SCIM API (ServicePrincipals)

Preview

This feature is in Public Preview.

SCIM (ServicePrincipals) lets you manage Databricks service principals. An admin user can also create or revoke a personal access token on behalf of a service principal.

Requirements

Get service principals

Endpoint HTTP Method
2.0/preview/scim/v2/ServicePrincipals GET

Retrieve a list of all service principals in the Databricks workspace.

When invoked by a non-admin user, only the username, user display name, and object are returned.

Examples

curl --netrc -X GET \
https://<databricks-instance>/api/2.0/preview/scim/v2/ServicePrincipals \
| jq .

You can use filters to specify subsets of service principals. For example, you can apply the eq (equals) filter parameter to applicationId to retrieve a specific service principal:

curl --netrc -X GET \
"https://<databricks-instance>/api/2.0/preview/scim/v2/ServicePrincipals?filter=applicationId+eq+<application-id>" \
| jq .

In workspaces with a large number of service principals, you can exclude attributes from the request to improve performance.

curl --netrc -X GET \
"https://<databricks-instance>/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=entitlements,groups" \
| jq .

Replace:

  • <databricks-instance> with the Databricks workspace instance name, for example dbc-a1b2345c-d6e7.cloud.databricks.com.
  • <application-id> with the applicationId value of the service principal, for example 12345a67-8b9c-0d1e-23fa-4567b89cde01.

These examples use a .netrc file and jq.

Get service principal by ID

Endpoint HTTP Method
2.0/preview/scim/v2/ServicePrincipals/{id} GET

Retrieve a single service principal resource from the Databricks workspace, given a service principal ID.

Example

curl --netrc -X GET \
https://<databricks-instance>/api/2.0/preview/scim/v2/ServicePrincipals/<service-principal-id> \
| jq .

Replace:

  • <databricks-instance> with the Databricks workspace instance name, for example dbc-a1b2345c-d6e7.cloud.databricks.com.
  • <service-principal-id> with the ID of the service principal, for example 2345678901234567. To get the service principal ID, call Get service principals.

This example uses a .netrc file and jq.

Create service principal

Create a service principal in the Databricks workspace. Service principals count toward the limit of 10000 users per workspace.

Request parameters follow the standard SCIM 2.0 protocol.

Note

Do not specify applicationId; it is randomly generated.

Endpoint HTTP Method
2.0/preview/scim/v2/ServicePrincipals POST

Example

curl --netrc -X POST \
https://<databricks-instance>/api/2.0/preview/scim/v2/ServicePrincipals \
--header 'Content-type: application/scim+json' \
--data @create-service-principal.json \
| jq .

create-service-principal.json:

{
  "displayName": "<display-name>",
  "entitlements": [
    {
      "value": "allow-cluster-create"
    }
  ],
  "groups": [
    {
      "value": "<group-id>"
    }
  ],
  "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal" ],
  "active": true
}

Replace:

  • <databricks-instance> with the Databricks workspace instance name, for example dbc-a1b2345c-d6e7.cloud.databricks.com.
  • <display-name> with the display name of the service principal, for example someone@example.com.
  • <group-id> with the Databricks workspace ID of the group, for example 2345678901234567. To get the group ID, call Get groups.

This example uses a .netrc file and jq.

Update service principal by ID (PATCH)

Endpoint HTTP Method
2.0/preview/scim/v2/ServicePrincipals/{id} PATCH

Update a service principal resource with operations on specific attributes, except for applicationId and id, which are immutable.

Use the PATCH method to add, update, or remove individual attributes. Use the PUT method to overwrite the entire service principal in a single operation.

Request parameters follow the standard SCIM 2.0 protocol and depend on the value of the schemas attribute.

Add entitlements

Example

curl --netrc -X PATCH \
https://<databricks-instance>/api/2.0/preview/scim/v2/ServicePrincipals/<service-principal-id> \
--header 'Content-type: application/scim+json' \
--data @change-service-principal.json \
| jq .

change-service-principal.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "add",
      "path": "entitlements",
      "value": [
        {
          "value": "allow-cluster-create"
        }
      ]
    }
  ]
}

Replace:

  • <databricks-instance> with the Databricks workspace instance name, for example dbc-a1b2345c-d6e7.cloud.databricks.com.
  • <service-principal-id> with the ID of the service principal, for example 2345678901234567. To get the service principal ID, call Get service principals.

This example uses a .netrc file and jq.

Remove entitlements

Example

curl --netrc -X PATCH \
https://<databricks-instance>/api/2.0/preview/scim/v2/ServicePrincipals/<service-principal-id> \
--header 'Content-type: application/scim+json' \
--data @change-service-principal.json \
| jq .

change-service-principal.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "remove",
      "path": "entitlements",
      "value": [
        {
          "value": "allow-cluster-create"
        }
      ]
    }
  ]
}

Replace:

  • <databricks-instance> with the Databricks workspace instance name, for example dbc-a1b2345c-d6e7.cloud.databricks.com.
  • <service-principal-id> with the ID of the service principal, for example 2345678901234567. To get the service principal ID, call Get service principals.

This example uses a .netrc file and jq.

Add to a group

Example

curl --netrc -X PATCH \
https://<databricks-instance>/api/2.0/preview/scim/v2/ServicePrincipals/<service-principal-id> \
--header 'Content-type: application/scim+json' \
--data @change-service-principal.json \
| jq .

change-service-principal.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "add",
      "path": "groups",
      "value": [
        {
          "value": "<group-id>"
        }
      ]
    }
  ]
}

Replace:

  • <databricks-instance> with the Databricks workspace instance name, for example dbc-a1b2345c-d6e7.cloud.databricks.com.
  • <service-principal-id> with the ID of the service principal, for example 2345678901234567. To get the service principal ID, call Get service principals.
  • <group-id> with the Databricks workspace ID of the group, for example 2345678901234567. To get the group ID, call Get groups.

This example uses a .netrc file and jq.

Remove from a group

Example

curl --netrc -X PATCH \
https://<databricks-instance>/api/2.0/preview/scim/v2/Groups/<group-id> \
--header 'Content-type: application/scim+json' \
--data @remove-from-group.json \
| jq .

remove-from-group.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "remove",
      "path": "members[value eq \"<service-principal-id>\"]"
    }
  ]
}

Replace:

  • <databricks-instance> with the Databricks workspace instance name, for example dbc-a1b2345c-d6e7.cloud.databricks.com.
  • <group-id> with the Databricks workspace ID of the group, for example 2345678901234567. To get the group ID, call Get groups.
  • <service-principal-id> with the ID of the service principal, for example 2345678901234567. To get the service principal ID, call Get service principals.

This example uses a .netrc file and jq.

Deactivate service principal by ID

To deactivate a service principal, set its active attribute to false. Deactivated service principals are not automatically purged.

curl --netrc -X PATCH \
https://<databricks-instance>/api/2.0/preview/scim/v2/ServicePrincipals/<service-principal-id> \
--header 'Content-type: application/scim+json' \
--data @deactivate-service-principal.json \
| jq .

deactivate-service-principal.json:

{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": [
        {
          "value": "false"
        }
      ]
    }
  ]
}

Replace:

  • <databricks-instance> with the Databricks workspace instance name, for example dbc-a1b2345c-d6e7.cloud.databricks.com.
  • <service-principal-id> with the ID of the service principal, for example 2345678901234567. To get the service principal ID, call Get service principals.

This example uses a .netrc file and jq.

Update service principal by ID (PUT)

Endpoint HTTP Method
2.0/preview/scim/v2/ServicePrincipals/{id} PUT

Overwrite the entire service principal resource, except for applicationId and id, which are immutable.

Use the PATCH method to add, update, or remove individual attributes.

Important

You must include the schemas attribute in the request, with the exact value urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal.

Examples

Add an entitlement

curl --netrc -X PUT \
https://<databricks-instance>/api/2.0/preview/scim/v2/ServicePrincipals/<service-principal-id> \
--header 'Content-type: application/scim+json' \
--data @update-service-principal.json \
| jq .

update-service-principal.json:

{
  "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal" ],
  "applicationId": "<application-id>",
  "displayName": "<display-name>",
  "groups": [
    {
      "value": "<group-id>"
    }
  ],
  "entitlements": [
    {
      "value": "allow-cluster-create"
    }
  ]
}

Replace:

  • <databricks-instance> with the Databricks workspace instance name, for example dbc-a1b2345c-d6e7.cloud.databricks.com.
  • <service-principal-id> with the ID of the service principal, for example 2345678901234567. To get the service principal ID, call Get service principals.
  • <application-id> with the applicationId value of the service principal, for example 12345a67-8b9c-0d1e-23fa-4567b89cde01.
  • <display-name> with the display name of the service principal, for example someone@example.com.
  • <group-id> with the Databricks workspace ID of the group, for example 2345678901234567. To get the group ID, call Get groups.

This example uses a .netrc file and jq.

Remove all entitlements and groups

Removing all entitlements and groups is a reversible alternative to deleting the service principal.

Use the PUT method to avoid the need to check the existing entitlements and group memberships first.

curl --netrc -X PUT \
https://<databricks-instance>/api/2.0/preview/scim/v2/ServicePrincipals/<service-principal-id> \
--header 'Content-type: application/scim+json' \
--data @update-service-principal.json \
| jq .

update-service-principal.json:

{
  "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal" ],
  "applicationId": "<application-id>",
  "displayName": "<display-name>",
  "groups": [],
  "entitlements": []
}

Replace:

  • <databricks-instance> with the Databricks workspace instance name, for example dbc-a1b2345c-d6e7.cloud.databricks.com.
  • <service-principal-id> with the ID of the service principal, for example 2345678901234567. To get the service principal ID, call Get service principals.
  • <application-id> with the applicationId value of the service principal, for example 12345a67-8b9c-0d1e-23fa-4567b89cde01.
  • <display-name> with the display name of the service principal, for example someone@example.com.

This example uses a .netrc file and jq.

Delete service principal by ID

Endpoint HTTP Method
2.0/preview/scim/v2/ServicePrincipals/{id} DELETE

Delete a service principal resource. This operation isn’t reversible.

Example

curl --netrc -X DELETE \
https://<databricks-instance>/api/2.0/preview/scim/v2/ServicePrincipals/<service-principal-id>

Replace:

  • <databricks-instance> with the Databricks workspace instance name, for example dbc-a1b2345c-d6e7.cloud.databricks.com.
  • <service-principal-id> with the ID of the service principal, for example 2345678901234567. To get the service principal ID, call Get service principals.

This example uses a .netrc file.

As a reversible alternative, you can remove all of its entitlements and groups instead of deleting the service principal.
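An added Python example, not part of the Databricks documentation, that ties the Get service principals, PATCH, PUT and group-removal sections together: it parses a constructed SCIM ListResponse (the ids, applicationIds and display names are made up), finds which service principals hold allow-cluster-create, and builds the PatchOp and PUT request bodies shown above so an admin can audit and narrow entitlements instead of deleting principals. Sending the bodies to https://<databricks-instance> is left to the caller.

```python
import json

# Constructed sample of the ListResponse returned by GET .../ServicePrincipals (made-up data).
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"id": "2345678901234567", "applicationId": "12345a67-8b9c-0d1e-23fa-4567b89cde01",
         "displayName": "etl-runner", "active": True,
         "entitlements": [{"value": "allow-cluster-create"}],
         "groups": [{"value": "3456789012345678"}]},
        {"id": "2345678901234568", "applicationId": "22345a67-8b9c-0d1e-23fa-4567b89cde02",
         "displayName": "dashboard-reader", "active": True,
         "entitlements": [], "groups": []},
    ],
})

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"

def principals_with_entitlement(list_response_json, entitlement):
    """Ids of the service principals in a ListResponse that hold `entitlement`."""
    body = json.loads(list_response_json)
    return [sp["id"] for sp in body.get("Resources", [])
            if any(e.get("value") == entitlement
                   for e in sp.get("entitlements", []))]

def patch_op(op, path, values=None):
    """PatchOp body in the shape of the change-service-principal.json examples."""
    operation = {"op": op, "path": path}
    if values is not None:
        operation["value"] = [{"value": v} for v in values]
    return {"schemas": [PATCH_SCHEMA], "Operations": [operation]}

def remove_entitlement_body(entitlement):
    return patch_op("remove", "entitlements", [entitlement])

def deactivate_body():
    # Same shape as deactivate-service-principal.json: "active" replaced via a value list.
    return patch_op("replace", "active", ["false"])

def remove_from_group_body(service_principal_id):
    # Filter-path form of remove-from-group.json; this body is sent to .../Groups/<group-id>.
    return {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "remove", "path": 'members[value eq "%s"]' % service_principal_id}]}

def strip_all_body(application_id, display_name):
    """PUT body that drops every entitlement and group: reversible, unlike DELETE."""
    return {"schemas": [SP_SCHEMA], "applicationId": application_id,
            "displayName": display_name, "groups": [], "entitlements": []}
```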