1. Packages
  2. Databricks
  3. API Docs
  4. MwsCustomerManagedKeys
Databricks v1.56.0 published on Tuesday, Nov 12, 2024 by Pulumi

databricks.MwsCustomerManagedKeys

Explore with Pulumi AI

databricks logo
Databricks v1.56.0 published on Tuesday, Nov 12, 2024 by Pulumi

    Example Usage

    If you’ve used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour.

    Customer-managed key for managed services

    You must configure this during workspace creation

    For AWS

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    import * as databricks from "@pulumi/databricks";
    
    const config = new pulumi.Config();
    // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
    const databricksAccountId = config.requireObject("databricksAccountId");
    const current = aws.getCallerIdentity({});
    const databricksManagedServicesCmk = current.then(current => aws.iam.getPolicyDocument({
        version: "2012-10-17",
        statements: [
            {
                sid: "Enable IAM User Permissions",
                effect: "Allow",
                principals: [{
                    type: "AWS",
                    identifiers: [current.accountId],
                }],
                actions: ["kms:*"],
                resources: ["*"],
            },
            {
                sid: "Allow Databricks to use KMS key for control plane managed services",
                effect: "Allow",
                principals: [{
                    type: "AWS",
                    identifiers: ["arn:aws:iam::414351767826:root"],
                }],
                actions: [
                    "kms:Encrypt",
                    "kms:Decrypt",
                ],
                resources: ["*"],
            },
        ],
    }));
    const managedServicesCustomerManagedKey = new aws.kms.Key("managed_services_customer_managed_key", {policy: databricksManagedServicesCmk.then(databricksManagedServicesCmk => databricksManagedServicesCmk.json)});
    const managedServicesCustomerManagedKeyAlias = new aws.kms.Alias("managed_services_customer_managed_key_alias", {
        name: "alias/managed-services-customer-managed-key-alias",
        targetKeyId: managedServicesCustomerManagedKey.keyId,
    });
    const managedServices = new databricks.MwsCustomerManagedKeys("managed_services", {
        accountId: databricksAccountId,
        awsKeyInfo: {
            keyArn: managedServicesCustomerManagedKey.arn,
            keyAlias: managedServicesCustomerManagedKeyAlias.name,
        },
        useCases: ["MANAGED_SERVICES"],
    });
    
    import pulumi
    import pulumi_aws as aws
    import pulumi_databricks as databricks
    
    config = pulumi.Config()
    # Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
    databricks_account_id = config.require_object("databricksAccountId")
    current = aws.get_caller_identity()
    databricks_managed_services_cmk = aws.iam.get_policy_document(version="2012-10-17",
        statements=[
            {
                "sid": "Enable IAM User Permissions",
                "effect": "Allow",
                "principals": [{
                    "type": "AWS",
                    "identifiers": [current.account_id],
                }],
                "actions": ["kms:*"],
                "resources": ["*"],
            },
            {
                "sid": "Allow Databricks to use KMS key for control plane managed services",
                "effect": "Allow",
                "principals": [{
                    "type": "AWS",
                    "identifiers": ["arn:aws:iam::414351767826:root"],
                }],
                "actions": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                ],
                "resources": ["*"],
            },
        ])
    managed_services_customer_managed_key = aws.kms.Key("managed_services_customer_managed_key", policy=databricks_managed_services_cmk.json)
    managed_services_customer_managed_key_alias = aws.kms.Alias("managed_services_customer_managed_key_alias",
        name="alias/managed-services-customer-managed-key-alias",
        target_key_id=managed_services_customer_managed_key.key_id)
    managed_services = databricks.MwsCustomerManagedKeys("managed_services",
        account_id=databricks_account_id,
        aws_key_info={
            "key_arn": managed_services_customer_managed_key.arn,
            "key_alias": managed_services_customer_managed_key_alias.name,
        },
        use_cases=["MANAGED_SERVICES"])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
    	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    )
    func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
    cfg := config.New(ctx, "")
    // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
    databricksAccountId := cfg.RequireObject("databricksAccountId")
    current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{
    }, nil);
    if err != nil {
    return err
    }
    databricksManagedServicesCmk, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    Version: pulumi.StringRef("2012-10-17"),
    Statements: []iam.GetPolicyDocumentStatement{
    {
    Sid: pulumi.StringRef("Enable IAM User Permissions"),
    Effect: pulumi.StringRef("Allow"),
    Principals: []iam.GetPolicyDocumentStatementPrincipal{
    {
    Type: "AWS",
    Identifiers: interface{}{
    current.AccountId,
    },
    },
    },
    Actions: []string{
    "kms:*",
    },
    Resources: []string{
    "*",
    },
    },
    {
    Sid: pulumi.StringRef("Allow Databricks to use KMS key for control plane managed services"),
    Effect: pulumi.StringRef("Allow"),
    Principals: []iam.GetPolicyDocumentStatementPrincipal{
    {
    Type: "AWS",
    Identifiers: []string{
    "arn:aws:iam::414351767826:root",
    },
    },
    },
    Actions: []string{
    "kms:Encrypt",
    "kms:Decrypt",
    },
    Resources: []string{
    "*",
    },
    },
    },
    }, nil);
    if err != nil {
    return err
    }
    managedServicesCustomerManagedKey, err := kms.NewKey(ctx, "managed_services_customer_managed_key", &kms.KeyArgs{
    Policy: pulumi.String(databricksManagedServicesCmk.Json),
    })
    if err != nil {
    return err
    }
    managedServicesCustomerManagedKeyAlias, err := kms.NewAlias(ctx, "managed_services_customer_managed_key_alias", &kms.AliasArgs{
    Name: pulumi.String("alias/managed-services-customer-managed-key-alias"),
    TargetKeyId: managedServicesCustomerManagedKey.KeyId,
    })
    if err != nil {
    return err
    }
    _, err = databricks.NewMwsCustomerManagedKeys(ctx, "managed_services", &databricks.MwsCustomerManagedKeysArgs{
    AccountId: pulumi.Any(databricksAccountId),
    AwsKeyInfo: &databricks.MwsCustomerManagedKeysAwsKeyInfoArgs{
    KeyArn: managedServicesCustomerManagedKey.Arn,
    KeyAlias: managedServicesCustomerManagedKeyAlias.Name,
    },
    UseCases: pulumi.StringArray{
    pulumi.String("MANAGED_SERVICES"),
    },
    })
    if err != nil {
    return err
    }
    return nil
    })
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    using Databricks = Pulumi.Databricks;
    
    return await Deployment.RunAsync(() => 
    {
        var config = new Config();
        // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
        var databricksAccountId = config.RequireObject<dynamic>("databricksAccountId");
        var current = Aws.GetCallerIdentity.Invoke();
    
        var databricksManagedServicesCmk = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Version = "2012-10-17",
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "Enable IAM User Permissions",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId),
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "kms:*",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "Allow Databricks to use KMS key for control plane managed services",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                "arn:aws:iam::414351767826:root",
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "kms:Encrypt",
                        "kms:Decrypt",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
            },
        });
    
        var managedServicesCustomerManagedKey = new Aws.Kms.Key("managed_services_customer_managed_key", new()
        {
            Policy = databricksManagedServicesCmk.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
        var managedServicesCustomerManagedKeyAlias = new Aws.Kms.Alias("managed_services_customer_managed_key_alias", new()
        {
            Name = "alias/managed-services-customer-managed-key-alias",
            TargetKeyId = managedServicesCustomerManagedKey.KeyId,
        });
    
        var managedServices = new Databricks.MwsCustomerManagedKeys("managed_services", new()
        {
            AccountId = databricksAccountId,
            AwsKeyInfo = new Databricks.Inputs.MwsCustomerManagedKeysAwsKeyInfoArgs
            {
                KeyArn = managedServicesCustomerManagedKey.Arn,
                KeyAlias = managedServicesCustomerManagedKeyAlias.Name,
            },
            UseCases = new[]
            {
                "MANAGED_SERVICES",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.inputs.GetCallerIdentityArgs;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.kms.Key;
    import com.pulumi.aws.kms.KeyArgs;
    import com.pulumi.aws.kms.Alias;
    import com.pulumi.aws.kms.AliasArgs;
    import com.pulumi.databricks.MwsCustomerManagedKeys;
    import com.pulumi.databricks.MwsCustomerManagedKeysArgs;
    import com.pulumi.databricks.inputs.MwsCustomerManagedKeysAwsKeyInfoArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var config = ctx.config();
            final var databricksAccountId = config.get("databricksAccountId");
            final var current = AwsFunctions.getCallerIdentity();
    
            final var databricksManagedServicesCmk = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .version("2012-10-17")
                .statements(            
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Enable IAM User Permissions")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers(current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()))
                            .build())
                        .actions("kms:*")
                        .resources("*")
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Allow Databricks to use KMS key for control plane managed services")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers("arn:aws:iam::414351767826:root")
                            .build())
                        .actions(                    
                            "kms:Encrypt",
                            "kms:Decrypt")
                        .resources("*")
                        .build())
                .build());
    
            var managedServicesCustomerManagedKey = new Key("managedServicesCustomerManagedKey", KeyArgs.builder()
                .policy(databricksManagedServicesCmk.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
            var managedServicesCustomerManagedKeyAlias = new Alias("managedServicesCustomerManagedKeyAlias", AliasArgs.builder()
                .name("alias/managed-services-customer-managed-key-alias")
                .targetKeyId(managedServicesCustomerManagedKey.keyId())
                .build());
    
            var managedServices = new MwsCustomerManagedKeys("managedServices", MwsCustomerManagedKeysArgs.builder()
                .accountId(databricksAccountId)
                .awsKeyInfo(MwsCustomerManagedKeysAwsKeyInfoArgs.builder()
                    .keyArn(managedServicesCustomerManagedKey.arn())
                    .keyAlias(managedServicesCustomerManagedKeyAlias.name())
                    .build())
                .useCases("MANAGED_SERVICES")
                .build());
    
        }
    }
    
    configuration:
      databricksAccountId:
        type: dynamic
    resources:
      managedServicesCustomerManagedKey:
        type: aws:kms:Key
        name: managed_services_customer_managed_key
        properties:
          policy: ${databricksManagedServicesCmk.json}
      managedServicesCustomerManagedKeyAlias:
        type: aws:kms:Alias
        name: managed_services_customer_managed_key_alias
        properties:
          name: alias/managed-services-customer-managed-key-alias
          targetKeyId: ${managedServicesCustomerManagedKey.keyId}
      managedServices:
        type: databricks:MwsCustomerManagedKeys
        name: managed_services
        properties:
          accountId: ${databricksAccountId}
          awsKeyInfo:
            keyArn: ${managedServicesCustomerManagedKey.arn}
            keyAlias: ${managedServicesCustomerManagedKeyAlias.name}
          useCases:
            - MANAGED_SERVICES
    variables:
      current:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
      databricksManagedServicesCmk:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            version: 2012-10-17
            statements:
              - sid: Enable IAM User Permissions
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - ${current.accountId}
                actions:
                  - kms:*
                resources:
                  - '*'
              - sid: Allow Databricks to use KMS key for control plane managed services
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - arn:aws:iam::414351767826:root
                actions:
                  - kms:Encrypt
                  - kms:Decrypt
                resources:
                  - '*'
    

    For GCP

    import * as pulumi from "@pulumi/pulumi";
    import * as databricks from "@pulumi/databricks";
    
    const config = new pulumi.Config();
    // Account Id that could be found in the top right corner of https://accounts.gcp.databricks.com/
    const databricksAccountId = config.requireObject("databricksAccountId");
    // Id of a google_kms_crypto_key
    const cmekResourceId = config.requireObject("cmekResourceId");
    const managedServices = new databricks.MwsCustomerManagedKeys("managed_services", {
        accountId: databricksAccountId,
        gcpKeyInfo: {
            kmsKeyId: cmekResourceId,
        },
        useCases: ["MANAGED_SERVICES"],
    });
    
    import pulumi
    import pulumi_databricks as databricks
    
    config = pulumi.Config()
    # Account Id that could be found in the top right corner of https://accounts.gcp.databricks.com/
    databricks_account_id = config.require_object("databricksAccountId")
    # Id of a google_kms_crypto_key
    cmek_resource_id = config.require_object("cmekResourceId")
    managed_services = databricks.MwsCustomerManagedKeys("managed_services",
        account_id=databricks_account_id,
        gcp_key_info={
            "kms_key_id": cmek_resource_id,
        },
        use_cases=["MANAGED_SERVICES"])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		cfg := config.New(ctx, "")
    		// Account Id that could be found in the top right corner of https://accounts.gcp.databricks.com/
    		databricksAccountId := cfg.RequireObject("databricksAccountId")
    		// Id of a google_kms_crypto_key
    		cmekResourceId := cfg.RequireObject("cmekResourceId")
    		_, err := databricks.NewMwsCustomerManagedKeys(ctx, "managed_services", &databricks.MwsCustomerManagedKeysArgs{
    			AccountId: pulumi.Any(databricksAccountId),
    			GcpKeyInfo: &databricks.MwsCustomerManagedKeysGcpKeyInfoArgs{
    				KmsKeyId: pulumi.Any(cmekResourceId),
    			},
    			UseCases: pulumi.StringArray{
    				pulumi.String("MANAGED_SERVICES"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Databricks = Pulumi.Databricks;
    
    return await Deployment.RunAsync(() => 
    {
        var config = new Config();
        // Account Id that could be found in the top right corner of https://accounts.gcp.databricks.com/
        var databricksAccountId = config.RequireObject<dynamic>("databricksAccountId");
        // Id of a google_kms_crypto_key
        var cmekResourceId = config.RequireObject<dynamic>("cmekResourceId");
        var managedServices = new Databricks.MwsCustomerManagedKeys("managed_services", new()
        {
            AccountId = databricksAccountId,
            GcpKeyInfo = new Databricks.Inputs.MwsCustomerManagedKeysGcpKeyInfoArgs
            {
                KmsKeyId = cmekResourceId,
            },
            UseCases = new[]
            {
                "MANAGED_SERVICES",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.databricks.MwsCustomerManagedKeys;
    import com.pulumi.databricks.MwsCustomerManagedKeysArgs;
    import com.pulumi.databricks.inputs.MwsCustomerManagedKeysGcpKeyInfoArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var config = ctx.config();
            final var databricksAccountId = config.get("databricksAccountId");
            final var cmekResourceId = config.get("cmekResourceId");
            var managedServices = new MwsCustomerManagedKeys("managedServices", MwsCustomerManagedKeysArgs.builder()
                .accountId(databricksAccountId)
                .gcpKeyInfo(MwsCustomerManagedKeysGcpKeyInfoArgs.builder()
                    .kmsKeyId(cmekResourceId)
                    .build())
                .useCases("MANAGED_SERVICES")
                .build());
    
        }
    }
    
    configuration:
      databricksAccountId:
        type: dynamic
      cmekResourceId:
        type: dynamic
    resources:
      managedServices:
        type: databricks:MwsCustomerManagedKeys
        name: managed_services
        properties:
          accountId: ${databricksAccountId}
          gcpKeyInfo:
            kmsKeyId: ${cmekResourceId}
          useCases:
            - MANAGED_SERVICES
    

    Customer-managed key for workspace storage

    For AWS

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    import * as databricks from "@pulumi/databricks";
    
    const config = new pulumi.Config();
    // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
    const databricksAccountId = config.requireObject("databricksAccountId");
    // AWS ARN for the Databricks cross account role
    const databricksCrossAccountRole = config.requireObject("databricksCrossAccountRole");
    const current = aws.getCallerIdentity({});
    const databricksStorageCmk = current.then(current => aws.iam.getPolicyDocument({
        version: "2012-10-17",
        statements: [
            {
                sid: "Enable IAM User Permissions",
                effect: "Allow",
                principals: [{
                    type: "AWS",
                    identifiers: [current.accountId],
                }],
                actions: ["kms:*"],
                resources: ["*"],
            },
            {
                sid: "Allow Databricks to use KMS key for DBFS",
                effect: "Allow",
                principals: [{
                    type: "AWS",
                    identifiers: ["arn:aws:iam::414351767826:root"],
                }],
                actions: [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey",
                ],
                resources: ["*"],
            },
            {
                sid: "Allow Databricks to use KMS key for DBFS (Grants)",
                effect: "Allow",
                principals: [{
                    type: "AWS",
                    identifiers: ["arn:aws:iam::414351767826:root"],
                }],
                actions: [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant",
                ],
                resources: ["*"],
                conditions: [{
                    test: "Bool",
                    variable: "kms:GrantIsForAWSResource",
                    values: ["true"],
                }],
            },
            {
                sid: "Allow Databricks to use KMS key for EBS",
                effect: "Allow",
                principals: [{
                    type: "AWS",
                    identifiers: [databricksCrossAccountRole],
                }],
                actions: [
                    "kms:Decrypt",
                    "kms:GenerateDataKey*",
                    "kms:CreateGrant",
                    "kms:DescribeKey",
                ],
                resources: ["*"],
                conditions: [{
                    test: "ForAnyValue:StringLike",
                    variable: "kms:ViaService",
                    values: ["ec2.*.amazonaws.com"],
                }],
            },
        ],
    }));
    const storageCustomerManagedKey = new aws.kms.Key("storage_customer_managed_key", {policy: databricksStorageCmk.then(databricksStorageCmk => databricksStorageCmk.json)});
    const storageCustomerManagedKeyAlias = new aws.kms.Alias("storage_customer_managed_key_alias", {
        name: "alias/storage-customer-managed-key-alias",
        targetKeyId: storageCustomerManagedKey.keyId,
    });
    const storage = new databricks.MwsCustomerManagedKeys("storage", {
        accountId: databricksAccountId,
        awsKeyInfo: {
            keyArn: storageCustomerManagedKey.arn,
            keyAlias: storageCustomerManagedKeyAlias.name,
        },
        useCases: ["STORAGE"],
    });
    
    import pulumi
    import pulumi_aws as aws
    import pulumi_databricks as databricks
    
    config = pulumi.Config()
    # Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
    databricks_account_id = config.require_object("databricksAccountId")
    # AWS ARN for the Databricks cross account role
    databricks_cross_account_role = config.require_object("databricksCrossAccountRole")
    current = aws.get_caller_identity()
    databricks_storage_cmk = aws.iam.get_policy_document(version="2012-10-17",
        statements=[
            {
                "sid": "Enable IAM User Permissions",
                "effect": "Allow",
                "principals": [{
                    "type": "AWS",
                    "identifiers": [current.account_id],
                }],
                "actions": ["kms:*"],
                "resources": ["*"],
            },
            {
                "sid": "Allow Databricks to use KMS key for DBFS",
                "effect": "Allow",
                "principals": [{
                    "type": "AWS",
                    "identifiers": ["arn:aws:iam::414351767826:root"],
                }],
                "actions": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey",
                ],
                "resources": ["*"],
            },
            {
                "sid": "Allow Databricks to use KMS key for DBFS (Grants)",
                "effect": "Allow",
                "principals": [{
                    "type": "AWS",
                    "identifiers": ["arn:aws:iam::414351767826:root"],
                }],
                "actions": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant",
                ],
                "resources": ["*"],
                "conditions": [{
                    "test": "Bool",
                    "variable": "kms:GrantIsForAWSResource",
                    "values": ["true"],
                }],
            },
            {
                "sid": "Allow Databricks to use KMS key for EBS",
                "effect": "Allow",
                "principals": [{
                    "type": "AWS",
                    "identifiers": [databricks_cross_account_role],
                }],
                "actions": [
                    "kms:Decrypt",
                    "kms:GenerateDataKey*",
                    "kms:CreateGrant",
                    "kms:DescribeKey",
                ],
                "resources": ["*"],
                "conditions": [{
                    "test": "ForAnyValue:StringLike",
                    "variable": "kms:ViaService",
                    "values": ["ec2.*.amazonaws.com"],
                }],
            },
        ])
    storage_customer_managed_key = aws.kms.Key("storage_customer_managed_key", policy=databricks_storage_cmk.json)
    storage_customer_managed_key_alias = aws.kms.Alias("storage_customer_managed_key_alias",
        name="alias/storage-customer-managed-key-alias",
        target_key_id=storage_customer_managed_key.key_id)
    storage = databricks.MwsCustomerManagedKeys("storage",
        account_id=databricks_account_id,
        aws_key_info={
            "key_arn": storage_customer_managed_key.arn,
            "key_alias": storage_customer_managed_key_alias.name,
        },
        use_cases=["STORAGE"])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
    	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    )
    func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
    cfg := config.New(ctx, "")
    // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
    databricksAccountId := cfg.RequireObject("databricksAccountId")
    // AWS ARN for the Databricks cross account role
    databricksCrossAccountRole := cfg.RequireObject("databricksCrossAccountRole")
    current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{
    }, nil);
    if err != nil {
    return err
    }
    databricksStorageCmk, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    Version: pulumi.StringRef("2012-10-17"),
    Statements: []iam.GetPolicyDocumentStatement{
    {
    Sid: pulumi.StringRef("Enable IAM User Permissions"),
    Effect: pulumi.StringRef("Allow"),
    Principals: []iam.GetPolicyDocumentStatementPrincipal{
    {
    Type: "AWS",
    Identifiers: interface{}{
    current.AccountId,
    },
    },
    },
    Actions: []string{
    "kms:*",
    },
    Resources: []string{
    "*",
    },
    },
    {
    Sid: pulumi.StringRef("Allow Databricks to use KMS key for DBFS"),
    Effect: pulumi.StringRef("Allow"),
    Principals: []iam.GetPolicyDocumentStatementPrincipal{
    {
    Type: "AWS",
    Identifiers: []string{
    "arn:aws:iam::414351767826:root",
    },
    },
    },
    Actions: []string{
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
    },
    Resources: []string{
    "*",
    },
    },
    {
    Sid: pulumi.StringRef("Allow Databricks to use KMS key for DBFS (Grants)"),
    Effect: pulumi.StringRef("Allow"),
    Principals: []iam.GetPolicyDocumentStatementPrincipal{
    {
    Type: "AWS",
    Identifiers: []string{
    "arn:aws:iam::414351767826:root",
    },
    },
    },
    Actions: []string{
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant",
    },
    Resources: []string{
    "*",
    },
    Conditions: []iam.GetPolicyDocumentStatementCondition{
    {
    Test: "Bool",
    Variable: "kms:GrantIsForAWSResource",
    Values: []string{
    "true",
    },
    },
    },
    },
    {
    Sid: pulumi.StringRef("Allow Databricks to use KMS key for EBS"),
    Effect: pulumi.StringRef("Allow"),
    Principals: []iam.GetPolicyDocumentStatementPrincipal{
    {
    Type: "AWS",
    Identifiers: interface{}{
    databricksCrossAccountRole,
    },
    },
    },
    Actions: []string{
    "kms:Decrypt",
    "kms:GenerateDataKey*",
    "kms:CreateGrant",
    "kms:DescribeKey",
    },
    Resources: []string{
    "*",
    },
    Conditions: []iam.GetPolicyDocumentStatementCondition{
    {
    Test: "ForAnyValue:StringLike",
    Variable: "kms:ViaService",
    Values: []string{
    "ec2.*.amazonaws.com",
    },
    },
    },
    },
    },
    }, nil);
    if err != nil {
    return err
    }
    storageCustomerManagedKey, err := kms.NewKey(ctx, "storage_customer_managed_key", &kms.KeyArgs{
    Policy: pulumi.String(databricksStorageCmk.Json),
    })
    if err != nil {
    return err
    }
    storageCustomerManagedKeyAlias, err := kms.NewAlias(ctx, "storage_customer_managed_key_alias", &kms.AliasArgs{
    Name: pulumi.String("alias/storage-customer-managed-key-alias"),
    TargetKeyId: storageCustomerManagedKey.KeyId,
    })
    if err != nil {
    return err
    }
    _, err = databricks.NewMwsCustomerManagedKeys(ctx, "storage", &databricks.MwsCustomerManagedKeysArgs{
    AccountId: pulumi.Any(databricksAccountId),
    AwsKeyInfo: &databricks.MwsCustomerManagedKeysAwsKeyInfoArgs{
    KeyArn: storageCustomerManagedKey.Arn,
    KeyAlias: storageCustomerManagedKeyAlias.Name,
    },
    UseCases: pulumi.StringArray{
    pulumi.String("STORAGE"),
    },
    })
    if err != nil {
    return err
    }
    return nil
    })
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    using Databricks = Pulumi.Databricks;
    
    return await Deployment.RunAsync(() => 
    {
        var config = new Config();
        // Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
        var databricksAccountId = config.RequireObject<dynamic>("databricksAccountId");
        // AWS ARN for the Databricks cross account role
        var databricksCrossAccountRole = config.RequireObject<dynamic>("databricksCrossAccountRole");
        var current = Aws.GetCallerIdentity.Invoke();
    
        var databricksStorageCmk = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Version = "2012-10-17",
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "Enable IAM User Permissions",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId),
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "kms:*",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "Allow Databricks to use KMS key for DBFS",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                "arn:aws:iam::414351767826:root",
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "kms:Encrypt",
                        "kms:Decrypt",
                        "kms:ReEncrypt*",
                        "kms:GenerateDataKey*",
                        "kms:DescribeKey",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "Allow Databricks to use KMS key for DBFS (Grants)",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                "arn:aws:iam::414351767826:root",
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "kms:CreateGrant",
                        "kms:ListGrants",
                        "kms:RevokeGrant",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                    Conditions = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "Bool",
                            Variable = "kms:GrantIsForAWSResource",
                            Values = new[]
                            {
                                "true",
                            },
                        },
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "Allow Databricks to use KMS key for EBS",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                databricksCrossAccountRole,
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "kms:Decrypt",
                        "kms:GenerateDataKey*",
                        "kms:CreateGrant",
                        "kms:DescribeKey",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                    Conditions = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "ForAnyValue:StringLike",
                            Variable = "kms:ViaService",
                            Values = new[]
                            {
                                "ec2.*.amazonaws.com",
                            },
                        },
                    },
                },
            },
        });
    
        var storageCustomerManagedKey = new Aws.Kms.Key("storage_customer_managed_key", new()
        {
            Policy = databricksStorageCmk.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
        var storageCustomerManagedKeyAlias = new Aws.Kms.Alias("storage_customer_managed_key_alias", new()
        {
            Name = "alias/storage-customer-managed-key-alias",
            TargetKeyId = storageCustomerManagedKey.KeyId,
        });
    
        var storage = new Databricks.MwsCustomerManagedKeys("storage", new()
        {
            AccountId = databricksAccountId,
            AwsKeyInfo = new Databricks.Inputs.MwsCustomerManagedKeysAwsKeyInfoArgs
            {
                KeyArn = storageCustomerManagedKey.Arn,
                KeyAlias = storageCustomerManagedKeyAlias.Name,
            },
            UseCases = new[]
            {
                "STORAGE",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.inputs.GetCallerIdentityArgs;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.kms.Key;
    import com.pulumi.aws.kms.KeyArgs;
    import com.pulumi.aws.kms.Alias;
    import com.pulumi.aws.kms.AliasArgs;
    import com.pulumi.databricks.MwsCustomerManagedKeys;
    import com.pulumi.databricks.MwsCustomerManagedKeysArgs;
    import com.pulumi.databricks.inputs.MwsCustomerManagedKeysAwsKeyInfoArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var config = ctx.config();
            final var databricksAccountId = config.get("databricksAccountId");
            final var databricksCrossAccountRole = config.get("databricksCrossAccountRole");
            final var current = AwsFunctions.getCallerIdentity();
    
            final var databricksStorageCmk = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .version("2012-10-17")
                .statements(            
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Enable IAM User Permissions")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers(current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()))
                            .build())
                        .actions("kms:*")
                        .resources("*")
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Allow Databricks to use KMS key for DBFS")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers("arn:aws:iam::414351767826:root")
                            .build())
                        .actions(                    
                            "kms:Encrypt",
                            "kms:Decrypt",
                            "kms:ReEncrypt*",
                            "kms:GenerateDataKey*",
                            "kms:DescribeKey")
                        .resources("*")
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Allow Databricks to use KMS key for DBFS (Grants)")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers("arn:aws:iam::414351767826:root")
                            .build())
                        .actions(                    
                            "kms:CreateGrant",
                            "kms:ListGrants",
                            "kms:RevokeGrant")
                        .resources("*")
                        .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                            .test("Bool")
                            .variable("kms:GrantIsForAWSResource")
                            .values("true")
                            .build())
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Allow Databricks to use KMS key for EBS")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers(databricksCrossAccountRole)
                            .build())
                        .actions(                    
                            "kms:Decrypt",
                            "kms:GenerateDataKey*",
                            "kms:CreateGrant",
                            "kms:DescribeKey")
                        .resources("*")
                        .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                            .test("ForAnyValue:StringLike")
                            .variable("kms:ViaService")
                            .values("ec2.*.amazonaws.com")
                            .build())
                        .build())
                .build());
    
            var storageCustomerManagedKey = new Key("storageCustomerManagedKey", KeyArgs.builder()
                .policy(databricksStorageCmk.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
            var storageCustomerManagedKeyAlias = new Alias("storageCustomerManagedKeyAlias", AliasArgs.builder()
                .name("alias/storage-customer-managed-key-alias")
                .targetKeyId(storageCustomerManagedKey.keyId())
                .build());
    
            var storage = new MwsCustomerManagedKeys("storage", MwsCustomerManagedKeysArgs.builder()
                .accountId(databricksAccountId)
                .awsKeyInfo(MwsCustomerManagedKeysAwsKeyInfoArgs.builder()
                    .keyArn(storageCustomerManagedKey.arn())
                    .keyAlias(storageCustomerManagedKeyAlias.name())
                    .build())
                .useCases("STORAGE")
                .build());
    
        }
    }
    
    configuration:
      databricksAccountId:
        type: dynamic
      databricksCrossAccountRole:
        type: dynamic
    resources:
      storageCustomerManagedKey:
        type: aws:kms:Key
        name: storage_customer_managed_key
        properties:
          policy: ${databricksStorageCmk.json}
      storageCustomerManagedKeyAlias:
        type: aws:kms:Alias
        name: storage_customer_managed_key_alias
        properties:
          name: alias/storage-customer-managed-key-alias
          targetKeyId: ${storageCustomerManagedKey.keyId}
      storage:
        type: databricks:MwsCustomerManagedKeys
        properties:
          accountId: ${databricksAccountId}
          awsKeyInfo:
            keyArn: ${storageCustomerManagedKey.arn}
            keyAlias: ${storageCustomerManagedKeyAlias.name}
          useCases:
            - STORAGE
    variables:
      current:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
      databricksStorageCmk:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            version: 2012-10-17
            statements:
              - sid: Enable IAM User Permissions
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - ${current.accountId}
                actions:
                  - kms:*
                resources:
                  - '*'
              - sid: Allow Databricks to use KMS key for DBFS
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - arn:aws:iam::414351767826:root
                actions:
                  - kms:Encrypt
                  - kms:Decrypt
                  - kms:ReEncrypt*
                  - kms:GenerateDataKey*
                  - kms:DescribeKey
                resources:
                  - '*'
              - sid: Allow Databricks to use KMS key for DBFS (Grants)
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - arn:aws:iam::414351767826:root
                actions:
                  - kms:CreateGrant
                  - kms:ListGrants
                  - kms:RevokeGrant
                resources:
                  - '*'
                conditions:
                  - test: Bool
                    variable: kms:GrantIsForAWSResource
                    values:
                      - 'true'
              - sid: Allow Databricks to use KMS key for EBS
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - ${databricksCrossAccountRole}
                actions:
                  - kms:Decrypt
                  - kms:GenerateDataKey*
                  - kms:CreateGrant
                  - kms:DescribeKey
                resources:
                  - '*'
                conditions:
                  - test: ForAnyValue:StringLike
                    variable: kms:ViaService
                    values:
                      - ec2.*.amazonaws.com
    

    For GCP

    import * as pulumi from "@pulumi/pulumi";
    import * as databricks from "@pulumi/databricks";
    
    const config = new pulumi.Config();
    // Account Id that could be found in the top right corner of https://accounts.gcp.databricks.com/
    const databricksAccountId = config.requireObject("databricksAccountId");
    // Id of a google_kms_crypto_key
    const cmekResourceId = config.requireObject("cmekResourceId");
    const storage = new databricks.MwsCustomerManagedKeys("storage", {
        accountId: databricksAccountId,
        gcpKeyInfo: {
            kmsKeyId: cmekResourceId,
        },
        useCases: ["STORAGE"],
    });
    
    import pulumi
    import pulumi_databricks as databricks
    
    config = pulumi.Config()
    # Account Id that could be found in the top right corner of https://accounts.gcp.databricks.com/
    databricks_account_id = config.require_object("databricksAccountId")
    # Id of a google_kms_crypto_key
    cmek_resource_id = config.require_object("cmekResourceId")
    storage = databricks.MwsCustomerManagedKeys("storage",
        account_id=databricks_account_id,
        gcp_key_info={
            "kms_key_id": cmek_resource_id,
        },
        use_cases=["STORAGE"])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		cfg := config.New(ctx, "")
    		// Account Id that could be found in the top right corner of https://accounts.gcp.databricks.com/
    		databricksAccountId := cfg.RequireObject("databricksAccountId")
    		// Id of a google_kms_crypto_key
    		cmekResourceId := cfg.RequireObject("cmekResourceId")
    		_, err := databricks.NewMwsCustomerManagedKeys(ctx, "storage", &databricks.MwsCustomerManagedKeysArgs{
    			AccountId: pulumi.Any(databricksAccountId),
    			GcpKeyInfo: &databricks.MwsCustomerManagedKeysGcpKeyInfoArgs{
    				KmsKeyId: pulumi.Any(cmekResourceId),
    			},
    			UseCases: pulumi.StringArray{
    				pulumi.String("STORAGE"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Databricks = Pulumi.Databricks;
    
    return await Deployment.RunAsync(() => 
    {
        var config = new Config();
        // Account Id that could be found in the top right corner of https://accounts.gcp.databricks.com/
        var databricksAccountId = config.RequireObject<dynamic>("databricksAccountId");
        // Id of a google_kms_crypto_key
        var cmekResourceId = config.RequireObject<dynamic>("cmekResourceId");
        var storage = new Databricks.MwsCustomerManagedKeys("storage", new()
        {
            AccountId = databricksAccountId,
            GcpKeyInfo = new Databricks.Inputs.MwsCustomerManagedKeysGcpKeyInfoArgs
            {
                KmsKeyId = cmekResourceId,
            },
            UseCases = new[]
            {
                "STORAGE",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.databricks.MwsCustomerManagedKeys;
    import com.pulumi.databricks.MwsCustomerManagedKeysArgs;
    import com.pulumi.databricks.inputs.MwsCustomerManagedKeysGcpKeyInfoArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var config = ctx.config();
            final var databricksAccountId = config.get("databricksAccountId");
            final var cmekResourceId = config.get("cmekResourceId");
            var storage = new MwsCustomerManagedKeys("storage", MwsCustomerManagedKeysArgs.builder()
                .accountId(databricksAccountId)
                .gcpKeyInfo(MwsCustomerManagedKeysGcpKeyInfoArgs.builder()
                    .kmsKeyId(cmekResourceId)
                    .build())
                .useCases("STORAGE")
                .build());
    
        }
    }
    
    configuration:
      databricksAccountId:
        type: dynamic
      cmekResourceId:
        type: dynamic
    resources:
      storage:
        type: databricks:MwsCustomerManagedKeys
        properties:
          accountId: ${databricksAccountId}
          gcpKeyInfo:
            kmsKeyId: ${cmekResourceId}
          useCases:
            - STORAGE
    

    The following resources are used in the same context:

    • Provisioning Databricks on AWS guide.
    • databricks.MwsCredentials to configure the cross-account role for creation of new workspaces within AWS.
    • databricks.MwsLogDelivery to configure delivery of billable usage logs and audit logs.
    • databricks.MwsNetworks to configure VPC & subnets for new workspaces within AWS.
    • databricks.MwsStorageConfigurations to configure root bucket new workspaces within AWS.
    • databricks.MwsWorkspaces to set up AWS and GCP workspaces.

    Create MwsCustomerManagedKeys Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new MwsCustomerManagedKeys(name: string, args: MwsCustomerManagedKeysArgs, opts?: CustomResourceOptions);
    @overload
    def MwsCustomerManagedKeys(resource_name: str,
                               args: MwsCustomerManagedKeysArgs,
                               opts: Optional[ResourceOptions] = None)
    
    @overload
    def MwsCustomerManagedKeys(resource_name: str,
                               opts: Optional[ResourceOptions] = None,
                               account_id: Optional[str] = None,
                               use_cases: Optional[Sequence[str]] = None,
                               aws_key_info: Optional[MwsCustomerManagedKeysAwsKeyInfoArgs] = None,
                               creation_time: Optional[int] = None,
                               customer_managed_key_id: Optional[str] = None,
                               gcp_key_info: Optional[MwsCustomerManagedKeysGcpKeyInfoArgs] = None)
    func NewMwsCustomerManagedKeys(ctx *Context, name string, args MwsCustomerManagedKeysArgs, opts ...ResourceOption) (*MwsCustomerManagedKeys, error)
    public MwsCustomerManagedKeys(string name, MwsCustomerManagedKeysArgs args, CustomResourceOptions? opts = null)
    public MwsCustomerManagedKeys(String name, MwsCustomerManagedKeysArgs args)
    public MwsCustomerManagedKeys(String name, MwsCustomerManagedKeysArgs args, CustomResourceOptions options)
    
    type: databricks:MwsCustomerManagedKeys
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args MwsCustomerManagedKeysArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args MwsCustomerManagedKeysArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args MwsCustomerManagedKeysArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args MwsCustomerManagedKeysArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args MwsCustomerManagedKeysArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var mwsCustomerManagedKeysResource = new Databricks.MwsCustomerManagedKeys("mwsCustomerManagedKeysResource", new()
    {
        AccountId = "string",
        UseCases = new[]
        {
            "string",
        },
        AwsKeyInfo = new Databricks.Inputs.MwsCustomerManagedKeysAwsKeyInfoArgs
        {
            KeyArn = "string",
            KeyAlias = "string",
            KeyRegion = "string",
        },
        CreationTime = 0,
        CustomerManagedKeyId = "string",
        GcpKeyInfo = new Databricks.Inputs.MwsCustomerManagedKeysGcpKeyInfoArgs
        {
            KmsKeyId = "string",
        },
    });
    
    example, err := databricks.NewMwsCustomerManagedKeys(ctx, "mwsCustomerManagedKeysResource", &databricks.MwsCustomerManagedKeysArgs{
    	AccountId: pulumi.String("string"),
    	UseCases: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AwsKeyInfo: &databricks.MwsCustomerManagedKeysAwsKeyInfoArgs{
    		KeyArn:    pulumi.String("string"),
    		KeyAlias:  pulumi.String("string"),
    		KeyRegion: pulumi.String("string"),
    	},
    	CreationTime:         pulumi.Int(0),
    	CustomerManagedKeyId: pulumi.String("string"),
    	GcpKeyInfo: &databricks.MwsCustomerManagedKeysGcpKeyInfoArgs{
    		KmsKeyId: pulumi.String("string"),
    	},
    })
    
    var mwsCustomerManagedKeysResource = new MwsCustomerManagedKeys("mwsCustomerManagedKeysResource", MwsCustomerManagedKeysArgs.builder()
        .accountId("string")
        .useCases("string")
        .awsKeyInfo(MwsCustomerManagedKeysAwsKeyInfoArgs.builder()
            .keyArn("string")
            .keyAlias("string")
            .keyRegion("string")
            .build())
        .creationTime(0)
        .customerManagedKeyId("string")
        .gcpKeyInfo(MwsCustomerManagedKeysGcpKeyInfoArgs.builder()
            .kmsKeyId("string")
            .build())
        .build());
    
    mws_customer_managed_keys_resource = databricks.MwsCustomerManagedKeys("mwsCustomerManagedKeysResource",
        account_id="string",
        use_cases=["string"],
        aws_key_info={
            "key_arn": "string",
            "key_alias": "string",
            "key_region": "string",
        },
        creation_time=0,
        customer_managed_key_id="string",
        gcp_key_info={
            "kms_key_id": "string",
        })
    
    const mwsCustomerManagedKeysResource = new databricks.MwsCustomerManagedKeys("mwsCustomerManagedKeysResource", {
        accountId: "string",
        useCases: ["string"],
        awsKeyInfo: {
            keyArn: "string",
            keyAlias: "string",
            keyRegion: "string",
        },
        creationTime: 0,
        customerManagedKeyId: "string",
        gcpKeyInfo: {
            kmsKeyId: "string",
        },
    });
    
    type: databricks:MwsCustomerManagedKeys
    properties:
        accountId: string
        awsKeyInfo:
            keyAlias: string
            keyArn: string
            keyRegion: string
        creationTime: 0
        customerManagedKeyId: string
        gcpKeyInfo:
            kmsKeyId: string
        useCases:
            - string
    

    MwsCustomerManagedKeys Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The MwsCustomerManagedKeys resource accepts the following input properties:

    AccountId string
    Account Id that could be found in the top right corner of Accounts Console
    UseCases List<string>
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:

    • MANAGED_SERVICES - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
    • STORAGE - for encryption of the DBFS Storage & Cluster EBS Volumes
    AwsKeyInfo MwsCustomerManagedKeysAwsKeyInfo
    This field is a block and is documented below. This conflicts with gcp_key_info
    CreationTime int
    (Integer) Time in epoch milliseconds when the customer key was created.
    CustomerManagedKeyId string
    (String) ID of the encryption key configuration object.
    GcpKeyInfo MwsCustomerManagedKeysGcpKeyInfo
    This field is a block and is documented below. This conflicts with aws_key_info
    AccountId string
    Account Id that could be found in the top right corner of Accounts Console
    UseCases []string
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:

    • MANAGED_SERVICES - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
    • STORAGE - for encryption of the DBFS Storage & Cluster EBS Volumes
    AwsKeyInfo MwsCustomerManagedKeysAwsKeyInfoArgs
    This field is a block and is documented below. This conflicts with gcp_key_info
    CreationTime int
    (Integer) Time in epoch milliseconds when the customer key was created.
    CustomerManagedKeyId string
    (String) ID of the encryption key configuration object.
    GcpKeyInfo MwsCustomerManagedKeysGcpKeyInfoArgs
    This field is a block and is documented below. This conflicts with aws_key_info
    accountId String
    Account Id that could be found in the top right corner of Accounts Console
    useCases List<String>
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:

    • MANAGED_SERVICES - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
    • STORAGE - for encryption of the DBFS Storage & Cluster EBS Volumes
    awsKeyInfo MwsCustomerManagedKeysAwsKeyInfo
    This field is a block and is documented below. This conflicts with gcp_key_info
    creationTime Integer
    (Integer) Time in epoch milliseconds when the customer key was created.
    customerManagedKeyId String
    (String) ID of the encryption key configuration object.
    gcpKeyInfo MwsCustomerManagedKeysGcpKeyInfo
    This field is a block and is documented below. This conflicts with aws_key_info
    accountId string
    Account Id that could be found in the top right corner of Accounts Console
    useCases string[]
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:

    • MANAGED_SERVICES - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
    • STORAGE - for encryption of the DBFS Storage & Cluster EBS Volumes
    awsKeyInfo MwsCustomerManagedKeysAwsKeyInfo
    This field is a block and is documented below. This conflicts with gcp_key_info
    creationTime number
    (Integer) Time in epoch milliseconds when the customer key was created.
    customerManagedKeyId string
    (String) ID of the encryption key configuration object.
    gcpKeyInfo MwsCustomerManagedKeysGcpKeyInfo
    This field is a block and is documented below. This conflicts with aws_key_info
    account_id str
    Account Id that could be found in the top right corner of Accounts Console
    use_cases Sequence[str]
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:

    • MANAGED_SERVICES - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
    • STORAGE - for encryption of the DBFS Storage & Cluster EBS Volumes
    aws_key_info MwsCustomerManagedKeysAwsKeyInfoArgs
    This field is a block and is documented below. This conflicts with gcp_key_info
    creation_time int
    (Integer) Time in epoch milliseconds when the customer key was created.
    customer_managed_key_id str
    (String) ID of the encryption key configuration object.
    gcp_key_info MwsCustomerManagedKeysGcpKeyInfoArgs
    This field is a block and is documented below. This conflicts with aws_key_info
    accountId String
    Account Id that could be found in the top right corner of Accounts Console
    useCases List<String>
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:

    • MANAGED_SERVICES - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
    • STORAGE - for encryption of the DBFS Storage & Cluster EBS Volumes
    awsKeyInfo Property Map
    This field is a block and is documented below. This conflicts with gcp_key_info
    creationTime Number
    (Integer) Time in epoch milliseconds when the customer key was created.
    customerManagedKeyId String
    (String) ID of the encryption key configuration object.
    gcpKeyInfo Property Map
    This field is a block and is documented below. This conflicts with aws_key_info

    Outputs

    All input properties are implicitly available as output properties. Additionally, the MwsCustomerManagedKeys resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing MwsCustomerManagedKeys Resource

    Get an existing MwsCustomerManagedKeys resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: MwsCustomerManagedKeysState, opts?: CustomResourceOptions): MwsCustomerManagedKeys
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            account_id: Optional[str] = None,
            aws_key_info: Optional[MwsCustomerManagedKeysAwsKeyInfoArgs] = None,
            creation_time: Optional[int] = None,
            customer_managed_key_id: Optional[str] = None,
            gcp_key_info: Optional[MwsCustomerManagedKeysGcpKeyInfoArgs] = None,
            use_cases: Optional[Sequence[str]] = None) -> MwsCustomerManagedKeys
    func GetMwsCustomerManagedKeys(ctx *Context, name string, id IDInput, state *MwsCustomerManagedKeysState, opts ...ResourceOption) (*MwsCustomerManagedKeys, error)
    public static MwsCustomerManagedKeys Get(string name, Input<string> id, MwsCustomerManagedKeysState? state, CustomResourceOptions? opts = null)
    public static MwsCustomerManagedKeys get(String name, Output<String> id, MwsCustomerManagedKeysState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccountId string
    Account Id that could be found in the top right corner of Accounts Console
    AwsKeyInfo MwsCustomerManagedKeysAwsKeyInfo
    This field is a block and is documented below. This conflicts with gcp_key_info
    CreationTime int
    (Integer) Time in epoch milliseconds when the customer key was created.
    CustomerManagedKeyId string
    (String) ID of the encryption key configuration object.
    GcpKeyInfo MwsCustomerManagedKeysGcpKeyInfo
    This field is a block and is documented below. This conflicts with aws_key_info
    UseCases List<string>
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:

    • MANAGED_SERVICES - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
    • STORAGE - for encryption of the DBFS Storage & Cluster EBS Volumes
    AccountId string
    Account Id that could be found in the top right corner of Accounts Console
    AwsKeyInfo MwsCustomerManagedKeysAwsKeyInfoArgs
    This field is a block and is documented below. This conflicts with gcp_key_info
    CreationTime int
    (Integer) Time in epoch milliseconds when the customer key was created.
    CustomerManagedKeyId string
    (String) ID of the encryption key configuration object.
    GcpKeyInfo MwsCustomerManagedKeysGcpKeyInfoArgs
    This field is a block and is documented below. This conflicts with aws_key_info
    UseCases []string
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:

    • MANAGED_SERVICES - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
    • STORAGE - for encryption of the DBFS Storage & Cluster EBS Volumes
    accountId String
    Account Id that could be found in the top right corner of Accounts Console
    awsKeyInfo MwsCustomerManagedKeysAwsKeyInfo
    This field is a block and is documented below. This conflicts with gcp_key_info
    creationTime Integer
    (Integer) Time in epoch milliseconds when the customer key was created.
    customerManagedKeyId String
    (String) ID of the encryption key configuration object.
    gcpKeyInfo MwsCustomerManagedKeysGcpKeyInfo
    This field is a block and is documented below. This conflicts with aws_key_info
    useCases List<String>
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:

    • MANAGED_SERVICES - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
    • STORAGE - for encryption of the DBFS Storage & Cluster EBS Volumes
    accountId string
    Account Id that could be found in the top right corner of Accounts Console
    awsKeyInfo MwsCustomerManagedKeysAwsKeyInfo
    This field is a block and is documented below. This conflicts with gcp_key_info
    creationTime number
    (Integer) Time in epoch milliseconds when the customer key was created.
    customerManagedKeyId string
    (String) ID of the encryption key configuration object.
    gcpKeyInfo MwsCustomerManagedKeysGcpKeyInfo
    This field is a block and is documented below. This conflicts with aws_key_info
    useCases string[]
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:

    • MANAGED_SERVICES - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
    • STORAGE - for encryption of the DBFS Storage & Cluster EBS Volumes
    account_id str
    Account Id that could be found in the top right corner of Accounts Console
    aws_key_info MwsCustomerManagedKeysAwsKeyInfoArgs
    This field is a block and is documented below. This conflicts with gcp_key_info
    creation_time int
    (Integer) Time in epoch milliseconds when the customer key was created.
    customer_managed_key_id str
    (String) ID of the encryption key configuration object.
    gcp_key_info MwsCustomerManagedKeysGcpKeyInfoArgs
    This field is a block and is documented below. This conflicts with aws_key_info
    use_cases Sequence[str]
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:

    • MANAGED_SERVICES - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
    • STORAGE - for encryption of the DBFS Storage & Cluster EBS Volumes
    accountId String
    Account Id that could be found in the top right corner of Accounts Console
    awsKeyInfo Property Map
    This field is a block and is documented below. This conflicts with gcp_key_info
    creationTime Number
    (Integer) Time in epoch milliseconds when the customer key was created.
    customerManagedKeyId String
    (String) ID of the encryption key configuration object.
    gcpKeyInfo Property Map
    This field is a block and is documented below. This conflicts with aws_key_info
    useCases List<String>
    (since v0.3.4) List of use cases for which this key will be used. If you've used the resource before, please add use_cases = ["MANAGED_SERVICES"] to keep the previous behaviour. Possible values are:

    • MANAGED_SERVICES - for encryption of the workspace objects (notebooks, secrets) that are stored in the control plane
    • STORAGE - for encryption of the DBFS Storage & Cluster EBS Volumes

    Supporting Types

    MwsCustomerManagedKeysAwsKeyInfo, MwsCustomerManagedKeysAwsKeyInfoArgs

    KeyArn string
    The AWS KMS key's Amazon Resource Name (ARN).
    KeyAlias string
    The AWS KMS key alias.
    KeyRegion string
    (Computed) The AWS region in which KMS key is deployed to. This is not required.
    KeyArn string
    The AWS KMS key's Amazon Resource Name (ARN).
    KeyAlias string
    The AWS KMS key alias.
    KeyRegion string
    (Computed) The AWS region in which KMS key is deployed to. This is not required.
    keyArn String
    The AWS KMS key's Amazon Resource Name (ARN).
    keyAlias String
    The AWS KMS key alias.
    keyRegion String
    (Computed) The AWS region in which KMS key is deployed to. This is not required.
    keyArn string
    The AWS KMS key's Amazon Resource Name (ARN).
    keyAlias string
    The AWS KMS key alias.
    keyRegion string
    (Computed) The AWS region in which KMS key is deployed to. This is not required.
    key_arn str
    The AWS KMS key's Amazon Resource Name (ARN).
    key_alias str
    The AWS KMS key alias.
    key_region str
    (Computed) The AWS region in which KMS key is deployed to. This is not required.
    keyArn String
    The AWS KMS key's Amazon Resource Name (ARN).
    keyAlias String
    The AWS KMS key alias.
    keyRegion String
    (Computed) The AWS region in which KMS key is deployed to. This is not required.

    MwsCustomerManagedKeysGcpKeyInfo, MwsCustomerManagedKeysGcpKeyInfoArgs

    KmsKeyId string
    The GCP KMS key's resource name.
    KmsKeyId string
    The GCP KMS key's resource name.
    kmsKeyId String
    The GCP KMS key's resource name.
    kmsKeyId string
    The GCP KMS key's resource name.
    kms_key_id str
    The GCP KMS key's resource name.
    kmsKeyId String
    The GCP KMS key's resource name.

    Import

    !> Importing this resource is not currently supported.

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    databricks pulumi/pulumi-databricks
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the databricks Terraform Provider.
    databricks logo
    Databricks v1.56.0 published on Tuesday, Nov 12, 2024 by Pulumi