@databricks/sdk-keyconfigurations 0.0.0-dev → 0.1.0-dev.2
- package/LICENSE +203 -0
- package/dist/v1/client.d.ts +55 -0
- package/dist/v1/client.d.ts.map +1 -0
- package/dist/v1/client.js +163 -0
- package/dist/v1/client.js.map +1 -0
- package/dist/v1/index.d.ts +4 -0
- package/dist/v1/index.d.ts.map +1 -0
- package/dist/v1/index.js +4 -0
- package/dist/v1/index.js.map +1 -0
- package/dist/v1/model.d.ts +188 -0
- package/dist/v1/model.d.ts.map +1 -0
- package/dist/v1/model.js +186 -0
- package/dist/v1/model.js.map +1 -0
- package/dist/v1/transport.d.ts +5 -0
- package/dist/v1/transport.d.ts.map +1 -0
- package/dist/v1/transport.js +57 -0
- package/dist/v1/transport.js.map +1 -0
- package/dist/v1/utils.d.ts +21 -0
- package/dist/v1/utils.d.ts.map +1 -0
- package/dist/v1/utils.js +113 -0
- package/dist/v1/utils.js.map +1 -0
- package/package.json +38 -4
- package/src/v1/client.ts +209 -0
- package/src/v1/index.ts +22 -0
- package/src/v1/model.ts +373 -0
- package/src/v1/transport.ts +73 -0
- package/src/v1/utils.ts +156 -0
- package/README.md +0 -1
- package/index.js +0 -1
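--- a/package/src/v1/client.ts
+++ b/package/src/v1/client.ts
@@ -0,0 +1,209 @@
+// Code generated from API definition by Databricks SDK Generator. DO NOT EDIT.
+
+import {VERSION as AUTH_VERSION} from '@databricks/sdk-auth';
+import {createDefault} from '@databricks/sdk-core/clientinfo';
+import type {Logger} from '@databricks/sdk-core/logger';
+import {NoOpLogger} from '@databricks/sdk-core/logger';
+import type {CallOptions} from '@databricks/sdk-options/call';
+import type {ClientOptions} from '@databricks/sdk-options/client';
+import type {HttpClient} from '@databricks/sdk-core/http';
+import {newHttpClient} from './transport';
+import {
+buildHttpRequest,
+executeCall,
+executeHttpCall,
+marshalRequest,
+parseResponse,
+} from './utils';
+import pkgJson from '../../package.json' with {type: 'json'};
+import {z} from 'zod';
+import type {
+CreateCustomerManagedKeyRequest,
+CustomerManagedKey,
+DeleteCustomerManagedKeyRequest,
+GetCustomerManagedKeyRequest,
+ListCustomerManagedKeyRequest,
+ListCustomerManagedKeyResponse,
+} from './model';
+import {
+marshalCreateCustomerManagedKeyRequestSchema,
+unmarshalCustomerManagedKeySchema,
+} from './model';
+
+// Package identity segment for this client to be used in the User-Agent header.
+const PACKAGE_SEGMENT = {
+key: 'sdk-js-' + pkgJson.name.replace(/^@[^/]+\/sdk-/, ''),
+value: pkgJson.version,
+};
+
+export class KeyConfigurationsClient {
+private readonly host: string;
+// Fallback for endpoints whose path contains {account_id}. If the request
+// already carries an accountId, that value wins.
+private readonly accountId: string | undefined;
+private readonly httpClient: HttpClient;
+private readonly logger: Logger;
+// User-Agent header value. Composed once at construction from
+// createDefault() merged with this package's identity and the active
+// credential's name.
+private readonly userAgent: string;
+
+constructor(options: ClientOptions) {
+if (options.host === undefined) {
+throw new Error('Host is required.');
+}
+this.host = options.host.replace(/\/$/, '');
+this.accountId = options.accountId;
+this.logger = options.logger ?? new NoOpLogger();
+const info = createDefault()
+.with(PACKAGE_SEGMENT)
+.with({key: 'sdk-js-auth', value: AUTH_VERSION})
+.with({key: 'auth', value: options.credentials?.name() ?? 'default'});
+this.userAgent = info.toString();
+this.httpClient = newHttpClient(options);
+}
+
+/**
+* Creates a customer-managed key configuration object for an account, specified by ID.
+* This operation uploads a reference to a customer-managed key to <Databricks>.
+* If the key is assigned as a workspace's customer-managed key for managed services,
+* <Databricks> uses the key to encrypt the workspaces notebooks and secrets in the control plane,
+* in addition to Databricks SQL queries and query history. If it is specified as a
+* workspace's customer-managed key for workspace storage, the key encrypts the
+* workspace's root S3 bucket (which contains the workspace's root DBFS and system data)
+* and, optionally, cluster EBS volume data.
+*
+* **Important**: Customer-managed keys are supported only for some deployment types,
+* subscription types, and AWS regions that currently support creation of <Databricks> workspaces.
+*
+* This operation is available only if your account is on the E2 version of the
+* platform or on a select custom plan that allows multiple workspaces per account.
+*
+* **GCP only**: To create a customer-managed key on GCP, you must include the
+* `X-Databricks-GCP-SA-Access-Token` HTTP header in your request. This header must contain
+* a Google Cloud OAuth access token with the `cloud-platform` scope. The Google identity
+* associated with the token must also have the `setIamPermissions` and `getIamPermissions`
+* IAM permissions on the key resource. For details on obtaining this token, see
+* [Authenticate with Google ID tokens](https://docs.databricks.com/gcp/en/dev-tools/auth/authentication-google-id.html).
+*/
+async createCustomerManagedKeyPublic(
+req: CreateCustomerManagedKeyRequest,
+options?: CallOptions
+): Promise<CustomerManagedKey> {
+const url = `${this.host}/api/2.0/accounts/${req.accountId ?? this.accountId ?? ''}/customer-managed-keys`;
+const body = marshalRequest(
+req,
+marshalCreateCustomerManagedKeyRequestSchema
+);
+let resp: CustomerManagedKey | undefined;
+const call = async (callSignal?: AbortSignal): Promise<void> => {
+const headers = new Headers({'Content-Type': 'application/json'});
+headers.set('User-Agent', this.userAgent);
+const httpReq = buildHttpRequest('POST', url, headers, callSignal, body);
+const respBody = await executeHttpCall({
+request: httpReq,
+httpClient: this.httpClient,
+logger: this.logger,
+});
+resp = parseResponse(respBody, unmarshalCustomerManagedKeySchema);
+};
+await executeCall(call, options);
+if (resp === undefined) {
+throw new Error('operation completed without a result.');
+}
+return resp;
+}
+
+/** Deletes a customer-managed key configuration object for an account. You cannot delete a configuration that is associated with a running workspace. */
+async deleteCustomerManagedKeyPublic(
+req: DeleteCustomerManagedKeyRequest,
+options?: CallOptions
+): Promise<CustomerManagedKey> {
+const url = `${this.host}/api/2.0/accounts/${req.accountId ?? this.accountId ?? ''}/customer-managed-keys/${req.customerManagedKeyId ?? ''}`;
+let resp: CustomerManagedKey | undefined;
+const call = async (callSignal?: AbortSignal): Promise<void> => {
+const headers = new Headers();
+headers.set('User-Agent', this.userAgent);
+const httpReq = buildHttpRequest('DELETE', url, headers, callSignal);
+const respBody = await executeHttpCall({
+request: httpReq,
+httpClient: this.httpClient,
+logger: this.logger,
+});
+resp = parseResponse(respBody, unmarshalCustomerManagedKeySchema);
+};
+await executeCall(call, options);
+if (resp === undefined) {
+throw new Error('operation completed without a result.');
+}
+return resp;
+}
+
+/**
+* Gets a customer-managed key configuration object for an account, specified by ID.
+* This operation uploads a reference to a customer-managed key to <Databricks>.
+* If assigned as a workspace's customer-managed key for managed services, <Databricks> uses the
+* key to encrypt the workspaces notebooks and secrets in the control plane, in addition to
+* Databricks SQL queries and query history. If it is specified as a workspace's
+* customer-managed key for storage, the key encrypts the workspace's root S3 bucket
+* (which contains the workspace's root DBFS and system data) and, optionally, cluster EBS volume data.
+*
+* **Important**: Customer-managed keys are supported only for some deployment types,
+* subscription types, and AWS regions.
+*
+* This operation is available only if your account is on the E2 version of the platform.",
+*/
+async getCustomerManagedKeyPublic(
+req: GetCustomerManagedKeyRequest,
+options?: CallOptions
+): Promise<CustomerManagedKey> {
+const url = `${this.host}/api/2.0/accounts/${req.accountId ?? this.accountId ?? ''}/customer-managed-keys/${req.customerManagedKeyId ?? ''}`;
+let resp: CustomerManagedKey | undefined;
+const call = async (callSignal?: AbortSignal): Promise<void> => {
+const headers = new Headers();
+headers.set('User-Agent', this.userAgent);
+const httpReq = buildHttpRequest('GET', url, headers, callSignal);
+const respBody = await executeHttpCall({
+request: httpReq,
+httpClient: this.httpClient,
+logger: this.logger,
+});
+resp = parseResponse(respBody, unmarshalCustomerManagedKeySchema);
+};
+await executeCall(call, options);
+if (resp === undefined) {
+throw new Error('operation completed without a result.');
+}
+return resp;
+}
+
+/** Lists <Databricks> customer-managed key configurations for an account. */
+async listCustomerManagedKeyPublic(
+req: ListCustomerManagedKeyRequest,
+options?: CallOptions
+): Promise<ListCustomerManagedKeyResponse> {
+const url = `${this.host}/api/2.0/accounts/${req.accountId ?? this.accountId ?? ''}/customer-managed-keys`;
+let resp: ListCustomerManagedKeyResponse | undefined;
+const call = async (callSignal?: AbortSignal): Promise<void> => {
+const headers = new Headers();
+headers.set('User-Agent', this.userAgent);
+const httpReq = buildHttpRequest('GET', url, headers, callSignal);
+const respBody = await executeHttpCall({
+request: httpReq,
+httpClient: this.httpClient,
+logger: this.logger,
+});
+resp = {
+customerManagedKeys: parseResponse(
+respBody,
+z.array(z.lazy(() => unmarshalCustomerManagedKeySchema))
+),
+};
+};
+await executeCall(call, options);
+if (resp === undefined) {
+throw new Error('operation completed without a result.');
+}
+return resp;
+}
+}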
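Review bot: The URL templates in createCustomerManagedKeyPublic, deleteCustomerManagedKeyPublic, getCustomerManagedKeyPublic and listCustomerManagedKeyPublic interpolate `req.accountId ?? this.accountId ?? ''` and `req.customerManagedKeyId ?? ''` raw, so a caller that omits an id silently sends an authenticated request to a different path such as `/accounts//customer-managed-keys/` instead of failing, and an id containing `/`, `?` or `#` rewrites the path or query of a request that the transport wrapper will still sign with the account credentials. I would fail fast and encode in every method: `const accountId = req.accountId ?? this.accountId; if (accountId === undefined) throw new Error('accountId is required.');` followed by `.../accounts/${encodeURIComponent(accountId)}/customer-managed-keys/${encodeURIComponent(req.customerManagedKeyId)}` with the same undefined check on customerManagedKeyId; since the file is generator output, the change belongs in the generator template rather than here. Separately, the getCustomerManagedKeyPublic docstring is a copy of the create one ("This operation uploads a reference to a customer-managed key to <Databricks>." does not describe a GET) and ends with a stray `",`, and the create docstring instructs callers to send `X-Databricks-GCP-SA-Access-Token` while the method builds its own Headers and exposes no parameter for it — whether CallOptions can carry extra headers is not visible in this diff, so either document how to supply it or drop the instruction.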
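--- a/package/src/v1/index.ts
+++ b/package/src/v1/index.ts
@@ -0,0 +1,22 @@
+// Code generated from API definition by Databricks SDK Generator. DO NOT EDIT.
+
+export {KeyConfigurationsClient} from './client';
+
+export {CmkUseCase} from './model';
+
+export type {
+AwsKeyInfo,
+AzureKeyInfo,
+CreateAwsKeyInfo,
+CreateAzureKeyInfo,
+CreateCustomerManagedKeyRequest,
+CreateGcpKeyInfo,
+CustomerManagedKey,
+DeleteCustomerManagedKeyRequest,
+GcpKeyInfo,
+GcpServiceAccount,
+GetCustomerManagedKeyRequest,
+KeyAccessConfiguration,
+ListCustomerManagedKeyRequest,
+ListCustomerManagedKeyResponse,
+} from './model';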
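--- a/package/src/v1/model.ts
+++ b/package/src/v1/model.ts
@@ -0,0 +1,373 @@
+// Code generated from API definition by Databricks SDK Generator. DO NOT EDIT.
+
+import {z} from 'zod';
+
+export enum CmkUseCase {
+/** Encryption for the control plane resources. */
+MANAGED_SERVICES = 'MANAGED_SERVICES',
+/** Encryption for the customer cloud resources. */
+STORAGE = 'STORAGE',
+}
+
+export interface AwsKeyInfo {
+/** The AWS KMS key's Amazon Resource Name (ARN). */
+keyArn?: string | undefined;
+/** The AWS KMS key alias. */
+keyAlias?: string | undefined;
+/** The AWS KMS key region. */
+keyRegion?: string | undefined;
+/**
+* This field applies only if the `use_cases` property includes `STORAGE`. If this is set to true or omitted, the key is also used to encrypt
+* cluster EBS volumes. If you do not want to use this key for encrypting EBS volumes, set to false.
+*/
+reuseKeyForClusterVolumes?: boolean | undefined;
+}
+
+export interface AzureKeyInfo {
+/** The base URI of the KeyVault. */
+keyVaultUri?: string | undefined;
+/** The name of the key in KeyVault. */
+keyName?: string | undefined;
+/** The current key version. */
+version?: string | undefined;
+/** The tenant id where the KeyVault lives. */
+tenantId?: string | undefined;
+/**
+* The Disk Encryption Set id that is used to represent the key info used for
+* Managed Disk BYOK use case
+*/
+diskEncryptionSetId?: string | undefined;
+/**
+* The structure to store key access credential
+* This is set if the Managed Identity is being used to access the Azure Key Vault key.
+*/
+keyAccessConfiguration?: KeyAccessConfiguration | undefined;
+}
+
+export interface CreateAwsKeyInfo {
+/** The AWS KMS key's Amazon Resource Name (ARN). */
+keyArn?: string | undefined;
+/** The AWS KMS key alias. */
+keyAlias?: string | undefined;
+/** The AWS KMS key region. */
+keyRegion?: string | undefined;
+/**
+* This field applies only if the `use_cases` property includes `STORAGE`. If this is set to true or omitted, the key is also used to encrypt
+* cluster EBS volumes. If you do not want to use this key for encrypting EBS volumes, set to false.
+*/
+reuseKeyForClusterVolumes?: boolean | undefined;
+}
+
+export interface CreateAzureKeyInfo {
+/** The base URI of the KeyVault. */
+keyVaultUri?: string | undefined;
+/** The name of the key in KeyVault. */
+keyName?: string | undefined;
+/** The current key version. */
+version?: string | undefined;
+/** The tenant id where the KeyVault lives. */
+tenantId?: string | undefined;
+/**
+* The Disk Encryption Set id that is used to represent the key info used for
+* Managed Disk BYOK use case
+*/
+diskEncryptionSetId?: string | undefined;
+/**
+* The structure to store key access credential
+* This is set if the Managed Identity is being used to access the Azure Key Vault key.
+*/
+keyAccessConfiguration?: KeyAccessConfiguration | undefined;
+}
+
+export interface CreateCustomerManagedKeyRequest {
+accountId?: string | undefined;
+/**
+* (-- The key information. Exactly one of aws_key_info, gcp_key_info, or
+* azure_key_info must be set, matching the cloud of the account. --)
+*/
+keyInfo?:
+| {$case: 'awsKeyInfo'; awsKeyInfo: CreateAwsKeyInfo}
+| {$case: 'gcpKeyInfo'; gcpKeyInfo: CreateGcpKeyInfo}
+| {$case: 'azureKeyInfo'; azureKeyInfo: CreateAzureKeyInfo}
+| undefined;
+/** The cases that the key can be used for. */
+useCases?: CmkUseCase[] | undefined;
+}
+
+export interface CreateGcpKeyInfo {
+/**
+* Globally unique kms key resource id of the form
+* projects/testProjectId/locations/us-east4/keyRings/gcpCmkKeyRing/cryptoKeys/cmk-eastus4
+*/
+kmsKeyId?: string | undefined;
+/**
+* Globally unique service account email that has access to the KMS key.
+* The service account exists within the Databricks CP project.
+*/
+gcpServiceAccount?: GcpServiceAccount | undefined;
+/**
+* When true, <Databricks> will not use OAuth to grant the service account
+* access to the KMS key. The customer is responsible for granting access
+* manually.
+*/
+manual?: boolean | undefined;
+}
+
+export interface CustomerManagedKey {
+/** ID of the encryption key configuration object. */
+customerManagedKeyId?: string | undefined;
+/** Time in epoch milliseconds when the customer key was created. */
+creationTime?: bigint | undefined;
+/** The <Databricks> account ID that holds the customer-managed key. */
+accountId?: string | undefined;
+/**
+* (-- The key information, if aws_key_info is defined, it's a AWS Databricks object.
+* If azure_key_info is defined, it's an Azure Databricks customer key object. --)
+*/
+keyInfo?:
+| {$case: 'awsKeyInfo'; awsKeyInfo: AwsKeyInfo}
+| {$case: 'azureKeyInfo'; azureKeyInfo: AzureKeyInfo}
+| {$case: 'gcpKeyInfo'; gcpKeyInfo: GcpKeyInfo}
+| undefined;
+/** The cases that the key can be used for. */
+useCases?: CmkUseCase[] | undefined;
+}
+
+export interface DeleteCustomerManagedKeyRequest {
+/** <Databricks> encryption key configuration ID. */
+customerManagedKeyId?: string | undefined;
+accountId?: string | undefined;
+}
+
+export interface GcpKeyInfo {
+/**
+* Globally unique kms key resource id of the form
+* projects/testProjectId/locations/us-east4/keyRings/gcpCmkKeyRing/cryptoKeys/cmk-eastus4
+*/
+kmsKeyId?: string | undefined;
+/**
+* Globally unique service account email that has access to the KMS key.
+* The service account exists within the Databricks CP project.
+*/
+gcpServiceAccount?: GcpServiceAccount | undefined;
+/**
+* When true, <Databricks> will not use OAuth to grant the service account
+* access to the KMS key. The customer is responsible for granting access
+* manually.
+*/
+manual?: boolean | undefined;
+}
+
+export interface GcpServiceAccount {
+serviceAccountEmail?: string | undefined;
+}
+
+export interface GetCustomerManagedKeyRequest {
+/** <Databricks> encryption key configuration ID. */
+customerManagedKeyId?: string | undefined;
+accountId?: string | undefined;
+}
+
+/** The credential ID that is used to access the key vault. */
+export interface KeyAccessConfiguration {
+credentialId?: string | undefined;
+}
+
+export interface ListCustomerManagedKeyRequest {
+accountId?: string | undefined;
+}
+
+export interface ListCustomerManagedKeyResponse {
+customerManagedKeys?: CustomerManagedKey[] | undefined;
+}
+
+export const unmarshalAwsKeyInfoSchema: z.ZodType<AwsKeyInfo> = z
+.object({
+key_arn: z.string().optional(),
+key_alias: z.string().optional(),
+key_region: z.string().optional(),
+reuse_key_for_cluster_volumes: z.boolean().optional(),
+})
+.transform(d => ({
+keyArn: d.key_arn,
+keyAlias: d.key_alias,
+keyRegion: d.key_region,
+reuseKeyForClusterVolumes: d.reuse_key_for_cluster_volumes,
+}));
+
+export const unmarshalAzureKeyInfoSchema: z.ZodType<AzureKeyInfo> = z
+.object({
+key_vault_uri: z.string().optional(),
+key_name: z.string().optional(),
+version: z.string().optional(),
+tenant_id: z.string().optional(),
+disk_encryption_set_id: z.string().optional(),
+key_access_configuration: z
+.lazy(() => unmarshalKeyAccessConfigurationSchema)
+.optional(),
+})
+.transform(d => ({
+keyVaultUri: d.key_vault_uri,
+keyName: d.key_name,
+version: d.version,
+tenantId: d.tenant_id,
+diskEncryptionSetId: d.disk_encryption_set_id,
+keyAccessConfiguration: d.key_access_configuration,
+}));
+
+export const unmarshalCustomerManagedKeySchema: z.ZodType<CustomerManagedKey> =
+z
+.object({
+customer_managed_key_id: z.string().optional(),
+creation_time: z
+.union([z.number(), z.bigint()])
+.transform(v => BigInt(v))
+.optional(),
+account_id: z.string().optional(),
+aws_key_info: z.lazy(() => unmarshalAwsKeyInfoSchema).optional(),
+azure_key_info: z.lazy(() => unmarshalAzureKeyInfoSchema).optional(),
+gcp_key_info: z.lazy(() => unmarshalGcpKeyInfoSchema).optional(),
+use_cases: z.array(z.enum(CmkUseCase)).optional(),
+})
+.transform(d => ({
+customerManagedKeyId: d.customer_managed_key_id,
+creationTime: d.creation_time,
+accountId: d.account_id,
+keyInfo:
+d.aws_key_info !== undefined
+? {$case: 'awsKeyInfo' as const, awsKeyInfo: d.aws_key_info}
+: d.azure_key_info !== undefined
+? {$case: 'azureKeyInfo' as const, azureKeyInfo: d.azure_key_info}
+: d.gcp_key_info !== undefined
+? {$case: 'gcpKeyInfo' as const, gcpKeyInfo: d.gcp_key_info}
+: undefined,
+useCases: d.use_cases,
+}));
+
+export const unmarshalGcpKeyInfoSchema: z.ZodType<GcpKeyInfo> = z
+.object({
+kms_key_id: z.string().optional(),
+gcp_service_account: z
+.lazy(() => unmarshalGcpServiceAccountSchema)
+.optional(),
+manual: z.boolean().optional(),
+})
+.transform(d => ({
+kmsKeyId: d.kms_key_id,
+gcpServiceAccount: d.gcp_service_account,
+manual: d.manual,
+}));
+
+export const unmarshalGcpServiceAccountSchema: z.ZodType<GcpServiceAccount> = z
+.object({
+service_account_email: z.string().optional(),
+})
+.transform(d => ({
+serviceAccountEmail: d.service_account_email,
+}));
+
+export const unmarshalKeyAccessConfigurationSchema: z.ZodType<KeyAccessConfiguration> =
+z
+.object({
+credential_id: z.string().optional(),
+})
+.transform(d => ({
+credentialId: d.credential_id,
+}));
+
+export const marshalCreateAwsKeyInfoSchema: z.ZodType = z
+.object({
+keyArn: z.string().optional(),
+keyAlias: z.string().optional(),
+keyRegion: z.string().optional(),
+reuseKeyForClusterVolumes: z.boolean().optional(),
+})
+.transform(d => ({
+key_arn: d.keyArn,
+key_alias: d.keyAlias,
+key_region: d.keyRegion,
+reuse_key_for_cluster_volumes: d.reuseKeyForClusterVolumes,
+}));
+
+export const marshalCreateAzureKeyInfoSchema: z.ZodType = z
+.object({
+keyVaultUri: z.string().optional(),
+keyName: z.string().optional(),
+version: z.string().optional(),
+tenantId: z.string().optional(),
+diskEncryptionSetId: z.string().optional(),
+keyAccessConfiguration: z
+.lazy(() => marshalKeyAccessConfigurationSchema)
+.optional(),
+})
+.transform(d => ({
+key_vault_uri: d.keyVaultUri,
+key_name: d.keyName,
+version: d.version,
+tenant_id: d.tenantId,
+disk_encryption_set_id: d.diskEncryptionSetId,
+key_access_configuration: d.keyAccessConfiguration,
+}));
+
+export const marshalCreateCustomerManagedKeyRequestSchema: z.ZodType = z
+.object({
+accountId: z.string().optional(),
+keyInfo: z
+.discriminatedUnion('$case', [
+z.object({
+$case: z.literal('awsKeyInfo'),
+awsKeyInfo: z.lazy(() => marshalCreateAwsKeyInfoSchema),
+}),
+z.object({
+$case: z.literal('gcpKeyInfo'),
+gcpKeyInfo: z.lazy(() => marshalCreateGcpKeyInfoSchema),
+}),
+z.object({
+$case: z.literal('azureKeyInfo'),
+azureKeyInfo: z.lazy(() => marshalCreateAzureKeyInfoSchema),
+}),
+])
+.optional(),
+useCases: z.array(z.enum(CmkUseCase)).optional(),
+})
+.transform(d => ({
+account_id: d.accountId,
+...(d.keyInfo?.$case === 'awsKeyInfo' && {
+aws_key_info: d.keyInfo.awsKeyInfo,
+}),
+...(d.keyInfo?.$case === 'gcpKeyInfo' && {
+gcp_key_info: d.keyInfo.gcpKeyInfo,
+}),
+...(d.keyInfo?.$case === 'azureKeyInfo' && {
+azure_key_info: d.keyInfo.azureKeyInfo,
+}),
+use_cases: d.useCases,
+}));
+
+export const marshalCreateGcpKeyInfoSchema: z.ZodType = z
+.object({
+kmsKeyId: z.string().optional(),
+gcpServiceAccount: z.lazy(() => marshalGcpServiceAccountSchema).optional(),
+manual: z.boolean().optional(),
+})
+.transform(d => ({
+kms_key_id: d.kmsKeyId,
+gcp_service_account: d.gcpServiceAccount,
+manual: d.manual,
+}));
+
+export const marshalGcpServiceAccountSchema: z.ZodType = z
+.object({
+serviceAccountEmail: z.string().optional(),
+})
+.transform(d => ({
+service_account_email: d.serviceAccountEmail,
+}));
+
+export const marshalKeyAccessConfigurationSchema: z.ZodType = z
+.object({
+credentialId: z.string().optional(),
+})
+.transform(d => ({
+credential_id: d.credentialId,
+}));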
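--- a/package/src/v1/transport.ts
+++ b/package/src/v1/transport.ts
@@ -0,0 +1,73 @@
+// Code generated from API definition by Databricks SDK Generator. DO NOT EDIT.
+
+import type {Credentials} from '@databricks/sdk-auth';
+import {defaultCredentials} from '@databricks/sdk-auth/credentials';
+import type {
+HttpClient,
+HttpRequest,
+HttpResponse,
+} from '@databricks/sdk-core/http';
+import {newFetchHttpClient} from '@databricks/sdk-core/http';
+import type {ClientOptions} from '@databricks/sdk-options/client';
+
+/** Creates a new HTTP client with the given options. */
+export function newHttpClient(options?: ClientOptions): HttpClient {
+const opts = options ?? {};
+
+// If an HTTP client is provided, use it as-is. Throw if other options are
+// also set, since they would be silently ignored.
+if (opts.httpClient !== undefined) {
+if (opts.credentials !== undefined || opts.timeout !== undefined) {
+throw new Error(
+'httpClient cannot be combined with credentials or timeout'
+);
+}
+return opts.httpClient;
+}
+
+const credentials = opts.credentials ?? defaultCredentials();
+
+const base = newFetchHttpClient();
+let client: HttpClient = new AuthHttpClient(base, credentials);
+
+if (opts.timeout !== undefined) {
+client = new TimeoutHttpClient(client, opts.timeout);
+}
+
+return client;
+}
+
+/** Wraps an HttpClient and adds authentication headers to requests. */
+class AuthHttpClient implements HttpClient {
+constructor(
+private readonly base: HttpClient,
+private readonly credentials: Credentials
+) {}
+
+async send(request: HttpRequest): Promise<HttpResponse> {
+const authHeaders = await this.credentials.authHeaders();
+// Do not modify the original request.
+const headers = new Headers(request.headers);
+for (const h of authHeaders) {
+headers.set(h.key, h.value);
+}
+return this.base.send({...request, headers});
+}
+}
+
+/** Wraps an HttpClient and applies a default timeout to requests. */
+class TimeoutHttpClient implements HttpClient {
+constructor(
+private readonly base: HttpClient,
+private readonly timeout: number
+) {}
+
+async send(request: HttpRequest): Promise<HttpResponse> {
+const timeoutSignal = AbortSignal.timeout(this.timeout);
+const signal =
+request.signal !== undefined
+? AbortSignal.any([request.signal, timeoutSignal])
+: timeoutSignal;
+return this.base.send({...request, signal});
+}
+}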
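Review bot: The timeout installed by TimeoutHttpClient.send does not bound credential acquisition: newHttpClient wraps the AuthHttpClient in the TimeoutHttpClient, so AuthHttpClient.send awaits `this.credentials.authHeaders()` before `this.base.send({...request, headers})` ever receives the signal, and a stalled token exchange hangs the call while the `AbortSignal.timeout` timer only takes effect once the HTTP request starts. Unless Credentials.authHeaders accepts a signal (its interface is not visible in this diff), I would at least state the contract on newHttpClient: `/** opts.timeout bounds the HTTP exchange only; credential acquisition in Credentials.authHeaders() is not subject to it. */`. AuthHttpClient also attaches the account credentials to every request it is handed regardless of destination; the generated client always targets options.host, but if the fetch-based base client follows cross-origin redirects, confirm the Authorization header is dropped on the hop and say so in the class comment. `AbortSignal.any` and `AbortSignal.timeout` require Node 20+, and the package's engines field is not in this chunk, so check it matches.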