databricks.getAwsCrossAccountPolicy

Databricks v1.90.0, Mar 19 26

Viewing docs for Databricks v1.90.0
published on Thursday, Mar 19, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-databricks

Viewing docs for Databricks v1.90.0
published on Thursday, Mar 19, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-databricks

Example Usage

For more detailed usage please see databricks.getAwsAssumeRolePolicy or databricks_aws_s3_mount pages.

import * as pulumi from "@pulumi/pulumi";
import * as databricks from "@pulumi/databricks";

const _this = databricks.getAwsCrossAccountPolicy({});

import pulumi
import pulumi_databricks as databricks

this = databricks.get_aws_cross_account_policy()

package main

import (
	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := databricks.GetAwsCrossAccountPolicy(ctx, &databricks.GetAwsCrossAccountPolicyArgs{}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Databricks = Pulumi.Databricks;

return await Deployment.RunAsync(() => 
{
    var @this = Databricks.GetAwsCrossAccountPolicy.Invoke();

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetAwsCrossAccountPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var this = DatabricksFunctions.getAwsCrossAccountPolicy(GetAwsCrossAccountPolicyArgs.builder()
            .build());

    }
}

variables:
  this:
    fn::invoke:
      function: databricks:getAwsCrossAccountPolicy
      arguments: {}

The following resources are used in the same context:

Provisioning AWS Databricks workspaces with a Hub & Spoke firewall for data exfiltration protection guide
databricks.getAwsAssumeRolePolicy data to construct the necessary AWS STS assume role policy.
databricks.getAwsBucketPolicy data to configure a simple access policy for AWS S3 buckets, so that Databricks can access data in it.
databricks.InstanceProfile to manage AWS EC2 instance profiles that users can launch databricks.Cluster and access data, like databricks_mount.

Using getAwsCrossAccountPolicy

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getAwsCrossAccountPolicy(args: GetAwsCrossAccountPolicyArgs, opts?: InvokeOptions): Promise<GetAwsCrossAccountPolicyResult>
function getAwsCrossAccountPolicyOutput(args: GetAwsCrossAccountPolicyOutputArgs, opts?: InvokeOptions): Output<GetAwsCrossAccountPolicyResult>

def get_aws_cross_account_policy(aws_account_id: Optional[str] = None,
                                 aws_partition: Optional[str] = None,
                                 pass_roles: Optional[Sequence[str]] = None,
                                 policy_type: Optional[str] = None,
                                 region: Optional[str] = None,
                                 security_group_id: Optional[str] = None,
                                 vpc_id: Optional[str] = None,
                                 opts: Optional[InvokeOptions] = None) -> GetAwsCrossAccountPolicyResult
def get_aws_cross_account_policy_output(aws_account_id: Optional[pulumi.Input[str]] = None,
                                 aws_partition: Optional[pulumi.Input[str]] = None,
                                 pass_roles: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                                 policy_type: Optional[pulumi.Input[str]] = None,
                                 region: Optional[pulumi.Input[str]] = None,
                                 security_group_id: Optional[pulumi.Input[str]] = None,
                                 vpc_id: Optional[pulumi.Input[str]] = None,
                                 opts: Optional[InvokeOptions] = None) -> Output[GetAwsCrossAccountPolicyResult]

func GetAwsCrossAccountPolicy(ctx *Context, args *GetAwsCrossAccountPolicyArgs, opts ...InvokeOption) (*GetAwsCrossAccountPolicyResult, error)
func GetAwsCrossAccountPolicyOutput(ctx *Context, args *GetAwsCrossAccountPolicyOutputArgs, opts ...InvokeOption) GetAwsCrossAccountPolicyResultOutput

> Note: This function is named GetAwsCrossAccountPolicy in the Go SDK.

public static class GetAwsCrossAccountPolicy 
{
    public static Task<GetAwsCrossAccountPolicyResult> InvokeAsync(GetAwsCrossAccountPolicyArgs args, InvokeOptions? opts = null)
    public static Output<GetAwsCrossAccountPolicyResult> Invoke(GetAwsCrossAccountPolicyInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetAwsCrossAccountPolicyResult> getAwsCrossAccountPolicy(GetAwsCrossAccountPolicyArgs args, InvokeOptions options)
public static Output<GetAwsCrossAccountPolicyResult> getAwsCrossAccountPolicy(GetAwsCrossAccountPolicyArgs args, InvokeOptions options)

fn::invoke:
  function: databricks:index/getAwsCrossAccountPolicy:getAwsCrossAccountPolicy
  arguments:
    # arguments dictionary

The following arguments are supported:

AwsAccountId string: — Your AWS account ID, which is a number.
AwsPartition string: AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws
PassRoles List<string>: List of Data IAM role ARNs that are explicitly granted iam:PassRole action. The below arguments are only valid for restricted policy type
PolicyType string: The type of cross account policy to generated: managed for Databricks-managed VPC and customer for customer-managed VPC, restricted for customer-managed VPC with policy restrictions
Region string: — AWS Region name for your VPC deployment, for example us-west-2.
SecurityGroupId string: — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (credentials_id) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects.
VpcId string: — ID of the AWS VPC where you want to launch workspaces.

AwsAccountId string: — Your AWS account ID, which is a number.
AwsPartition string: AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws
PassRoles []string: List of Data IAM role ARNs that are explicitly granted iam:PassRole action. The below arguments are only valid for restricted policy type
PolicyType string: The type of cross account policy to generated: managed for Databricks-managed VPC and customer for customer-managed VPC, restricted for customer-managed VPC with policy restrictions
Region string: — AWS Region name for your VPC deployment, for example us-west-2.
SecurityGroupId string: — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (credentials_id) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects.
VpcId string: — ID of the AWS VPC where you want to launch workspaces.

awsAccountId String: — Your AWS account ID, which is a number.
awsPartition String: AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws
passRoles List<String>: List of Data IAM role ARNs that are explicitly granted iam:PassRole action. The below arguments are only valid for restricted policy type
policyType String: The type of cross account policy to generated: managed for Databricks-managed VPC and customer for customer-managed VPC, restricted for customer-managed VPC with policy restrictions
region String: — AWS Region name for your VPC deployment, for example us-west-2.
securityGroupId String: — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (credentials_id) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects.
vpcId String: — ID of the AWS VPC where you want to launch workspaces.

awsAccountId string: — Your AWS account ID, which is a number.
awsPartition string: AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws
passRoles string[]: List of Data IAM role ARNs that are explicitly granted iam:PassRole action. The below arguments are only valid for restricted policy type
policyType string: The type of cross account policy to generated: managed for Databricks-managed VPC and customer for customer-managed VPC, restricted for customer-managed VPC with policy restrictions
region string: — AWS Region name for your VPC deployment, for example us-west-2.
securityGroupId string: — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (credentials_id) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects.
vpcId string: — ID of the AWS VPC where you want to launch workspaces.

aws_account_id str: — Your AWS account ID, which is a number.
aws_partition str: AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws
pass_roles Sequence[str]: List of Data IAM role ARNs that are explicitly granted iam:PassRole action. The below arguments are only valid for restricted policy type
policy_type str: The type of cross account policy to generated: managed for Databricks-managed VPC and customer for customer-managed VPC, restricted for customer-managed VPC with policy restrictions
region str: — AWS Region name for your VPC deployment, for example us-west-2.
security_group_id str: — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (credentials_id) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects.
vpc_id str: — ID of the AWS VPC where you want to launch workspaces.

awsAccountId String: — Your AWS account ID, which is a number.
awsPartition String: AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws
passRoles List<String>: List of Data IAM role ARNs that are explicitly granted iam:PassRole action. The below arguments are only valid for restricted policy type
policyType String: The type of cross account policy to generated: managed for Databricks-managed VPC and customer for customer-managed VPC, restricted for customer-managed VPC with policy restrictions
region String: — AWS Region name for your VPC deployment, for example us-west-2.
securityGroupId String: — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (credentials_id) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects.
vpcId String: — ID of the AWS VPC where you want to launch workspaces.

getAwsCrossAccountPolicy Result

The following output properties are available:

Id string: The provider-assigned unique ID for this managed resource.
Json string: AWS IAM Policy JSON document
AwsAccountId string
AwsPartition string
PassRoles List<string>
PolicyType string
Region string
SecurityGroupId string
VpcId string

Id string: The provider-assigned unique ID for this managed resource.
Json string: AWS IAM Policy JSON document
AwsAccountId string
AwsPartition string
PassRoles []string
PolicyType string
Region string
SecurityGroupId string
VpcId string

id String: The provider-assigned unique ID for this managed resource.
json String: AWS IAM Policy JSON document
awsAccountId String
awsPartition String
passRoles List<String>
policyType String
region String
securityGroupId String
vpcId String

id string: The provider-assigned unique ID for this managed resource.
json string: AWS IAM Policy JSON document
awsAccountId string
awsPartition string
passRoles string[]
policyType string
region string
securityGroupId string
vpcId string

id str: The provider-assigned unique ID for this managed resource.
json str: AWS IAM Policy JSON document
aws_account_id str
aws_partition str
pass_roles Sequence[str]
policy_type str
region str
security_group_id str
vpc_id str

id String: The provider-assigned unique ID for this managed resource.
json String: AWS IAM Policy JSON document
awsAccountId String
awsPartition String
passRoles List<String>
policyType String
region String
securityGroupId String
vpcId String

Package Details

Repository: databricks pulumi/pulumi-databricks
License: Apache-2.0
Notes: This Pulumi package is based on the databricks Terraform Provider.

Viewing docs for Databricks v1.90.0
published on Thursday, Mar 19, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-databricks

databricks.getAwsCrossAccountPolicy

On this page

On this page

Example Usage

Using getAwsCrossAccountPolicy

getAwsCrossAccountPolicy Result

Package Details

On this page

On this page

databricks.getAwsCrossAccountPolicy

On this page

On this page

Example Usage

Related Resources

Using getAwsCrossAccountPolicy

getAwsCrossAccountPolicy Result

Package Details

On this page

On this page