Manage delegated credential configurations using the account console (E2)

Preview

The account console for E2 accounts is in Public Preview.

This article describes how to use the account console to create and configure a cross-account IAM role and reference it in a credential configuration that gives Databricks limited access to your AWS account for the purposes of creating and managing compute and VPC resources.

Note

This article describes the process for accounts on the E2 version of the Databricks platform, using the account console. To learn how to create credential configurations using the Account API, see Create a new workspace using the Account API. For other versions of the platform, see Configure your AWS account (cross-account IAM role). All new Databricks accounts and most existing accounts are now E2. If you are unsure which account type you have, contact your Databricks representative.

A credential configuration consists of IDs for an AWS cross-account IAM role in your account. That role must include a policy that gives Databricks limited access to resources in your account.

Before you can create a Databricks workspace, you must create the IAM role and credential configuration.

Create an IAM role

Follow the instructions in Create a cross-account IAM role.

Note

These instructions give you three role policy options, which depend on whether you want to use the default Databricks-managed VPC or provide your own VPC. The typical deployment uses the Databricks-managed VPC.

Create a credential configuration

When you have created the IAM role, you can tell Databricks about it by creating a credential configuration that uses that role’s IDs.

Note

These instructions show you how to create the credential configuration from the Account Settings page in the account console before you create a new workspace. You can also create the credential configuration in a similar way as part of the flow of creating a new workspace. See Create and manage workspaces using the account console.

To create a credential configuration:

  1. Go to the account console, click Account Settings, and click Credential configurations.
  2. Click Add Credential configuration.
  3. In the Name field, enter a human-readable name for your new credential configuration.
  4. In the Role ARN field, enter your role’s ARN.
  5. Click Add.

View credential configurations

  1. Go to the account console, click Account Settings, and click Credential configurations.

    All credential configurations are listed, with Role ARN and Created date displayed for each.

  2. Click the credential configuration name to view more details.

    Validation is not run when a credential configuration is created. Some errors, such as an invalid ARN or a role that lacks the right permissions, are detected only when you use the configuration to create a new workspace.
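Because the console does not validate a credential configuration when it is created, you can check the role locally before entering its ARN. The following is an added example, not Databricks code: it checks the ARN's structure and inspects a role trust policy for a wildcard principal or a missing external ID condition. The account IDs, external ID, role name and function names are constructed placeholders and assumptions; substitute the values from your own cross-account role setup.

```python
import json

def parse_role_arn(arn):
    """Split an IAM role ARN into (partition, account_id, role_name); raise ValueError if malformed."""
    parts = arn.strip().split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam" or parts[3] != "":
        raise ValueError("expected arn:<partition>:iam::<account-id>:role/<name>")
    partition, account, resource = parts[1], parts[4], parts[5]
    if partition not in ("aws", "aws-cn", "aws-us-gov"):
        raise ValueError(f"unknown partition {partition!r}")
    if not (len(account) == 12 and account.isascii() and account.isdigit()):
        raise ValueError("account ID must be 12 digits")
    if not resource.startswith("role/") or resource.endswith("/"):
        raise ValueError("resource must be role/<name>, not a user, policy or instance profile")
    return partition, account, resource.rsplit("/", 1)[1]

def _as_list(value):
    return value if isinstance(value, list) else [] if value is None else [value]

def trust_policy_findings(policy, trusted_account, external_id):
    """Return a list of problems in a role trust policy; an empty list means it passed."""
    findings, matched = [], False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if "*" in aws:
            findings.append("wildcard principal: any AWS account can assume the role")
        # Assumes the standard "aws" partition for the trusted principal.
        if any(p == trusted_account or p.startswith(f"arn:aws:iam::{trusted_account}:") for p in aws):
            matched = True
            ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if ext != external_id:
                findings.append("trusted principal lacks the expected sts:ExternalId condition")
    if not matched:
        findings.append("no Allow statement lets the trusted account call sts:AssumeRole")
    return findings

# Constructed sample input: placeholder account IDs and external ID, not real values.
SAMPLE_ROLE_ARN = "arn:aws:iam::111122223333:role/databricks/cross-account-example"
SAMPLE_TRUST = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
""")

if __name__ == "__main__":
    print(parse_role_arn(SAMPLE_ROLE_ARN))
    print(trust_policy_findings(SAMPLE_TRUST, "444455556666", "EXAMPLE-EXTERNAL-ID"))
```

These checks cover only the ARN's structure and the trust policy; they do not verify that the role's permissions policy grants what workspace creation needs.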

Delete a credential configuration

Credential configurations cannot be edited after creation. If the configuration has incorrect data or if you no longer need it, delete the credential configuration:

  1. Go to the account console, click Account Settings, and click Credential configurations.

  2. On the credential configuration row, click the Actions menu icon, and select Delete.

    You can also click the credential configuration name and click Delete on the pop-up dialog.

  3. On the confirmation dialog, click Confirm Delete.