Databricks
Create an integration to manage access to Databricks resources
Apono enables you to automate and control access to Databricks by dynamically managing group memberships through just-in-time access flows. This ensures that data analysts, data scientists, and engineers receive only the temporary, task-based access they need to work with sensitive datasets.
With Apono’s Databricks integration, you can streamline access requests, approvals, and lifecycle management for Databricks groups:
Enable self-service access requests by controlling resource access through Databricks group memberships
Enforce zero standing privileges by automatically revoking expired access
Discover and manage permissions across Databricks groups
Prerequisites
Apono connector
On-prem connection serving as a bridge between a Databricks instance and Apono:
Learn how to update an existing AWS, Azure, GCP, or Kubernetes connector.
Databricks account management URL
Accounts Management URL. Example: https://aacounts.cloud.databricks.com
Databricks account ID
Unique identifier for the Databricks account. Follow these steps:
In your account management console, click your profile icon.
Copy the Account ID under your email.
Service principal
Account for the Apono integration with admin privileges. Follow these steps:
In your account management console, click your workspace > Manage account. A new page opens.
From the side navigation, click User management. The User management page opens.
On the Service principals tab, click Add service principal. The Add service principal popup window appears.
Enter the New service principal display name.
Click Add service principal. The principal is created and added to the list of principals.
Click the name of the principal.
On the Roles tab, click the Account Admin toggle to ON.
Grant principal access:
On the Permissions tab, click Grant access. The Grant access to others pop-up window appears.
From the User, Group or Service Principal dropdown menu, select the principal.
From the Permission dropdown menu, select Service Principal: Manager.
Click Save.
Databricks credentials
Client ID and secret used to securely authenticate the service principal. Follow these steps:
On the Credentials & secrets tab of the service principal, click Generate secret. The Generate OAuth secret popup window opens.
Enter the Lifetime (days) duration of the secret.
Click Generate. The Generate OAuth secret popup window is replaced by the Generate secret popup window.
Copy the Secret and Client ID.
Create your secret from the client ID and secret you copied, as a JSON object with these two keys:
{
  "client_id": "<DATABRICKS_CLIENT_ID>",
  "client_secret": "<DATABRICKS_SECRET>"
}
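The credentials above are what the connector presents to the Databricks account API: the client ID and secret are exchanged for a short-lived OAuth token using the client-credentials grant, and that token is then used for account-level calls such as listing groups. The script below is an added example, not Apono's connector code or anything from the Databricks documentation; it checks the secret JSON for leftover placeholders, refuses to send the secret anywhere but an https:// Accounts Management URL, and (optionally, with network access) verifies that the service principal can obtain a token and read account groups. It assumes the Databricks account token endpoint /oidc/accounts/{account_id}/v1/token and the account SCIM endpoint /api/2.0/accounts/{account_id}/scim/v2/Groups; the sample client ID, secret, account ID and URL are constructed values.

```python
"""Pre-flight check for the Apono service-principal credentials (added example).

Not part of the Apono documentation or connector. Assumes the Databricks
account-level OAuth client-credentials token endpoint and the account SCIM
Groups endpoint; all sample values below are constructed.
"""
import base64
import json
import os
import re
import urllib.parse
import urllib.request

# Matches a value that was never filled in, e.g. "<DATABRICKS_CLIENT_ID>".
PLACEHOLDER = re.compile(r"^<.*>$")

# Constructed sample in the shape the page describes (not real credentials).
SAMPLE_SECRET = json.dumps(
    {"client_id": "apono-sp-client-id-example", "client_secret": "example-secret-value"}
)


def load_credentials(secret_text: str) -> dict:
    """Parse the secret JSON and reject missing, blank or placeholder values."""
    creds = json.loads(secret_text)
    out = {}
    for key in ("client_id", "client_secret"):
        value = creds.get(key)
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"secret is missing '{key}'")
        if PLACEHOLDER.match(value.strip()):
            raise ValueError(f"'{key}' still holds the placeholder {value}")
        out[key] = value.strip()
    return out


def normalize_accounts_url(accounts_url: str) -> str:
    """Require https (the secret travels in the Authorization header) and strip any path."""
    parts = urllib.parse.urlsplit(accounts_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Accounts Management URL must be an https:// URL")
    return f"https://{parts.netloc}"


def token_url(accounts_url: str, account_id: str) -> str:
    return f"{normalize_accounts_url(accounts_url)}/oidc/accounts/{account_id}/v1/token"


def groups_url(accounts_url: str, account_id: str) -> str:
    return f"{normalize_accounts_url(accounts_url)}/api/2.0/accounts/{account_id}/scim/v2/Groups"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credentials used by the client-credentials grant."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(accounts_url: str, account_id: str, creds: dict) -> urllib.request.Request:
    """Build (without sending) the POST that exchanges the secret for an access token."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "all-apis"}).encode()
    return urllib.request.Request(
        token_url(accounts_url, account_id),
        data=body,
        headers={
            "Authorization": basic_auth_header(creds["client_id"], creds["client_secret"]),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )


def fetch_token(accounts_url, account_id, creds, opener=urllib.request.urlopen) -> str:
    """Send the token request; `opener` is injectable so the exchange can be stubbed."""
    with opener(build_token_request(accounts_url, account_id, creds)) as resp:
        return json.load(resp)["access_token"]


def list_group_names(accounts_url, account_id, token, opener=urllib.request.urlopen) -> list:
    """Read account groups (what the Apono integration manages) with the bearer token."""
    req = urllib.request.Request(
        groups_url(accounts_url, account_id), headers={"Authorization": f"Bearer {token}"}
    )
    with opener(req) as resp:
        return [g.get("displayName", "") for g in json.load(resp).get("Resources", [])]


if __name__ == "__main__":
    # Offline part: validate the secret document and show the request that would be sent.
    creds = load_credentials(os.environ.get("APONO_DATABRICKS_SECRET_JSON", SAMPLE_SECRET))
    accounts_url = os.environ.get("DATABRICKS_ACCOUNTS_URL", "https://accounts.example.invalid")
    account_id = os.environ.get("DATABRICKS_ACCOUNT_ID", "00000000-0000-0000-0000-000000000000")
    print("token endpoint:", build_token_request(accounts_url, account_id, creds).full_url)
    # Online part: only runs when a real account is configured in the environment.
    if "DATABRICKS_ACCOUNT_ID" in os.environ:
        token = fetch_token(accounts_url, account_id, creds)
        print("account groups:", list_group_names(accounts_url, account_id, token))
```

Run it with APONO_DATABRICKS_SECRET_JSON, DATABRICKS_ACCOUNTS_URL and DATABRICKS_ACCOUNT_ID set to see the groups the service principal can read; if the token request fails with 401, the secret has expired (see the Lifetime (days) setting) or the Account Admin role was not enabled.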
Integrate Databricks

You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Databricks. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Integration Name
Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow
Databricks Accounts URL
Accounts Management URL. Example: https://aacounts.cloud.databricks.com
Account Id
Unique identifier for the Databricks account
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Custom Access Details
(Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview.
Integration Owner
(Optional) Fallback approver if no resource owner is found. Follow these steps to define one or several integration owners:
From the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform.
From the Value dropdown menu, select one or multiple users or groups.
NOTE: When Resource Owner is defined, an Integration Owner must be defined.
Resource Owner
(Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several resource owners:
Enter a Key name. This value is the name of the tag created in your cloud environment.
From the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono will use the value associated with the key (tag) to identify the resource owner. When you update the membership of the group or role in your IdP platform, this change is also reflected in Apono.
NOTE: When this setting is defined, an Integration Owner must also be defined.
Click Confirm.
Now that you have completed this integration, you can create access flows that manage Databricks group memberships to control access to resources.