terraform-provider-databricks
[DOC] Run Databricks Azure Git Job as Service Principal not possible
Affected Resource(s)
databricks_job databricks_git_credential
Expected Details
I have used Terraform to create a Databricks Job in my workspace. Without explicitly specifying the run_as block in the job specification, the job is run by the Service Principal that was used for creating the job through Terraform. It is also possible to explicitly specify a Service Principal for the run_as parameter. However, there seems to be no way for such an account to obtain an Azure DevOps PAT to use in their AzureDevOpsServices git_credentials. It is only possible for them to create an Azure AD token (see included Factoids below). This token usually has a short lifetime and will not work as a static token in git credentials, because it would require a new token for every interaction with the repo.
It is therefore not possible for a Service Principal to run any job that includes running code sourced from an Azure DevOps Git Repository. The job will fail with an error that it does not have permission to check out the Git repository. This limitation is not mentioned anywhere in either the databricks_job or databricks_git_credential resources.
List of things to potentially add/remove:
- [ ] Specify that Azure Service Principals cannot create PAT tokens and therefore cannot create their own git_credentials
- [ ] Specify that running a job that sources code from an AzureDevOpsServices repo cannot be performed by a Service Principal due to the limitation above
Important Factoids
This Microsoft article specifies that "Service principals can't create tokens, like personal access tokens (PATs) or SSH Keys. They can generate their own Azure AD tokens and these tokens can be used to call Azure DevOps REST APIs." (located just above the FAQ section).
The same article also includes the question "Q: Can I use a service principal to do git operations, like clone a repo?", to which the answer is to generate a (short lifetime) Azure AD token for git operations.
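For readers who want to reproduce the situation described in this issue, the following Terraform configuration is an added illustration (it is not part of the original report or of the provider's documentation). It shows the shape of the setup the report refers to: a job with an explicit run_as service principal whose code is sourced from an Azure DevOps repository, next to a databricks_git_credential that belongs to the identity applying the configuration rather than to the service principal. All names, the application id, the repository URL and the variables are placeholders.

```terraform
# Added example, not from the original issue. Every name, id and URL below is a placeholder.

variable "ado_pat" {
  description = "Azure DevOps PAT of the human user applying this config (placeholder)"
  type        = string
  sensitive   = true
}

variable "cluster_id" {
  description = "Id of an existing cluster the job task runs on (placeholder)"
  type        = string
}

# The service principal the job should run as. On Azure, application_id is the
# Azure AD application (client) id; the value here is a dummy.
resource "databricks_service_principal" "job_runner" {
  application_id = "00000000-0000-0000-0000-000000000000"
  display_name   = "job-runner"
}

# A git credential is bound to the identity that creates it. This one belongs to
# the user whose token applies the Terraform config. The service principal above
# would need an equivalent credential of its own, but it cannot obtain a PAT.
resource "databricks_git_credential" "ado" {
  git_username          = "user@example.com"
  git_provider          = "azureDevOpsServices"
  personal_access_token = var.ado_pat
}

resource "databricks_job" "from_ado" {
  name = "checkout-from-azure-devops"

  # Explicit run_as: the job executes, and checks out the repository, as this
  # service principal, not as the identity that applied the configuration.
  run_as {
    service_principal_name = databricks_service_principal.job_runner.application_id
  }

  git_source {
    url      = "https://dev.azure.com/example-org/example-project/_git/example-repo"
    provider = "azureDevOpsServices"
    branch   = "main"
  }

  task {
    task_key            = "run_notebook"
    existing_cluster_id = var.cluster_id

    notebook_task {
      notebook_path = "notebooks/main"
      source        = "GIT"
    }
  }
}
```

The point to check before relying on this layout: the repository checkout at run time uses the git credential of the run_as identity, not the credential of whoever applied the configuration. With a service principal in run_as and an AzureDevOpsServices repository, there is no PAT-backed credential that identity can own, so the checkout fails with the permission error described above.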