
recipient-federation-policies command group

Note

This information applies to Databricks CLI versions 0.205 and above. The Databricks CLI is in Public Preview.

Databricks CLI use is subject to the Databricks License and Databricks Privacy Notice, including any Usage Data provisions.

The recipient-federation-policies command group within the Databricks CLI contains commands to manage federation policies for OIDC recipients in the open sharing model. These commands are only applicable where the recipient object has the authentication type of OIDC_RECIPIENT, enabling data sharing from Databricks to non-Databricks recipients. See Use Open ID Connect (OIDC) federation to enable authentication to Delta Sharing shares (open sharing).

databricks recipient-federation-policies create

Create a federation policy for an OIDC_FEDERATION recipient for sharing data from Databricks to non-Databricks recipients. The caller must be the owner of the recipient.

When sharing data from Databricks to non-Databricks clients, you can define a federation policy to authenticate non-Databricks recipients. The federation policy validates OIDC claims in federated tokens and is defined at the recipient level. This enables secretless sharing clients to authenticate using OIDC tokens.

Supported scenarios for federation policies:

  1. User-to-Machine (U2M) flow (e.g., PowerBI): A user accesses a resource using their own identity.
  2. Machine-to-Machine (M2M) flow (e.g., OAuth App): An OAuth App accesses a resource using its own identity, typically for tasks like running nightly jobs.

For detailed configuration guides based on your use case, see:

databricks recipient-federation-policies create RECIPIENT_NAME [flags]

Arguments

RECIPIENT_NAME

    Name of the recipient. This is the name of the recipient for which the policy is being created.

Options

--comment string

    Description of the policy.

--json JSON

    The inline JSON string or the @path to the JSON file with the request body.

--name string

    Name of the federation policy.

Global flags

Examples

The following example creates a federation policy for a recipient:

Bash
databricks recipient-federation-policies create my_recipient --name "my_policy" --comment "Policy for PowerBI users"

The following example creates a federation policy using JSON:

Bash
databricks recipient-federation-policies create my_recipient --json '{"name": "m2m_policy", "comment": "Policy for automated jobs", "claims": [{"key": "aud", "value": "my-app-id"}]}'

The following example creates a federation policy using a JSON file:

Bash
databricks recipient-federation-policies create my_recipient --json @federation-policy.json
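
A pre-flight check for a request body before it is passed to `--json`, added here as an example; it is not part of the Databricks CLI or its documentation. It assumes the body shape used in the inline JSON example above (`name`, `comment`, `claims` with `key`/`value`); the function name `lint_policy`, the wildcard set and the rule that an `aud` claim should be present are hypothetical choices for illustration.

```python
import json

# Added example: lint a federation policy request body before `create --json`.
# Shape (name, comment, claims[{key, value}]) follows the page's inline example;
# the rules below are assumptions, not checks performed by Databricks.
WILDCARDS = {"*", ".*", "%"}

def lint_policy(body: str) -> list:
    """Return a list of findings; an empty list means the body passed."""
    try:
        policy = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["request body must be a JSON object"]
    findings = []
    name = policy.get("name")
    if not isinstance(name, str) or not name.strip():
        findings.append("missing policy name")
    claims = policy.get("claims")
    if not isinstance(claims, list) or not claims:
        findings.append("no claims: policy does not constrain the token")
        return findings
    seen = set()
    for i, claim in enumerate(claims):
        key = claim.get("key") if isinstance(claim, dict) else None
        value = claim.get("value") if isinstance(claim, dict) else None
        if not isinstance(key, str) or not key:
            findings.append(f"claims[{i}]: missing key")
            continue
        if key in seen:
            findings.append(f"claims[{i}]: duplicate key {key!r}")
        seen.add(key)
        if not isinstance(value, str) or not value.strip():
            findings.append(f"claims[{i}]: empty value for {key!r}")
        elif value.strip() in WILDCARDS:
            findings.append(f"claims[{i}]: wildcard value for {key!r}")
    if "aud" not in seen:
        findings.append("no 'aud' claim: token audience is not pinned")
    return findings

# Constructed sample bodies; GOOD is the page's inline example.
GOOD = '{"name": "m2m_policy", "comment": "Policy for automated jobs", "claims": [{"key": "aud", "value": "my-app-id"}]}'
BAD = '{"name": "", "claims": [{"key": "sub", "value": "*"}, {"key": "sub", "value": ""}]}'

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bad", BAD)):
        print(label, lint_policy(body))
```

Run it against the contents of `federation-policy.json` in review or CI and block the `create` call when the returned list is not empty.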

databricks recipient-federation-policies delete

Delete an existing federation policy for an OIDC_FEDERATION recipient. The caller must be the owner of the recipient.

databricks recipient-federation-policies delete RECIPIENT_NAME NAME [flags]

Arguments

RECIPIENT_NAME

    Name of the recipient. This is the name of the recipient for which the policy is being deleted.

NAME

    Name of the policy. This is the name of the policy to be deleted.

Options

Global flags

Examples

The following example deletes a federation policy:

Bash
databricks recipient-federation-policies delete my_recipient my_policy

databricks recipient-federation-policies get-federation-policy

Get an existing federation policy for an OIDC_FEDERATION recipient for sharing data from Databricks to non-Databricks recipients. The caller must have read access to the recipient.

databricks recipient-federation-policies get-federation-policy RECIPIENT_NAME NAME [flags]

Arguments

RECIPIENT_NAME

    Name of the recipient. This is the name of the recipient for which the policy is being retrieved.

NAME

    Name of the policy. This is the name of the policy to be retrieved.

Options

Global flags

Examples

The following example gets a federation policy:

Bash
databricks recipient-federation-policies get-federation-policy my_recipient my_policy

databricks recipient-federation-policies list

List federation policies for an OIDC_FEDERATION recipient for sharing data from Databricks to non-Databricks recipients. The caller must have read access to the recipient.

databricks recipient-federation-policies list RECIPIENT_NAME [flags]

Arguments

RECIPIENT_NAME

    Name of the recipient. This is the name of the recipient for which the policies are being listed.

Options

--max-results int

    Maximum number of policies to return per page.

--page-token string

    Token to retrieve the next page of results.

Global flags

Examples

The following example lists all federation policies for a recipient:

Bash
databricks recipient-federation-policies list my_recipient

The following example lists federation policies with pagination:

Bash
databricks recipient-federation-policies list my_recipient --max-results 10

Global flags

--debug

    Whether to enable debug logging.

-h or --help

    Display help for the Databricks CLI or the related command group or the related command.

--log-file string

    A string representing the file to write output logs to. If this flag is not specified then the default is to write output logs to stderr.

--log-format format

    The log format type, text or json. The default value is text.

--log-level string

    A string representing the log format level. If not specified then the log format level is disabled.

-o, --output type

    The command output type, text or json. The default value is text.

-p, --profile string

    The name of the profile in the ~/.databrickscfg file to use to run the command. If this flag is not specified then if it exists, the profile named DEFAULT is used.

--progress-format format

    The format to display progress logs: default, append, inplace, or json.

-t, --target string

    If applicable, the bundle target to use.