
});
const customersGrant: databricks.Grant[] = [];
for (const range of customers.ids.map((v, k) => ({key: k, value: v}))) {
customersGrant.push(new databricks.Grant(`customers-${range.key}`, {
table: range.value,
principal: "sensitive",
privileges: [
"SELECT",
"MODIFY",
],
}));
}
}
import pulumi
import pulumi_databricks as databricks
customers = databricks.get_views(catalog_name="main",
schema_name="customers")
customers_grant = []
for range in [{"key": k, "value": v} for [k, v] in enumerate(customers.ids)]:
customers_grant.append(databricks.Grant(f"customers-{range['key']}",
table=range["value"],
principal="sensitive",
privileges=[
"SELECT",
"MODIFY",
]))
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
customers, err := databricks.GetViews(ctx, &databricks.GetViewsArgs{
CatalogName: "main",
SchemaName: "customers",
}, nil)
if err != nil {
return err
}
var customersGrant []*databricks.Grant
for key0, val0 := range customers.Ids {
__res, err := databricks.NewGrant(ctx, fmt.Sprintf("customers-%v", key0), &databricks.GrantArgs{
Table: pulumi.String(val0),
Principal: pulumi.String("sensitive"),
Privileges: pulumi.StringArray{
pulumi.String("SELECT"),
pulumi.String("MODIFY"),
},
})
if err != nil {
return err
}
customersGrant = append(customersGrant, __res)
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(async() =>
{
var customers = await Databricks.GetViews.InvokeAsync(new()
{
CatalogName = "main",
SchemaName = "customers",
});
var customersGrant = new List<Databricks.Grant>();
foreach (var range in )
{
customersGrant.Add(new Databricks.Grant($"customers-{range.Key}", new()
{
Table = range.Value,
Principal = "sensitive",
Privileges = new[]
{
"SELECT",
"MODIFY",
},
}));
}
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetViewsArgs;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import com.pulumi.codegen.internal.KeyedValue;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var customers = DatabricksFunctions.getViews(GetViewsArgs.builder()
.catalogName("main")
.schemaName("customers")
.build());
final var customersGrant = customers.applyValue(getViewsResult -> {
final var resources = new ArrayList<Grant>();
for (var range : KeyedValue.of(getViewsResult.ids()) {
var resource = new Grant("customersGrant-" + range.key(), GrantArgs.builder()
.table(range.value())
.principal("sensitive")
.privileges(
"SELECT",
"MODIFY")
.build());
resources.add(resource);
}
return resources;
});
}
}
resources:
customersGrant:
type: databricks:Grant
name: customers
properties:
table: ${range.value}
principal: sensitive
privileges:
- SELECT
- MODIFY
options: {}
variables:
customers:
fn::invoke:
Function: databricks:getViews
Arguments:
catalogName: main
schemaName: customers
Volume grants
See databricks.Grants Volume grants for the list of privileges that apply to Volumes.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const _this = new databricks.Volume("this", {
name: "quickstart_volume",
catalogName: sandbox.name,
schemaName: things.name,
volumeType: "EXTERNAL",
storageLocation: some.url,
comment: "this volume is managed by terraform",
});
const volume = new databricks.Grant("volume", {
volume: _this.id,
principal: "Data Engineers",
privileges: ["WRITE_VOLUME"],
});
import pulumi
import pulumi_databricks as databricks
this = databricks.Volume("this",
name="quickstart_volume",
catalog_name=sandbox["name"],
schema_name=things["name"],
volume_type="EXTERNAL",
storage_location=some["url"],
comment="this volume is managed by terraform")
volume = databricks.Grant("volume",
volume=this.id,
principal="Data Engineers",
privileges=["WRITE_VOLUME"])
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
this, err := databricks.NewVolume(ctx, "this", &databricks.VolumeArgs{
Name: pulumi.String("quickstart_volume"),
CatalogName: pulumi.Any(sandbox.Name),
SchemaName: pulumi.Any(things.Name),
VolumeType: pulumi.String("EXTERNAL"),
StorageLocation: pulumi.Any(some.Url),
Comment: pulumi.String("this volume is managed by terraform"),
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "volume", &databricks.GrantArgs{
Volume: this.ID(),
Principal: pulumi.String("Data Engineers"),
Privileges: pulumi.StringArray{
pulumi.String("WRITE_VOLUME"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var @this = new Databricks.Volume("this", new()
{
Name = "quickstart_volume",
CatalogName = sandbox.Name,
SchemaName = things.Name,
VolumeType = "EXTERNAL",
StorageLocation = some.Url,
Comment = "this volume is managed by terraform",
});
var volume = new Databricks.Grant("volume", new()
{
Volume = @this.Id,
Principal = "Data Engineers",
Privileges = new[]
{
"WRITE_VOLUME",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Volume;
import com.pulumi.databricks.VolumeArgs;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var this_ = new Volume("this", VolumeArgs.builder()
.name("quickstart_volume")
.catalogName(sandbox.name())
.schemaName(things.name())
.volumeType("EXTERNAL")
.storageLocation(some.url())
.comment("this volume is managed by terraform")
.build());
var volume = new Grant("volume", GrantArgs.builder()
.volume(this_.id())
.principal("Data Engineers")
.privileges("WRITE_VOLUME")
.build());
}
}
resources:
this:
type: databricks:Volume
properties:
name: quickstart_volume
catalogName: ${sandbox.name}
schemaName: ${things.name}
volumeType: EXTERNAL
storageLocation: ${some.url}
comment: this volume is managed by terraform
volume:
type: databricks:Grant
properties:
volume: ${this.id}
principal: Data Engineers
privileges:
- WRITE_VOLUME
Registered model grants
See databricks.Grants Registered model grants for the list of privileges that apply to Registered models.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const customersDataEngineers = new databricks.Grant("customers_data_engineers", {
model: "main.reporting.customer_model",
principal: "Data Engineers",
privileges: [
"APPLY_TAG",
"EXECUTE",
],
});
const customersDataAnalysts = new databricks.Grant("customers_data_analysts", {
model: "main.reporting.customer_model",
principal: "Data Analysts",
privileges: ["EXECUTE"],
});
import pulumi
import pulumi_databricks as databricks
customers_data_engineers = databricks.Grant("customers_data_engineers",
model="main.reporting.customer_model",
principal="Data Engineers",
privileges=[
"APPLY_TAG",
"EXECUTE",
])
customers_data_analysts = databricks.Grant("customers_data_analysts",
model="main.reporting.customer_model",
principal="Data Analysts",
privileges=["EXECUTE"])
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewGrant(ctx, "customers_data_engineers", &databricks.GrantArgs{
Model: pulumi.String("main.reporting.customer_model"),
Principal: pulumi.String("Data Engineers"),
Privileges: pulumi.StringArray{
pulumi.String("APPLY_TAG"),
pulumi.String("EXECUTE"),
},
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "customers_data_analysts", &databricks.GrantArgs{
Model: pulumi.String("main.reporting.customer_model"),
Principal: pulumi.String("Data Analysts"),
Privileges: pulumi.StringArray{
pulumi.String("EXECUTE"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var customersDataEngineers = new Databricks.Grant("customers_data_engineers", new()
{
Model = "main.reporting.customer_model",
Principal = "Data Engineers",
Privileges = new[]
{
"APPLY_TAG",
"EXECUTE",
},
});
var customersDataAnalysts = new Databricks.Grant("customers_data_analysts", new()
{
Model = "main.reporting.customer_model",
Principal = "Data Analysts",
Privileges = new[]
{
"EXECUTE",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var customersDataEngineers = new Grant("customersDataEngineers", GrantArgs.builder()
.model("main.reporting.customer_model")
.principal("Data Engineers")
.privileges(
"APPLY_TAG",
"EXECUTE")
.build());
var customersDataAnalysts = new Grant("customersDataAnalysts", GrantArgs.builder()
.model("main.reporting.customer_model")
.principal("Data Analysts")
.privileges("EXECUTE")
.build());
}
}
resources:
customersDataEngineers:
type: databricks:Grant
name: customers_data_engineers
properties:
model: main.reporting.customer_model
principal: Data Engineers
privileges:
- APPLY_TAG
- EXECUTE
customersDataAnalysts:
type: databricks:Grant
name: customers_data_analysts
properties:
model: main.reporting.customer_model
principal: Data Analysts
privileges:
- EXECUTE
Function grants
See databricks.Grants Function grants for the list of privileges that apply to Registered models.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const udfDataEngineers = new databricks.Grant("udf_data_engineers", {
"function": "main.reporting.udf",
principal: "Data Engineers",
privileges: ["EXECUTE"],
});
const udfDataAnalysts = new databricks.Grant("udf_data_analysts", {
"function": "main.reporting.udf",
principal: "Data Analysts",
privileges: ["EXECUTE"],
});
import pulumi
import pulumi_databricks as databricks
udf_data_engineers = databricks.Grant("udf_data_engineers",
function="main.reporting.udf",
principal="Data Engineers",
privileges=["EXECUTE"])
udf_data_analysts = databricks.Grant("udf_data_analysts",
function="main.reporting.udf",
principal="Data Analysts",
privileges=["EXECUTE"])
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := databricks.NewGrant(ctx, "udf_data_engineers", &databricks.GrantArgs{
Function: pulumi.String("main.reporting.udf"),
Principal: pulumi.String("Data Engineers"),
Privileges: pulumi.StringArray{
pulumi.String("EXECUTE"),
},
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "udf_data_analysts", &databricks.GrantArgs{
Function: pulumi.String("main.reporting.udf"),
Principal: pulumi.String("Data Analysts"),
Privileges: pulumi.StringArray{
pulumi.String("EXECUTE"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var udfDataEngineers = new Databricks.Grant("udf_data_engineers", new()
{
Function = "main.reporting.udf",
Principal = "Data Engineers",
Privileges = new[]
{
"EXECUTE",
},
});
var udfDataAnalysts = new Databricks.Grant("udf_data_analysts", new()
{
Function = "main.reporting.udf",
Principal = "Data Analysts",
Privileges = new[]
{
"EXECUTE",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var udfDataEngineers = new Grant("udfDataEngineers", GrantArgs.builder()
.function("main.reporting.udf")
.principal("Data Engineers")
.privileges("EXECUTE")
.build());
var udfDataAnalysts = new Grant("udfDataAnalysts", GrantArgs.builder()
.function("main.reporting.udf")
.principal("Data Analysts")
.privileges("EXECUTE")
.build());
}
}
resources:
udfDataEngineers:
type: databricks:Grant
name: udf_data_engineers
properties:
function: main.reporting.udf
principal: Data Engineers
privileges:
- EXECUTE
udfDataAnalysts:
type: databricks:Grant
name: udf_data_analysts
properties:
function: main.reporting.udf
principal: Data Analysts
privileges:
- EXECUTE
Storage credential grants
See databricks.Grants Storage credential grants for the list of privileges that apply to Storage credentials.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const external = new databricks.StorageCredential("external", {
name: externalDataAccess.name,
awsIamRole: {
roleArn: externalDataAccess.arn,
},
comment: "Managed by TF",
});
const externalCreds = new databricks.Grant("external_creds", {
storageCredential: external.id,
principal: "Data Engineers",
privileges: ["CREATE_EXTERNAL_TABLE"],
});
import pulumi
import pulumi_databricks as databricks
external = databricks.StorageCredential("external",
name=external_data_access["name"],
aws_iam_role={
"role_arn": external_data_access["arn"],
},
comment="Managed by TF")
external_creds = databricks.Grant("external_creds",
storage_credential=external.id,
principal="Data Engineers",
privileges=["CREATE_EXTERNAL_TABLE"])
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
external, err := databricks.NewStorageCredential(ctx, "external", &databricks.StorageCredentialArgs{
Name: pulumi.Any(externalDataAccess.Name),
AwsIamRole: &databricks.StorageCredentialAwsIamRoleArgs{
RoleArn: pulumi.Any(externalDataAccess.Arn),
},
Comment: pulumi.String("Managed by TF"),
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "external_creds", &databricks.GrantArgs{
StorageCredential: external.ID(),
Principal: pulumi.String("Data Engineers"),
Privileges: pulumi.StringArray{
pulumi.String("CREATE_EXTERNAL_TABLE"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var external = new Databricks.StorageCredential("external", new()
{
Name = externalDataAccess.Name,
AwsIamRole = new Databricks.Inputs.StorageCredentialAwsIamRoleArgs
{
RoleArn = externalDataAccess.Arn,
},
Comment = "Managed by TF",
});
var externalCreds = new Databricks.Grant("external_creds", new()
{
StorageCredential = external.Id,
Principal = "Data Engineers",
Privileges = new[]
{
"CREATE_EXTERNAL_TABLE",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.StorageCredential;
import com.pulumi.databricks.StorageCredentialArgs;
import com.pulumi.databricks.inputs.StorageCredentialAwsIamRoleArgs;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var external = new StorageCredential("external", StorageCredentialArgs.builder()
.name(externalDataAccess.name())
.awsIamRole(StorageCredentialAwsIamRoleArgs.builder()
.roleArn(externalDataAccess.arn())
.build())
.comment("Managed by TF")
.build());
var externalCreds = new Grant("externalCreds", GrantArgs.builder()
.storageCredential(external.id())
.principal("Data Engineers")
.privileges("CREATE_EXTERNAL_TABLE")
.build());
}
}
resources:
external:
type: databricks:StorageCredential
properties:
name: ${externalDataAccess.name}
awsIamRole:
roleArn: ${externalDataAccess.arn}
comment: Managed by TF
externalCreds:
type: databricks:Grant
name: external_creds
properties:
storageCredential: ${external.id}
principal: Data Engineers
privileges:
- CREATE_EXTERNAL_TABLE
External location grants
See databricks.Grants External location grants for the list of privileges that apply to External locations.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const some = new databricks.ExternalLocation("some", {
name: "external",
url: `s3://${externalAwsS3Bucket.id}/some`,
credentialName: external.id,
comment: "Managed by TF",
});
const someDataEngineers = new databricks.Grant("some_data_engineers", {
externalLocation: some.id,
principal: "Data Engineers",
privileges: [
"CREATE_EXTERNAL_TABLE",
"READ_FILES",
],
});
const someServicePrincipal = new databricks.Grant("some_service_principal", {
externalLocation: some.id,
principal: mySp.applicationId,
privileges: [
"USE_SCHEMA",
"MODIFY",
],
});
const someGroup = new databricks.Grant("some_group", {
externalLocation: some.id,
principal: myGroup.displayName,
privileges: [
"USE_SCHEMA",
"MODIFY",
],
});
const someUser = new databricks.Grant("some_user", {
externalLocation: some.id,
principal: myUser.userName,
privileges: [
"USE_SCHEMA",
"MODIFY",
],
});
import pulumi
import pulumi_databricks as databricks
some = databricks.ExternalLocation("some",
name="external",
url=f"s3://{external_aws_s3_bucket['id']}/some",
credential_name=external["id"],
comment="Managed by TF")
some_data_engineers = databricks.Grant("some_data_engineers",
external_location=some.id,
principal="Data Engineers",
privileges=[
"CREATE_EXTERNAL_TABLE",
"READ_FILES",
])
some_service_principal = databricks.Grant("some_service_principal",
external_location=some.id,
principal=my_sp["applicationId"],
privileges=[
"USE_SCHEMA",
"MODIFY",
])
some_group = databricks.Grant("some_group",
external_location=some.id,
principal=my_group["displayName"],
privileges=[
"USE_SCHEMA",
"MODIFY",
])
some_user = databricks.Grant("some_user",
external_location=some.id,
principal=my_user["userName"],
privileges=[
"USE_SCHEMA",
"MODIFY",
])
package main
import (
"fmt"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
some, err := databricks.NewExternalLocation(ctx, "some", &databricks.ExternalLocationArgs{
Name: pulumi.String("external"),
Url: pulumi.Sprintf("s3://%v/some", externalAwsS3Bucket.Id),
CredentialName: pulumi.Any(external.Id),
Comment: pulumi.String("Managed by TF"),
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "some_data_engineers", &databricks.GrantArgs{
ExternalLocation: some.ID(),
Principal: pulumi.String("Data Engineers"),
Privileges: pulumi.StringArray{
pulumi.String("CREATE_EXTERNAL_TABLE"),
pulumi.String("READ_FILES"),
},
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "some_service_principal", &databricks.GrantArgs{
ExternalLocation: some.ID(),
Principal: pulumi.Any(mySp.ApplicationId),
Privileges: pulumi.StringArray{
pulumi.String("USE_SCHEMA"),
pulumi.String("MODIFY"),
},
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "some_group", &databricks.GrantArgs{
ExternalLocation: some.ID(),
Principal: pulumi.Any(myGroup.DisplayName),
Privileges: pulumi.StringArray{
pulumi.String("USE_SCHEMA"),
pulumi.String("MODIFY"),
},
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "some_user", &databricks.GrantArgs{
ExternalLocation: some.ID(),
Principal: pulumi.Any(myUser.UserName),
Privileges: pulumi.StringArray{
pulumi.String("USE_SCHEMA"),
pulumi.String("MODIFY"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var some = new Databricks.ExternalLocation("some", new()
{
Name = "external",
Url = $"s3://{externalAwsS3Bucket.Id}/some",
CredentialName = external.Id,
Comment = "Managed by TF",
});
var someDataEngineers = new Databricks.Grant("some_data_engineers", new()
{
ExternalLocation = some.Id,
Principal = "Data Engineers",
Privileges = new[]
{
"CREATE_EXTERNAL_TABLE",
"READ_FILES",
},
});
var someServicePrincipal = new Databricks.Grant("some_service_principal", new()
{
ExternalLocation = some.Id,
Principal = mySp.ApplicationId,
Privileges = new[]
{
"USE_SCHEMA",
"MODIFY",
},
});
var someGroup = new Databricks.Grant("some_group", new()
{
ExternalLocation = some.Id,
Principal = myGroup.DisplayName,
Privileges = new[]
{
"USE_SCHEMA",
"MODIFY",
},
});
var someUser = new Databricks.Grant("some_user", new()
{
ExternalLocation = some.Id,
Principal = myUser.UserName,
Privileges = new[]
{
"USE_SCHEMA",
"MODIFY",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.ExternalLocation;
import com.pulumi.databricks.ExternalLocationArgs;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var some = new ExternalLocation("some", ExternalLocationArgs.builder()
.name("external")
.url(String.format("s3://%s/some", externalAwsS3Bucket.id()))
.credentialName(external.id())
.comment("Managed by TF")
.build());
var someDataEngineers = new Grant("someDataEngineers", GrantArgs.builder()
.externalLocation(some.id())
.principal("Data Engineers")
.privileges(
"CREATE_EXTERNAL_TABLE",
"READ_FILES")
.build());
var someServicePrincipal = new Grant("someServicePrincipal", GrantArgs.builder()
.externalLocation(some.id())
.principal(mySp.applicationId())
.privileges(
"USE_SCHEMA",
"MODIFY")
.build());
var someGroup = new Grant("someGroup", GrantArgs.builder()
.externalLocation(some.id())
.principal(myGroup.displayName())
.privileges(
"USE_SCHEMA",
"MODIFY")
.build());
var someUser = new Grant("someUser", GrantArgs.builder()
.externalLocation(some.id())
.principal(myUser.userName())
.privileges(
"USE_SCHEMA",
"MODIFY")
.build());
}
}
resources:
some:
type: databricks:ExternalLocation
properties:
name: external
url: s3://${externalAwsS3Bucket.id}/some
credentialName: ${external.id}
comment: Managed by TF
someDataEngineers:
type: databricks:Grant
name: some_data_engineers
properties:
externalLocation: ${some.id}
principal: Data Engineers
privileges:
- CREATE_EXTERNAL_TABLE
- READ_FILES
someServicePrincipal:
type: databricks:Grant
name: some_service_principal
properties:
externalLocation: ${some.id}
principal: ${mySp.applicationId}
privileges:
- USE_SCHEMA
- MODIFY
someGroup:
type: databricks:Grant
name: some_group
properties:
externalLocation: ${some.id}
principal: ${myGroup.displayName}
privileges:
- USE_SCHEMA
- MODIFY
someUser:
type: databricks:Grant
name: some_user
properties:
externalLocation: ${some.id}
principal: ${myUser.userName}
privileges:
- USE_SCHEMA
- MODIFY
Connection grants
See databricks.Grants Connection grants for the list of privileges that apply to Connections.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const mysql = new databricks.Connection("mysql", {
name: "mysql_connection",
connectionType: "MYSQL",
comment: "this is a connection to mysql db",
options: {
host: "test.mysql.database.azure.com",
port: "3306",
user: "user",
password: "password",
},
properties: {
purpose: "testing",
},
});
const some = new databricks.Grant("some", {
foreignConnection: mysql.name,
principal: "Data Engineers",
privileges: [
"CREATE_FOREIGN_CATALOG",
"USE_CONNECTION",
],
});
import pulumi
import pulumi_databricks as databricks
mysql = databricks.Connection("mysql",
name="mysql_connection",
connection_type="MYSQL",
comment="this is a connection to mysql db",
options={
"host": "test.mysql.database.azure.com",
"port": "3306",
"user": "user",
"password": "password",
},
properties={
"purpose": "testing",
})
some = databricks.Grant("some",
foreign_connection=mysql.name,
principal="Data Engineers",
privileges=[
"CREATE_FOREIGN_CATALOG",
"USE_CONNECTION",
])
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
mysql, err := databricks.NewConnection(ctx, "mysql", &databricks.ConnectionArgs{
Name: pulumi.String("mysql_connection"),
ConnectionType: pulumi.String("MYSQL"),
Comment: pulumi.String("this is a connection to mysql db"),
Options: pulumi.StringMap{
"host": pulumi.String("test.mysql.database.azure.com"),
"port": pulumi.String("3306"),
"user": pulumi.String("user"),
"password": pulumi.String("password"),
},
Properties: pulumi.StringMap{
"purpose": pulumi.String("testing"),
},
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "some", &databricks.GrantArgs{
ForeignConnection: mysql.Name,
Principal: pulumi.String("Data Engineers"),
Privileges: pulumi.StringArray{
pulumi.String("CREATE_FOREIGN_CATALOG"),
pulumi.String("USE_CONNECTION"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var mysql = new Databricks.Connection("mysql", new()
{
Name = "mysql_connection",
ConnectionType = "MYSQL",
Comment = "this is a connection to mysql db",
Options =
{
{ "host", "test.mysql.database.azure.com" },
{ "port", "3306" },
{ "user", "user" },
{ "password", "password" },
},
Properties =
{
{ "purpose", "testing" },
},
});
var some = new Databricks.Grant("some", new()
{
ForeignConnection = mysql.Name,
Principal = "Data Engineers",
Privileges = new[]
{
"CREATE_FOREIGN_CATALOG",
"USE_CONNECTION",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Connection;
import com.pulumi.databricks.ConnectionArgs;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var mysql = new Connection("mysql", ConnectionArgs.builder()
.name("mysql_connection")
.connectionType("MYSQL")
.comment("this is a connection to mysql db")
.options(Map.ofEntries(
Map.entry("host", "test.mysql.database.azure.com"),
Map.entry("port", "3306"),
Map.entry("user", "user"),
Map.entry("password", "password")
))
.properties(Map.of("purpose", "testing"))
.build());
var some = new Grant("some", GrantArgs.builder()
.foreignConnection(mysql.name())
.principal("Data Engineers")
.privileges(
"CREATE_FOREIGN_CATALOG",
"USE_CONNECTION")
.build());
}
}
resources:
mysql:
type: databricks:Connection
properties:
name: mysql_connection
connectionType: MYSQL
comment: this is a connection to mysql db
options:
host: test.mysql.database.azure.com
port: '3306'
user: user
password: password
properties:
purpose: testing
some:
type: databricks:Grant
properties:
foreignConnection: ${mysql.name}
principal: Data Engineers
privileges:
- CREATE_FOREIGN_CATALOG
- USE_CONNECTION
Delta Sharing share grants
See databricks.Grants Delta Sharing share grants for the list of privileges that apply to Delta Sharing shares.
import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";
const some = new databricks.Share("some", {name: "my_share"});
const someRecipient = new databricks.Recipient("some", {name: "my_recipient"});
const someGrant = new databricks.Grant("some", {
share: some.name,
principal: someRecipient.name,
privileges: ["SELECT"],
});
import pulumi
import pulumi_databricks as databricks
some = databricks.Share("some", name="my_share")
some_recipient = databricks.Recipient("some", name="my_recipient")
some_grant = databricks.Grant("some",
share=some.name,
principal=some_recipient.name,
privileges=["SELECT"])
package main
import (
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
some, err := databricks.NewShare(ctx, "some", &databricks.ShareArgs{
Name: pulumi.String("my_share"),
})
if err != nil {
return err
}
someRecipient, err := databricks.NewRecipient(ctx, "some", &databricks.RecipientArgs{
Name: pulumi.String("my_recipient"),
})
if err != nil {
return err
}
_, err = databricks.NewGrant(ctx, "some", &databricks.GrantArgs{
Share: some.Name,
Principal: someRecipient.Name,
Privileges: pulumi.StringArray{
pulumi.String("SELECT"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var some = new Databricks.Share("some", new()
{
Name = "my_share",
});
var someRecipient = new Databricks.Recipient("some", new()
{
Name = "my_recipient",
});
var someGrant = new Databricks.Grant("some", new()
{
Share = some.Name,
Principal = someRecipient.Name,
Privileges = new[]
{
"SELECT",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.Share;
import com.pulumi.databricks.ShareArgs;
import com.pulumi.databricks.Recipient;
import com.pulumi.databricks.RecipientArgs;
import com.pulumi.databricks.Grant;
import com.pulumi.databricks.GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var some = new Share("some", ShareArgs.builder()
.name("my_share")
.build());
var someRecipient = new Recipient("someRecipient", RecipientArgs.builder()
.name("my_recipient")
.build());
var someGrant = new Grant("someGrant", GrantArgs.builder()
.share(some.name())
.principal(someRecipient.name())
.privileges("SELECT")
.build());
}
}
resources:
some:
type: databricks:Share
properties:
name: my_share
someRecipient:
type: databricks:Recipient
name: some
properties:
name: my_recipient
someGrant:
type: databricks:Grant
name: some
properties:
share: ${some.name}
principal: ${someRecipient.name}
privileges:
- SELECT
Other access control
You can control Databricks General Permissions through databricks.Permissions resource.
Create Grant Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Grant(name: string, args: GrantArgs, opts?: CustomResourceOptions);@overload
def Grant(resource_name: str,
args: GrantArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Grant(resource_name: str,
opts: Optional[ResourceOptions] = None,
principal: Optional[str] = None,
privileges: Optional[Sequence[str]] = None,
pipeline: Optional[str] = None,
function: Optional[str] = None,
metastore: Optional[str] = None,
model: Optional[str] = None,
catalog: Optional[str] = None,
foreign_connection: Optional[str] = None,
external_location: Optional[str] = None,
recipient: Optional[str] = None,
schema: Optional[str] = None,
share: Optional[str] = None,
storage_credential: Optional[str] = None,
table: Optional[str] = None,
volume: Optional[str] = None)func NewGrant(ctx *Context, name string, args GrantArgs, opts ...ResourceOption) (*Grant, error)public Grant(string name, GrantArgs args, CustomResourceOptions? opts = null)type: databricks:Grant
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args GrantArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args GrantArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args GrantArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args GrantArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args GrantArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var grantResource = new Databricks.Grant("grantResource", new()
{
Principal = "string",
Privileges = new[]
{
"string",
},
Pipeline = "string",
Function = "string",
Metastore = "string",
Model = "string",
Catalog = "string",
ForeignConnection = "string",
ExternalLocation = "string",
Recipient = "string",
Schema = "string",
Share = "string",
StorageCredential = "string",
Table = "string",
Volume = "string",
});
example, err := databricks.NewGrant(ctx, "grantResource", &databricks.GrantArgs{
Principal: pulumi.String("string"),
Privileges: pulumi.StringArray{
pulumi.String("string"),
},
Pipeline: pulumi.String("string"),
Function: pulumi.String("string"),
Metastore: pulumi.String("string"),
Model: pulumi.String("string"),
Catalog: pulumi.String("string"),
ForeignConnection: pulumi.String("string"),
ExternalLocation: pulumi.String("string"),
Recipient: pulumi.String("string"),
Schema: pulumi.String("string"),
Share: pulumi.String("string"),
StorageCredential: pulumi.String("string"),
Table: pulumi.String("string"),
Volume: pulumi.String("string"),
})
var grantResource = new Grant("grantResource", GrantArgs.builder()
.principal("string")
.privileges("string")
.pipeline("string")
.function("string")
.metastore("string")
.model("string")
.catalog("string")
.foreignConnection("string")
.externalLocation("string")
.recipient("string")
.schema("string")
.share("string")
.storageCredential("string")
.table("string")
.volume("string")
.build());
grant_resource = databricks.Grant("grantResource",
principal="string",
privileges=["string"],
pipeline="string",
function="string",
metastore="string",
model="string",
catalog="string",
foreign_connection="string",
external_location="string",
recipient="string",
schema="string",
share="string",
storage_credential="string",
table="string",
volume="string")
const grantResource = new databricks.Grant("grantResource", {
principal: "string",
privileges: ["string"],
pipeline: "string",
"function": "string",
metastore: "string",
model: "string",
catalog: "string",
foreignConnection: "string",
externalLocation: "string",
recipient: "string",
schema: "string",
share: "string",
storageCredential: "string",
table: "string",
volume: "string",
});
type: databricks:Grant
properties:
catalog: string
externalLocation: string
foreignConnection: string
function: string
metastore: string
model: string
pipeline: string
principal: string
privileges:
- string
recipient: string
schema: string
share: string
storageCredential: string
table: string
volume: string
Grant Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Grant resource accepts the following input properties:
- Principal string
- Privileges List<string>
- Catalog string
- External
Location string - Foreign
Connection string - Function string
- Metastore string
- Model string
- Pipeline string
- Recipient string
- Schema string
- string
- Storage
Credential string - Table string
- Volume string
- Principal string
- Privileges []string
- Catalog string
- External
Location string - Foreign
Connection string - Function string
- Metastore string
- Model string
- Pipeline string
- Recipient string
- Schema string
- string
- Storage
Credential string - Table string
- Volume string
- principal String
- privileges List<String>
- catalog String
- external
Location String - foreign
Connection String - function String
- metastore String
- model String
- pipeline String
- recipient String
- schema String
- String
- storage
Credential String - table String
- volume String
- principal string
- privileges string[]
- catalog string
- external
Location string - foreign
Connection string - function string
- metastore string
- model string
- pipeline string
- recipient string
- schema string
- string
- storage
Credential string - table string
- volume string
- principal str
- privileges Sequence[str]
- catalog str
- external_
location str - foreign_
connection str - function str
- metastore str
- model str
- pipeline str
- recipient str
- schema str
- str
- storage_
credential str - table str
- volume str
- principal String
- privileges List<String>
- catalog String
- external
Location String - foreign
Connection String - function String
- metastore String
- model String
- pipeline String
- recipient String
- schema String
- String
- storage
Credential String - table String
- volume String
Outputs
All input properties are implicitly available as output properties. Additionally, the Grant resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Grant Resource
Get an existing Grant resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: GrantState, opts?: CustomResourceOptions): Grant@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
catalog: Optional[str] = None,
external_location: Optional[str] = None,
foreign_connection: Optional[str] = None,
function: Optional[str] = None,
metastore: Optional[str] = None,
model: Optional[str] = None,
pipeline: Optional[str] = None,
principal: Optional[str] = None,
privileges: Optional[Sequence[str]] = None,
recipient: Optional[str] = None,
schema: Optional[str] = None,
share: Optional[str] = None,
storage_credential: Optional[str] = None,
table: Optional[str] = None,
volume: Optional[str] = None) -> Grantfunc GetGrant(ctx *Context, name string, id IDInput, state *GrantState, opts ...ResourceOption) (*Grant, error)public static Grant Get(string name, Input<string> id, GrantState? state, CustomResourceOptions? opts = null)public static Grant get(String name, Output<String> id, GrantState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Catalog string
- External
Location string - Foreign
Connection string - Function string
- Metastore string
- Model string
- Pipeline string
- Principal string
- Privileges List<string>
- Recipient string
- Schema string
- string
- Storage
Credential string - Table string
- Volume string
- Catalog string
- External
Location string - Foreign
Connection string - Function string
- Metastore string
- Model string
- Pipeline string
- Principal string
- Privileges []string
- Recipient string
- Schema string
- string
- Storage
Credential string - Table string
- Volume string
- catalog String
- external
Location String - foreign
Connection String - function String
- metastore String
- model String
- pipeline String
- principal String
- privileges List<String>
- recipient String
- schema String
- String
- storage
Credential String - table String
- volume String
- catalog string
- external
Location string - foreign
Connection string - function string
- metastore string
- model string
- pipeline string
- principal string
- privileges string[]
- recipient string
- schema string
- string
- storage
Credential string - table string
- volume string
- catalog str
- external_
location str - foreign_
connection str - function str
- metastore str
- model str
- pipeline str
- principal str
- privileges Sequence[str]
- recipient str
- schema str
- str
- storage_
credential str - table str
- volume str
- catalog String
- external
Location String - foreign
Connection String - function String
- metastore String
- model String
- pipeline String
- principal String
- privileges List<String>
- recipient String
- schema String
- String
- storage
Credential String - table String
- volume String
Import
The resource can be imported using combination of securable type (table, catalog, foreign_connection, …), it’s name and principal:
bash
$ pulumi import databricks:index/grant:Grant this catalog/abc/user_name
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- databricks pulumi/pulumi-databricks
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
databricksTerraform Provider.