Databricks v1.75.0, Sep 11 25

Databricks v1.75.0 published on Thursday, Sep 11, 2025 by Pulumi

databricks.ServicePrincipalFederationPolicy

Explore with Pulumi AI

Databricks v1.75.0 published on Thursday, Sep 11, 2025 by Pulumi

Service principal federation policies allow automated workloads running outside of Databricks to access Databricks APIs without the need for Databricks secrets. Your application (workload) authenticates to Databricks as a Databricks service principal using tokens issued by the workload runtime, for example Github Actions.

A service principal federation policy is associated with a service principal in your Databricks account, and specifies:

The identity provider (or issuer) from which the service principal can authenticate.
The workload identity (or subject) that is permitted to authenticate as the Databricks service principal.

Example Usage

Example coming soon!

Example coming soon!

Example coming soon!

Example coming soon!

Example coming soon!

resources:
  this:
    type: databricks:ServicePrincipalFederationPolicy
    properties:
      servicePrincipalId: 1234
      policyId: my-policy
      oidcPolicy:
        issuer: https://myidp.example.com
        subject_claim: sub
        subject: subject-in-token-from-myidp

Create ServicePrincipalFederationPolicy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ServicePrincipalFederationPolicy(name: string, args?: ServicePrincipalFederationPolicyArgs, opts?: CustomResourceOptions);

@overload
def ServicePrincipalFederationPolicy(resource_name: str,
                                     args: Optional[ServicePrincipalFederationPolicyArgs] = None,
                                     opts: Optional[ResourceOptions] = None)

@overload
def ServicePrincipalFederationPolicy(resource_name: str,
                                     opts: Optional[ResourceOptions] = None,
                                     description: Optional[str] = None,
                                     oidc_policy: Optional[ServicePrincipalFederationPolicyOidcPolicyArgs] = None,
                                     policy_id: Optional[str] = None,
                                     service_principal_id: Optional[int] = None)

func NewServicePrincipalFederationPolicy(ctx *Context, name string, args *ServicePrincipalFederationPolicyArgs, opts ...ResourceOption) (*ServicePrincipalFederationPolicy, error)

public ServicePrincipalFederationPolicy(string name, ServicePrincipalFederationPolicyArgs? args = null, CustomResourceOptions? opts = null)

public ServicePrincipalFederationPolicy(String name, ServicePrincipalFederationPolicyArgs args)
public ServicePrincipalFederationPolicy(String name, ServicePrincipalFederationPolicyArgs args, CustomResourceOptions options)

type: databricks:ServicePrincipalFederationPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ServicePrincipalFederationPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ServicePrincipalFederationPolicyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ServicePrincipalFederationPolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ServicePrincipalFederationPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ServicePrincipalFederationPolicyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var servicePrincipalFederationPolicyResource = new Databricks.ServicePrincipalFederationPolicy("servicePrincipalFederationPolicyResource", new()
{
    Description = "string",
    OidcPolicy = new Databricks.Inputs.ServicePrincipalFederationPolicyOidcPolicyArgs
    {
        Audiences = new[]
        {
            "string",
        },
        Issuer = "string",
        JwksJson = "string",
        JwksUri = "string",
        Subject = "string",
        SubjectClaim = "string",
    },
    PolicyId = "string",
    ServicePrincipalId = 0,
});

example, err := databricks.NewServicePrincipalFederationPolicy(ctx, "servicePrincipalFederationPolicyResource", &databricks.ServicePrincipalFederationPolicyArgs{
	Description: pulumi.String("string"),
	OidcPolicy: &databricks.ServicePrincipalFederationPolicyOidcPolicyArgs{
		Audiences: pulumi.StringArray{
			pulumi.String("string"),
		},
		Issuer:       pulumi.String("string"),
		JwksJson:     pulumi.String("string"),
		JwksUri:      pulumi.String("string"),
		Subject:      pulumi.String("string"),
		SubjectClaim: pulumi.String("string"),
	},
	PolicyId:           pulumi.String("string"),
	ServicePrincipalId: pulumi.Int(0),
})

var servicePrincipalFederationPolicyResource = new ServicePrincipalFederationPolicy("servicePrincipalFederationPolicyResource", ServicePrincipalFederationPolicyArgs.builder()
    .description("string")
    .oidcPolicy(ServicePrincipalFederationPolicyOidcPolicyArgs.builder()
        .audiences("string")
        .issuer("string")
        .jwksJson("string")
        .jwksUri("string")
        .subject("string")
        .subjectClaim("string")
        .build())
    .policyId("string")
    .servicePrincipalId(0)
    .build());

service_principal_federation_policy_resource = databricks.ServicePrincipalFederationPolicy("servicePrincipalFederationPolicyResource",
    description="string",
    oidc_policy={
        "audiences": ["string"],
        "issuer": "string",
        "jwks_json": "string",
        "jwks_uri": "string",
        "subject": "string",
        "subject_claim": "string",
    },
    policy_id="string",
    service_principal_id=0)

const servicePrincipalFederationPolicyResource = new databricks.ServicePrincipalFederationPolicy("servicePrincipalFederationPolicyResource", {
    description: "string",
    oidcPolicy: {
        audiences: ["string"],
        issuer: "string",
        jwksJson: "string",
        jwksUri: "string",
        subject: "string",
        subjectClaim: "string",
    },
    policyId: "string",
    servicePrincipalId: 0,
});

type: databricks:ServicePrincipalFederationPolicy
properties:
    description: string
    oidcPolicy:
        audiences:
            - string
        issuer: string
        jwksJson: string
        jwksUri: string
        subject: string
        subjectClaim: string
    policyId: string
    servicePrincipalId: 0

ServicePrincipalFederationPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ServicePrincipalFederationPolicy resource accepts the following input properties:

Description string: Description of the federation policy
OidcPolicy ServicePrincipalFederationPolicyOidcPolicy
PolicyId string: (string) - The ID of the federation policy
ServicePrincipalId int: (integer) - The service principal ID that this federation policy applies to. Only set for service principal federation policies

Description string: Description of the federation policy
OidcPolicy ServicePrincipalFederationPolicyOidcPolicyArgs
PolicyId string: (string) - The ID of the federation policy
ServicePrincipalId int: (integer) - The service principal ID that this federation policy applies to. Only set for service principal federation policies

description String: Description of the federation policy
oidcPolicy ServicePrincipalFederationPolicyOidcPolicy
policyId String: (string) - The ID of the federation policy
servicePrincipalId Integer: (integer) - The service principal ID that this federation policy applies to. Only set for service principal federation policies

description string: Description of the federation policy
oidcPolicy ServicePrincipalFederationPolicyOidcPolicy
policyId string: (string) - The ID of the federation policy
servicePrincipalId number: (integer) - The service principal ID that this federation policy applies to. Only set for service principal federation policies

description str: Description of the federation policy
oidc_policy ServicePrincipalFederationPolicyOidcPolicyArgs
policy_id str: (string) - The ID of the federation policy
service_principal_id int: (integer) - The service principal ID that this federation policy applies to. Only set for service principal federation policies

description String: Description of the federation policy
oidcPolicy Property Map
policyId String: (string) - The ID of the federation policy
servicePrincipalId Number: (integer) - The service principal ID that this federation policy applies to. Only set for service principal federation policies

Outputs

All input properties are implicitly available as output properties. Additionally, the ServicePrincipalFederationPolicy resource produces the following output properties:

CreateTime string: (string) - Creation time of the federation policy
Id string: The provider-assigned unique ID for this managed resource.
Name string: (string) - Resource name for the federation policy. Example values include accounts/<account-id>/federationPolicies/my-federation-policy for Account Federation Policies, and accounts/<account-id>/servicePrincipals/<service-principal-id>/federationPolicies/my-federation-policy for Service Principal Federation Policies. Typically an output parameter, which does not need to be specified in create or update requests. If specified in a request, must match the value in the request URL
Uid string: (string) - Unique, immutable id of the federation policy
UpdateTime string: (string) - Last update time of the federation policy

CreateTime string: (string) - Creation time of the federation policy
Id string: The provider-assigned unique ID for this managed resource.
Name string: (string) - Resource name for the federation policy. Example values include accounts/<account-id>/federationPolicies/my-federation-policy for Account Federation Policies, and accounts/<account-id>/servicePrincipals/<service-principal-id>/federationPolicies/my-federation-policy for Service Principal Federation Policies. Typically an output parameter, which does not need to be specified in create or update requests. If specified in a request, must match the value in the request URL
Uid string: (string) - Unique, immutable id of the federation policy
UpdateTime string: (string) - Last update time of the federation policy

createTime String: (string) - Creation time of the federation policy
id String: The provider-assigned unique ID for this managed resource.
name String: (string) - Resource name for the federation policy. Example values include accounts/<account-id>/federationPolicies/my-federation-policy for Account Federation Policies, and accounts/<account-id>/servicePrincipals/<service-principal-id>/federationPolicies/my-federation-policy for Service Principal Federation Policies. Typically an output parameter, which does not need to be specified in create or update requests. If specified in a request, must match the value in the request URL
uid String: (string) - Unique, immutable id of the federation policy
updateTime String: (string) - Last update time of the federation policy

createTime string: (string) - Creation time of the federation policy
id string: The provider-assigned unique ID for this managed resource.
name string: (string) - Resource name for the federation policy. Example values include accounts/<account-id>/federationPolicies/my-federation-policy for Account Federation Policies, and accounts/<account-id>/servicePrincipals/<service-principal-id>/federationPolicies/my-federation-policy for Service Principal Federation Policies. Typically an output parameter, which does not need to be specified in create or update requests. If specified in a request, must match the value in the request URL
uid string: (string) - Unique, immutable id of the federation policy
updateTime string: (string) - Last update time of the federation policy

create_time str: (string) - Creation time of the federation policy
id str: The provider-assigned unique ID for this managed resource.
name str: (string) - Resource name for the federation policy. Example values include accounts/<account-id>/federationPolicies/my-federation-policy for Account Federation Policies, and accounts/<account-id>/servicePrincipals/<service-principal-id>/federationPolicies/my-federation-policy for Service Principal Federation Policies. Typically an output parameter, which does not need to be specified in create or update requests. If specified in a request, must match the value in the request URL
uid str: (string) - Unique, immutable id of the federation policy
update_time str: (string) - Last update time of the federation policy

createTime String: (string) - Creation time of the federation policy
id String: The provider-assigned unique ID for this managed resource.
name String: (string) - Resource name for the federation policy. Example values include accounts/<account-id>/federationPolicies/my-federation-policy for Account Federation Policies, and accounts/<account-id>/servicePrincipals/<service-principal-id>/federationPolicies/my-federation-policy for Service Principal Federation Policies. Typically an output parameter, which does not need to be specified in create or update requests. If specified in a request, must match the value in the request URL
uid String: (string) - Unique, immutable id of the federation policy
updateTime String: (string) - Last update time of the federation policy

Look up Existing ServicePrincipalFederationPolicy Resource

Get an existing ServicePrincipalFederationPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ServicePrincipalFederationPolicyState, opts?: CustomResourceOptions): ServicePrincipalFederationPolicy

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        create_time: Optional[str] = None,
        description: Optional[str] = None,
        name: Optional[str] = None,
        oidc_policy: Optional[ServicePrincipalFederationPolicyOidcPolicyArgs] = None,
        policy_id: Optional[str] = None,
        service_principal_id: Optional[int] = None,
        uid: Optional[str] = None,
        update_time: Optional[str] = None) -> ServicePrincipalFederationPolicy

func GetServicePrincipalFederationPolicy(ctx *Context, name string, id IDInput, state *ServicePrincipalFederationPolicyState, opts ...ResourceOption) (*ServicePrincipalFederationPolicy, error)

public static ServicePrincipalFederationPolicy Get(string name, Input<string> id, ServicePrincipalFederationPolicyState? state, CustomResourceOptions? opts = null)

public static ServicePrincipalFederationPolicy get(String name, Output<String> id, ServicePrincipalFederationPolicyState state, CustomResourceOptions options)

resources:  _:    type: databricks:ServicePrincipalFederationPolicy    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

CreateTime string: (string) - Creation time of the federation policy
Description string: Description of the federation policy
Name string: (string) - Resource name for the federation policy. Example values include accounts/<account-id>/federationPolicies/my-federation-policy for Account Federation Policies, and accounts/<account-id>/servicePrincipals/<service-principal-id>/federationPolicies/my-federation-policy for Service Principal Federation Policies. Typically an output parameter, which does not need to be specified in create or update requests. If specified in a request, must match the value in the request URL
OidcPolicy ServicePrincipalFederationPolicyOidcPolicy
PolicyId string: (string) - The ID of the federation policy
ServicePrincipalId int: (integer) - The service principal ID that this federation policy applies to. Only set for service principal federation policies
Uid string: (string) - Unique, immutable id of the federation policy
UpdateTime string: (string) - Last update time of the federation policy

CreateTime string: (string) - Creation time of the federation policy
Description string: Description of the federation policy
Name string: (string) - Resource name for the federation policy. Example values include accounts/<account-id>/federationPolicies/my-federation-policy for Account Federation Policies, and accounts/<account-id>/servicePrincipals/<service-principal-id>/federationPolicies/my-federation-policy for Service Principal Federation Policies. Typically an output parameter, which does not need to be specified in create or update requests. If specified in a request, must match the value in the request URL
OidcPolicy ServicePrincipalFederationPolicyOidcPolicyArgs
PolicyId string: (string) - The ID of the federation policy
ServicePrincipalId int: (integer) - The service principal ID that this federation policy applies to. Only set for service principal federation policies
Uid string: (string) - Unique, immutable id of the federation policy
UpdateTime string: (string) - Last update time of the federation policy

createTime String: (string) - Creation time of the federation policy
description String: Description of the federation policy
name String: (string) - Resource name for the federation policy. Example values include accounts/<account-id>/federationPolicies/my-federation-policy for Account Federation Policies, and accounts/<account-id>/servicePrincipals/<service-principal-id>/federationPolicies/my-federation-policy for Service Principal Federation Policies. Typically an output parameter, which does not need to be specified in create or update requests. If specified in a request, must match the value in the request URL
oidcPolicy ServicePrincipalFederationPolicyOidcPolicy
policyId String: (string) - The ID of the federation policy
servicePrincipalId Integer: (integer) - The service principal ID that this federation policy applies to. Only set for service principal federation policies
uid String: (string) - Unique, immutable id of the federation policy
updateTime String: (string) - Last update time of the federation policy

createTime string: (string) - Creation time of the federation policy
description string: Description of the federation policy
name string: (string) - Resource name for the federation policy. Example values include accounts/<account-id>/federationPolicies/my-federation-policy for Account Federation Policies, and accounts/<account-id>/servicePrincipals/<service-principal-id>/federationPolicies/my-federation-policy for Service Principal Federation Policies. Typically an output parameter, which does not need to be specified in create or update requests. If specified in a request, must match the value in the request URL
oidcPolicy ServicePrincipalFederationPolicyOidcPolicy
policyId string: (string) - The ID of the federation policy
servicePrincipalId number: (integer) - The service principal ID that this federation policy applies to. Only set for service principal federation policies
uid string: (string) - Unique, immutable id of the federation policy
updateTime string: (string) - Last update time of the federation policy

create_time str: (string) - Creation time of the federation policy
description str: Description of the federation policy
name str: (string) - Resource name for the federation policy. Example values include accounts/<account-id>/federationPolicies/my-federation-policy for Account Federation Policies, and accounts/<account-id>/servicePrincipals/<service-principal-id>/federationPolicies/my-federation-policy for Service Principal Federation Policies. Typically an output parameter, which does not need to be specified in create or update requests. If specified in a request, must match the value in the request URL
oidc_policy ServicePrincipalFederationPolicyOidcPolicyArgs
policy_id str: (string) - The ID of the federation policy
service_principal_id int: (integer) - The service principal ID that this federation policy applies to. Only set for service principal federation policies
uid str: (string) - Unique, immutable id of the federation policy
update_time str: (string) - Last update time of the federation policy

createTime String: (string) - Creation time of the federation policy
description String: Description of the federation policy
name String: (string) - Resource name for the federation policy. Example values include accounts/<account-id>/federationPolicies/my-federation-policy for Account Federation Policies, and accounts/<account-id>/servicePrincipals/<service-principal-id>/federationPolicies/my-federation-policy for Service Principal Federation Policies. Typically an output parameter, which does not need to be specified in create or update requests. If specified in a request, must match the value in the request URL
oidcPolicy Property Map
policyId String: (string) - The ID of the federation policy
servicePrincipalId Number: (integer) - The service principal ID that this federation policy applies to. Only set for service principal federation policies
uid String: (string) - Unique, immutable id of the federation policy
updateTime String: (string) - Last update time of the federation policy

Supporting Types

ServicePrincipalFederationPolicyOidcPolicy, ServicePrincipalFederationPolicyOidcPolicyArgs

Audiences List<string>: The allowed token audiences, as specified in the 'aud' claim of federated tokens. The audience identifier is intended to represent the recipient of the token. Can be any non-empty string value. As long as the audience in the token matches at least one audience in the policy, the token is considered a match. If audiences is unspecified, defaults to your Databricks account id
Issuer string: The required token issuer, as specified in the 'iss' claim of federated tokens
JwksJson string: The public keys used to validate the signature of federated tokens, in JWKS format. Most use cases should not need to specify this field. If jwks_uri and jwks_json are both unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys
JwksUri string: URL of the public keys used to validate the signature of federated tokens, in JWKS format. Most use cases should not need to specify this field. If jwks_uri and jwks_json are both unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys
Subject string: The required token subject, as specified in the subject claim of federated tokens. Must be specified for service principal federation policies. Must not be specified for account federation policies
SubjectClaim string: The claim that contains the subject of the token. If unspecified, the default value is 'sub'

Audiences []string: The allowed token audiences, as specified in the 'aud' claim of federated tokens. The audience identifier is intended to represent the recipient of the token. Can be any non-empty string value. As long as the audience in the token matches at least one audience in the policy, the token is considered a match. If audiences is unspecified, defaults to your Databricks account id
Issuer string: The required token issuer, as specified in the 'iss' claim of federated tokens
JwksJson string: The public keys used to validate the signature of federated tokens, in JWKS format. Most use cases should not need to specify this field. If jwks_uri and jwks_json are both unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys
JwksUri string: URL of the public keys used to validate the signature of federated tokens, in JWKS format. Most use cases should not need to specify this field. If jwks_uri and jwks_json are both unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys
Subject string: The required token subject, as specified in the subject claim of federated tokens. Must be specified for service principal federation policies. Must not be specified for account federation policies
SubjectClaim string: The claim that contains the subject of the token. If unspecified, the default value is 'sub'

audiences List<String>: The allowed token audiences, as specified in the 'aud' claim of federated tokens. The audience identifier is intended to represent the recipient of the token. Can be any non-empty string value. As long as the audience in the token matches at least one audience in the policy, the token is considered a match. If audiences is unspecified, defaults to your Databricks account id
issuer String: The required token issuer, as specified in the 'iss' claim of federated tokens
jwksJson String: The public keys used to validate the signature of federated tokens, in JWKS format. Most use cases should not need to specify this field. If jwks_uri and jwks_json are both unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys
jwksUri String: URL of the public keys used to validate the signature of federated tokens, in JWKS format. Most use cases should not need to specify this field. If jwks_uri and jwks_json are both unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys
subject String: The required token subject, as specified in the subject claim of federated tokens. Must be specified for service principal federation policies. Must not be specified for account federation policies
subjectClaim String: The claim that contains the subject of the token. If unspecified, the default value is 'sub'

audiences string[]: The allowed token audiences, as specified in the 'aud' claim of federated tokens. The audience identifier is intended to represent the recipient of the token. Can be any non-empty string value. As long as the audience in the token matches at least one audience in the policy, the token is considered a match. If audiences is unspecified, defaults to your Databricks account id
issuer string: The required token issuer, as specified in the 'iss' claim of federated tokens
jwksJson string: The public keys used to validate the signature of federated tokens, in JWKS format. Most use cases should not need to specify this field. If jwks_uri and jwks_json are both unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys
jwksUri string: URL of the public keys used to validate the signature of federated tokens, in JWKS format. Most use cases should not need to specify this field. If jwks_uri and jwks_json are both unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys
subject string: The required token subject, as specified in the subject claim of federated tokens. Must be specified for service principal federation policies. Must not be specified for account federation policies
subjectClaim string: The claim that contains the subject of the token. If unspecified, the default value is 'sub'

audiences Sequence[str]: The allowed token audiences, as specified in the 'aud' claim of federated tokens. The audience identifier is intended to represent the recipient of the token. Can be any non-empty string value. As long as the audience in the token matches at least one audience in the policy, the token is considered a match. If audiences is unspecified, defaults to your Databricks account id
issuer str: The required token issuer, as specified in the 'iss' claim of federated tokens
jwks_json str: The public keys used to validate the signature of federated tokens, in JWKS format. Most use cases should not need to specify this field. If jwks_uri and jwks_json are both unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys
jwks_uri str: URL of the public keys used to validate the signature of federated tokens, in JWKS format. Most use cases should not need to specify this field. If jwks_uri and jwks_json are both unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys
subject str: The required token subject, as specified in the subject claim of federated tokens. Must be specified for service principal federation policies. Must not be specified for account federation policies
subject_claim str: The claim that contains the subject of the token. If unspecified, the default value is 'sub'

audiences List<String>: The allowed token audiences, as specified in the 'aud' claim of federated tokens. The audience identifier is intended to represent the recipient of the token. Can be any non-empty string value. As long as the audience in the token matches at least one audience in the policy, the token is considered a match. If audiences is unspecified, defaults to your Databricks account id
issuer String: The required token issuer, as specified in the 'iss' claim of federated tokens
jwksJson String: The public keys used to validate the signature of federated tokens, in JWKS format. Most use cases should not need to specify this field. If jwks_uri and jwks_json are both unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys
jwksUri String: URL of the public keys used to validate the signature of federated tokens, in JWKS format. Most use cases should not need to specify this field. If jwks_uri and jwks_json are both unspecified (recommended), Databricks automatically fetches the public keys from your issuer’s well known endpoint. Databricks strongly recommends relying on your issuer’s well known endpoint for discovering public keys
subject String: The required token subject, as specified in the subject claim of federated tokens. Must be specified for service principal federation policies. Must not be specified for account federation policies
subjectClaim String: The claim that contains the subject of the token. If unspecified, the default value is 'sub'

Import

As of Pulumi v1.5, resources can be imported through configuration.

hcl

import {

id = “service_principal_id,policy_id”

to = databricks_service_principal_federation_policy.this

}

If you are using an older version of Pulumi, import the resource using the pulumi import command as follows:

$ pulumi import databricks:index/servicePrincipalFederationPolicy:ServicePrincipalFederationPolicy databricks_service_principal_federation_policy "service_principal_id,policy_id"

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: databricks pulumi/pulumi-databricks
License: Apache-2.0
Notes: This Pulumi package is based on the databricks Terraform Provider.

Databricks v1.75.0 published on Thursday, Sep 11, 2025 by Pulumi

pulumi/pulumi-databricks

databricks.ServicePrincipalFederationPolicy

On this page

On this page

Example Usage

Create ServicePrincipalFederationPolicy Resource

Constructor syntax

Parameters

Constructor example

ServicePrincipalFederationPolicy Resource Properties

Inputs

Outputs

Look up Existing ServicePrincipalFederationPolicy Resource

Supporting Types

ServicePrincipalFederationPolicyOidcPolicy, ServicePrincipalFederationPolicyOidcPolicyArgs

Import

Package Details

On this page

On this page