databricks.getAwsUnityCatalogPolicy

Explore with Pulumi AI

Databricks v1.67.0 published on Thursday, Apr 17, 2025 by Pulumi

Example Usage

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as databricks from "@pulumi/databricks";

const _this = databricks.getAwsUnityCatalogPolicy({
    awsAccountId: awsAccountId,
    bucketName: "databricks-bucket",
    roleName: `${prefix}-uc-access`,
    kmsName: "arn:aws:kms:us-west-2:111122223333:key/databricks-kms",
});
const thisGetAwsUnityCatalogAssumeRolePolicy = databricks.getAwsUnityCatalogAssumeRolePolicy({
    awsAccountId: awsAccountId,
    roleName: `${prefix}-uc-access`,
    externalId: "12345",
});
const unityMetastore = new aws.iam.Policy("unity_metastore", {
    name: `${prefix}-unity-catalog-metastore-access-iam-policy`,
    policy: _this.then(_this => _this.json),
});
const metastoreDataAccess = new aws.iam.Role("metastore_data_access", {
    name: `${prefix}-uc-access`,
    assumeRolePolicy: thisGetAwsUnityCatalogAssumeRolePolicy.then(thisGetAwsUnityCatalogAssumeRolePolicy => thisGetAwsUnityCatalogAssumeRolePolicy.json),
    managedPolicyArns: [unityMetastore.arn],
});

import pulumi
import pulumi_aws as aws
import pulumi_databricks as databricks

this = databricks.get_aws_unity_catalog_policy(aws_account_id=aws_account_id,
    bucket_name="databricks-bucket",
    role_name=f"{prefix}-uc-access",
    kms_name="arn:aws:kms:us-west-2:111122223333:key/databricks-kms")
this_get_aws_unity_catalog_assume_role_policy = databricks.get_aws_unity_catalog_assume_role_policy(aws_account_id=aws_account_id,
    role_name=f"{prefix}-uc-access",
    external_id="12345")
unity_metastore = aws.iam.Policy("unity_metastore",
    name=f"{prefix}-unity-catalog-metastore-access-iam-policy",
    policy=this.json)
metastore_data_access = aws.iam.Role("metastore_data_access",
    name=f"{prefix}-uc-access",
    assume_role_policy=this_get_aws_unity_catalog_assume_role_policy.json,
    managed_policy_arns=[unity_metastore.arn])

package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		this, err := databricks.GetAwsUnityCatalogPolicy(ctx, &databricks.GetAwsUnityCatalogPolicyArgs{
			AwsAccountId: awsAccountId,
			BucketName:   "databricks-bucket",
			RoleName:     fmt.Sprintf("%v-uc-access", prefix),
			KmsName:      pulumi.StringRef("arn:aws:kms:us-west-2:111122223333:key/databricks-kms"),
		}, nil)
		if err != nil {
			return err
		}
		thisGetAwsUnityCatalogAssumeRolePolicy, err := databricks.GetAwsUnityCatalogAssumeRolePolicy(ctx, &databricks.GetAwsUnityCatalogAssumeRolePolicyArgs{
			AwsAccountId: awsAccountId,
			RoleName:     fmt.Sprintf("%v-uc-access", prefix),
			ExternalId:   "12345",
		}, nil)
		if err != nil {
			return err
		}
		unityMetastore, err := iam.NewPolicy(ctx, "unity_metastore", &iam.PolicyArgs{
			Name:   pulumi.Sprintf("%v-unity-catalog-metastore-access-iam-policy", prefix),
			Policy: pulumi.String(this.Json),
		})
		if err != nil {
			return err
		}
		_, err = iam.NewRole(ctx, "metastore_data_access", &iam.RoleArgs{
			Name:             pulumi.Sprintf("%v-uc-access", prefix),
			AssumeRolePolicy: pulumi.String(thisGetAwsUnityCatalogAssumeRolePolicy.Json),
			ManagedPolicyArns: pulumi.StringArray{
				unityMetastore.Arn,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Databricks = Pulumi.Databricks;

return await Deployment.RunAsync(() => 
{
    var @this = Databricks.GetAwsUnityCatalogPolicy.Invoke(new()
    {
        AwsAccountId = awsAccountId,
        BucketName = "databricks-bucket",
        RoleName = $"{prefix}-uc-access",
        KmsName = "arn:aws:kms:us-west-2:111122223333:key/databricks-kms",
    });

    var thisGetAwsUnityCatalogAssumeRolePolicy = Databricks.GetAwsUnityCatalogAssumeRolePolicy.Invoke(new()
    {
        AwsAccountId = awsAccountId,
        RoleName = $"{prefix}-uc-access",
        ExternalId = "12345",
    });

    var unityMetastore = new Aws.Iam.Policy("unity_metastore", new()
    {
        Name = $"{prefix}-unity-catalog-metastore-access-iam-policy",
        PolicyDocument = @this.Apply(@this => @this.Apply(getAwsUnityCatalogPolicyResult => getAwsUnityCatalogPolicyResult.Json)),
    });

    var metastoreDataAccess = new Aws.Iam.Role("metastore_data_access", new()
    {
        Name = $"{prefix}-uc-access",
        AssumeRolePolicy = thisGetAwsUnityCatalogAssumeRolePolicy.Apply(getAwsUnityCatalogAssumeRolePolicyResult => getAwsUnityCatalogAssumeRolePolicyResult.Json),
        ManagedPolicyArns = new[]
        {
            unityMetastore.Arn,
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetAwsUnityCatalogPolicyArgs;
import com.pulumi.databricks.inputs.GetAwsUnityCatalogAssumeRolePolicyArgs;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var this = DatabricksFunctions.getAwsUnityCatalogPolicy(GetAwsUnityCatalogPolicyArgs.builder()
            .awsAccountId(awsAccountId)
            .bucketName("databricks-bucket")
            .roleName(String.format("%s-uc-access", prefix))
            .kmsName("arn:aws:kms:us-west-2:111122223333:key/databricks-kms")
            .build());

        final var thisGetAwsUnityCatalogAssumeRolePolicy = DatabricksFunctions.getAwsUnityCatalogAssumeRolePolicy(GetAwsUnityCatalogAssumeRolePolicyArgs.builder()
            .awsAccountId(awsAccountId)
            .roleName(String.format("%s-uc-access", prefix))
            .externalId("12345")
            .build());

        var unityMetastore = new Policy("unityMetastore", PolicyArgs.builder()
            .name(String.format("%s-unity-catalog-metastore-access-iam-policy", prefix))
            .policy(this_.json())
            .build());

        var metastoreDataAccess = new Role("metastoreDataAccess", RoleArgs.builder()
            .name(String.format("%s-uc-access", prefix))
            .assumeRolePolicy(thisGetAwsUnityCatalogAssumeRolePolicy.json())
            .managedPolicyArns(unityMetastore.arn())
            .build());

    }
}

resources:
  unityMetastore:
    type: aws:iam:Policy
    name: unity_metastore
    properties:
      name: ${prefix}-unity-catalog-metastore-access-iam-policy
      policy: ${this.json}
  metastoreDataAccess:
    type: aws:iam:Role
    name: metastore_data_access
    properties:
      name: ${prefix}-uc-access
      assumeRolePolicy: ${thisGetAwsUnityCatalogAssumeRolePolicy.json}
      managedPolicyArns:
        - ${unityMetastore.arn}
variables:
  this:
    fn::invoke:
      function: databricks:getAwsUnityCatalogPolicy
      arguments:
        awsAccountId: ${awsAccountId}
        bucketName: databricks-bucket
        roleName: ${prefix}-uc-access
        kmsName: arn:aws:kms:us-west-2:111122223333:key/databricks-kms
  thisGetAwsUnityCatalogAssumeRolePolicy:
    fn::invoke:
      function: databricks:getAwsUnityCatalogAssumeRolePolicy
      arguments:
        awsAccountId: ${awsAccountId}
        roleName: ${prefix}-uc-access
        externalId: '12345'

Using getAwsUnityCatalogPolicy

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

TypeScript
Python
Go
C#
Java
YAML

function getAwsUnityCatalogPolicy(args: GetAwsUnityCatalogPolicyArgs, opts?: InvokeOptions): Promise<GetAwsUnityCatalogPolicyResult>
function getAwsUnityCatalogPolicyOutput(args: GetAwsUnityCatalogPolicyOutputArgs, opts?: InvokeOptions): Output<GetAwsUnityCatalogPolicyResult>

def get_aws_unity_catalog_policy(aws_account_id: Optional[str] = None,
                                 aws_partition: Optional[str] = None,
                                 bucket_name: Optional[str] = None,
                                 kms_name: Optional[str] = None,
                                 role_name: Optional[str] = None,
                                 opts: Optional[InvokeOptions] = None) -> GetAwsUnityCatalogPolicyResult
def get_aws_unity_catalog_policy_output(aws_account_id: Optional[pulumi.Input[str]] = None,
                                 aws_partition: Optional[pulumi.Input[str]] = None,
                                 bucket_name: Optional[pulumi.Input[str]] = None,
                                 kms_name: Optional[pulumi.Input[str]] = None,
                                 role_name: Optional[pulumi.Input[str]] = None,
                                 opts: Optional[InvokeOptions] = None) -> Output[GetAwsUnityCatalogPolicyResult]

func GetAwsUnityCatalogPolicy(ctx *Context, args *GetAwsUnityCatalogPolicyArgs, opts ...InvokeOption) (*GetAwsUnityCatalogPolicyResult, error)
func GetAwsUnityCatalogPolicyOutput(ctx *Context, args *GetAwsUnityCatalogPolicyOutputArgs, opts ...InvokeOption) GetAwsUnityCatalogPolicyResultOutput

> Note: This function is named GetAwsUnityCatalogPolicy in the Go SDK.

public static class GetAwsUnityCatalogPolicy 
{
    public static Task<GetAwsUnityCatalogPolicyResult> InvokeAsync(GetAwsUnityCatalogPolicyArgs args, InvokeOptions? opts = null)
    public static Output<GetAwsUnityCatalogPolicyResult> Invoke(GetAwsUnityCatalogPolicyInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetAwsUnityCatalogPolicyResult> getAwsUnityCatalogPolicy(GetAwsUnityCatalogPolicyArgs args, InvokeOptions options)
public static Output<GetAwsUnityCatalogPolicyResult> getAwsUnityCatalogPolicy(GetAwsUnityCatalogPolicyArgs args, InvokeOptions options)

fn::invoke:
  function: databricks:index/getAwsUnityCatalogPolicy:getAwsUnityCatalogPolicy
  arguments:
    # arguments dictionary

The following arguments are supported:

AwsAccountId string: The Account ID of the current AWS account (not your Databricks account).
BucketName string: The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
RoleName string: The name of the AWS IAM role that you created in the previous step in the official documentation.
AwsPartition string: AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws
KmsName string: If encryption is enabled, provide the ARN of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.

AwsAccountId string: The Account ID of the current AWS account (not your Databricks account).
BucketName string: The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
RoleName string: The name of the AWS IAM role that you created in the previous step in the official documentation.
AwsPartition string: AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws
KmsName string: If encryption is enabled, provide the ARN of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.

awsAccountId String: The Account ID of the current AWS account (not your Databricks account).
bucketName String: The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
roleName String: The name of the AWS IAM role that you created in the previous step in the official documentation.
awsPartition String: AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws
kmsName String: If encryption is enabled, provide the ARN of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.

awsAccountId string: The Account ID of the current AWS account (not your Databricks account).
bucketName string: The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
roleName string: The name of the AWS IAM role that you created in the previous step in the official documentation.
awsPartition string: AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws
kmsName string: If encryption is enabled, provide the ARN of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.

aws_account_id str: The Account ID of the current AWS account (not your Databricks account).
bucket_name str: The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
role_name str: The name of the AWS IAM role that you created in the previous step in the official documentation.
aws_partition str: AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws
kms_name str: If encryption is enabled, provide the ARN of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.

awsAccountId String: The Account ID of the current AWS account (not your Databricks account).
bucketName String: The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
roleName String: The name of the AWS IAM role that you created in the previous step in the official documentation.
awsPartition String: AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws
kmsName String: If encryption is enabled, provide the ARN of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.

getAwsUnityCatalogPolicy Result

The following output properties are available:

AwsAccountId string
BucketName string
Id string: The provider-assigned unique ID for this managed resource.
Json string: AWS IAM Policy JSON document
RoleName string
AwsPartition string
KmsName string

AwsAccountId string
BucketName string
Id string: The provider-assigned unique ID for this managed resource.
Json string: AWS IAM Policy JSON document
RoleName string
AwsPartition string
KmsName string

awsAccountId String
bucketName String
id String: The provider-assigned unique ID for this managed resource.
json String: AWS IAM Policy JSON document
roleName String
awsPartition String
kmsName String

awsAccountId string
bucketName string
id string: The provider-assigned unique ID for this managed resource.
json string: AWS IAM Policy JSON document
roleName string
awsPartition string
kmsName string

aws_account_id str
bucket_name str
id str: The provider-assigned unique ID for this managed resource.
json str: AWS IAM Policy JSON document
role_name str
aws_partition str
kms_name str

awsAccountId String
bucketName String
id String: The provider-assigned unique ID for this managed resource.
json String: AWS IAM Policy JSON document
roleName String
awsPartition String
kmsName String

Package Details

Repository: databricks pulumi/pulumi-databricks
License: Apache-2.0
Notes: This Pulumi package is based on the databricks Terraform Provider.

Databricks v1.67.0 published on Thursday, Apr 17, 2025 by Pulumi

pulumi/pulumi-databricks

databricks.getAwsUnityCatalogPolicy

On this page

On this page

Example Usage

Using getAwsUnityCatalogPolicy

getAwsUnityCatalogPolicy Result

Package Details

On this page

On this page