Skip to main content

unitycatalog_common/models/_gen/
unitycatalog.credentials.v1.rs

1// @generated
2// This file is @generated by prost-build.
3/// The Azure service principal configuration.
4#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
5#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
6pub struct AzureServicePrincipal {
7    /// The directory ID corresponding to the Azure Active Directory (AAD) tenant of the application.
8    #[prost(string, tag="1")]
9    pub directory_id: ::prost::alloc::string::String,
10    /// The application ID of the application registration within the referenced AAD tenant.
11    #[prost(string, tag="2")]
12    pub application_id: ::prost::alloc::string::String,
13    #[prost(oneof="azure_service_principal::Credential", tags="3, 5")]
14    pub credential: ::core::option::Option<azure_service_principal::Credential>,
15}
16/// Nested message and enum types in `AzureServicePrincipal`.
17pub mod azure_service_principal {
18    #[cfg_attr(feature = "python", ::pyo3::pyclass)]
19    #[derive(Clone, PartialEq, Eq, Hash, ::prost::Oneof)]
20    pub enum Credential {
21        /// The client secret generated for the above app ID in AAD.
22        #[prost(string, tag="3")]
23        ClientSecret(::prost::alloc::string::String),
24        /// Location of the file containing a federated token.
25        ///
26        /// Specifically useful for workload identity federation.
27        #[prost(string, tag="5")]
28        FederatedTokenFile(::prost::alloc::string::String),
29    }
30}
31/// The Azure managed identity configuration.
32#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
33#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
34pub struct AzureManagedIdentity {
35    /// The Azure resource ID of the Azure Databricks Access Connector.
36    /// Use the format /subscriptions/{guid}/resourceGroups/{rg-name}/providers/
37    /// Microsoft.Databricks/accessConnectors/{connector-name}.
38    #[prost(string, tag="1")]
39    pub access_connector_id: ::prost::alloc::string::String,
40    /// The Databricks internal ID that represents this managed identity.
41    #[prost(string, optional, tag="2")]
42    pub credential_id: ::core::option::Option<::prost::alloc::string::String>,
43    /// The Azure resource ID of the managed identity.
44    /// Use the format /subscriptions/{guid}/resourceGroups/{rg-name}/providers/
45    /// Microsoft.ManagedIdentity/userAssignedIdentities/{identity-name}.
46    /// This is only available for user-assigned identities. For system-assigned
47    /// identities, the access_connector_id is used to identify the identity.
48    /// If this field is not provided, then the system-assigned identity of the
49    /// Access Connector is used.
50    #[prost(string, optional, tag="3")]
51    pub managed_identity_id: ::core::option::Option<::prost::alloc::string::String>,
52}
53/// The Azure storage key configuration.
54#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
55#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
56pub struct AzureStorageKey {
57    /// The name of the storage account.
58    #[prost(string, tag="1")]
59    pub account_name: ::prost::alloc::string::String,
60    /// The account key of the storage account.
61    #[prost(string, tag="2")]
62    pub account_key: ::prost::alloc::string::String,
63}
64/// The AWS IAM role configuration used server-side to call STS AssumeRole.
65///
66/// This is an internal configuration type, not exposed in the public API response.
67/// It stores the static credentials (or ambient credential fallback) used to
68/// authorize the STS:AssumeRole call when vending temporary credentials.
69#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
70#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
71pub struct AwsIamRoleConfig {
72    /// The Amazon Resource Name (ARN) of the AWS IAM role used to vend temporary credentials.
73    #[prost(string, tag="1")]
74    pub role_arn: ::prost::alloc::string::String,
75    /// The AWS region where STS calls are made. Defaults to "us-east-1" if absent.
76    #[prost(string, optional, tag="2")]
77    pub region: ::core::option::Option<::prost::alloc::string::String>,
78    /// AWS access key ID used to authorize the STS AssumeRole call.
79    ///
80    /// When set together with secret_access_key, these static credentials are used
81    /// as the base identity to call STS:AssumeRole. When omitted, the server falls
82    /// back to ambient credentials (instance profile, ECS task role, WebIdentity, etc.).
83    #[prost(string, optional, tag="3")]
84    pub access_key_id: ::core::option::Option<::prost::alloc::string::String>,
85    /// AWS secret access key paired with access_key_id.
86    #[prost(string, optional, tag="4")]
87    pub secret_access_key: ::core::option::Option<::prost::alloc::string::String>,
88    /// Optional AWS session token for temporary base credentials (e.g. when the
89    /// caller itself holds STS-vended credentials as the base identity).
90    #[prost(string, optional, tag="5")]
91    pub session_token: ::core::option::Option<::prost::alloc::string::String>,
92}
93/// The AWS IAM role configuration returned in credential responses.
94#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
95#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
96pub struct AwsIamRole {
97    /// The external ID used in role assumption to prevent the confused deputy problem.
98    #[prost(string, tag="1")]
99    pub external_id: ::prost::alloc::string::String,
100    /// The Amazon Resource Name (ARN) of the AWS IAM role used to vend temporary credentials.
101    #[prost(string, tag="2")]
102    pub role_arn: ::prost::alloc::string::String,
103    /// The Amazon Resource Name (ARN) of the AWS IAM user managed by Databricks.
104    /// This is the identity that is going to assume the AWS IAM role.
105    #[prost(string, tag="3")]
106    pub unity_catalog_iam_arn: ::prost::alloc::string::String,
107}
108/// The Databricks managed GCP service account configuration.
109#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
110#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
111pub struct DatabricksGcpServiceAccount {
112    /// The Databricks internal ID that represents this managed identity.
113    #[prost(string, optional, tag="1")]
114    pub credential_id: ::core::option::Option<::prost::alloc::string::String>,
115    /// The email of the service account.
116    #[prost(string, optional, tag="2")]
117    pub email: ::core::option::Option<::prost::alloc::string::String>,
118    /// The ID that represents the private key for this Service Account.
119    #[prost(string, optional, tag="3")]
120    pub private_key_id: ::core::option::Option<::prost::alloc::string::String>,
121}
122/// A credential used to access external data sources or services.
123#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
124#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
125pub struct Credential {
126    /// The credential name.
127    ///
128    /// The name must be unique among storage and service credentials within the metastore.
129    #[prost(string, tag="1")]
130    pub name: ::prost::alloc::string::String,
131    /// The unique identifier of the credential.
132    #[prost(string, optional, tag="2")]
133    pub id: ::core::option::Option<::prost::alloc::string::String>,
134    /// Indicates the purpose of the credential.
135    #[prost(enumeration="Purpose", tag="3")]
136    pub purpose: i32,
137    /// Whether the credential is usable only for read operations.
138    ///
139    /// Only applicable when purpose is STORAGE.
140    #[prost(bool, tag="4")]
141    pub read_only: bool,
142    /// Comment associated with the credential.
143    #[prost(string, optional, tag="5")]
144    pub comment: ::core::option::Option<::prost::alloc::string::String>,
145    /// Username of current owner of credential.
146    #[prost(string, optional, tag="6")]
147    pub owner: ::core::option::Option<::prost::alloc::string::String>,
148    /// Time at which this credential was created, in epoch milliseconds.
149    #[prost(int64, optional, tag="7")]
150    pub created_at: ::core::option::Option<i64>,
151    /// Username of credential creator.
152    #[prost(string, optional, tag="8")]
153    pub created_by: ::core::option::Option<::prost::alloc::string::String>,
154    /// Time at which this credential was last modified, in epoch milliseconds.
155    #[prost(int64, optional, tag="9")]
156    pub updated_at: ::core::option::Option<i64>,
157    /// Username of user who last modified the credential.
158    #[prost(string, optional, tag="10")]
159    pub updated_by: ::core::option::Option<::prost::alloc::string::String>,
160    /// Whether this credential is the current metastore's root storage credential.
161    ///
162    /// Only applicable when purpose is STORAGE.
163    #[prost(bool, tag="11")]
164    pub used_for_managed_storage: bool,
165    /// The full name of the credential.
166    #[prost(string, optional, tag="12")]
167    pub full_name: ::core::option::Option<::prost::alloc::string::String>,
168    /// The Azure service principal configuration.
169    ///
170    /// Sealed into the object's inline sensitive blob (envelope-encrypted, redacted
171    /// from ordinary reads) rather than stored in the searchable properties.
172    #[prost(message, optional, tag="100")]
173    pub azure_service_principal: ::core::option::Option<AzureServicePrincipal>,
174    /// The Azure managed identity configuration.
175    #[prost(message, optional, tag="101")]
176    pub azure_managed_identity: ::core::option::Option<AzureManagedIdentity>,
177    /// The Azure storage key configuration.
178    #[prost(message, optional, tag="102")]
179    pub azure_storage_key: ::core::option::Option<AzureStorageKey>,
180    /// The AWS IAM role configuration.
181    #[prost(message, optional, tag="103")]
182    pub aws_iam_role: ::core::option::Option<AwsIamRoleConfig>,
183    /// The Databricks managed GCP service account configuration.
184    #[prost(message, optional, tag="104")]
185    pub databricks_gcp_service_account: ::core::option::Option<DatabricksGcpServiceAccount>,
186}
187/// The purpose of a credential.
188#[cfg_attr(feature = "python", ::pyo3::pyclass)]
189#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
190#[repr(i32)]
191pub enum Purpose {
192    Unspecified = 0,
193    /// The credential is used to access external storage locations.
194    Storage = 1,
195    /// The credential is used to access external services.
196    Service = 2,
197}
198impl Purpose {
199    /// String value of the enum field names used in the ProtoBuf definition.
200    ///
201    /// The values are not transformed in any way and thus are considered stable
202    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
203    pub fn as_str_name(&self) -> &'static str {
204        match self {
205            Self::Unspecified => "PURPOSE_UNSPECIFIED",
206            Self::Storage => "STORAGE",
207            Self::Service => "SERVICE",
208        }
209    }
210    /// Creates an enum from field names used in the ProtoBuf definition.
211    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
212        match value {
213            "PURPOSE_UNSPECIFIED" => Some(Self::Unspecified),
214            "STORAGE" => Some(Self::Storage),
215            "SERVICE" => Some(Self::Service),
216            _ => None,
217        }
218    }
219}
220#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
221#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
222pub struct ListCredentialsRequest {
223    /// Return only credentials for the specified purpose.
224    #[prost(enumeration="Purpose", optional, tag="1")]
225    pub purpose: ::core::option::Option<i32>,
226    /// The maximum number of results per page that should be returned.
227    #[prost(int32, optional, tag="2")]
228    pub max_results: ::core::option::Option<i32>,
229    /// Opaque pagination token to go to next page based on previous query.
230    #[prost(string, optional, tag="3")]
231    pub page_token: ::core::option::Option<::prost::alloc::string::String>,
232}
233#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
234#[derive(Clone, PartialEq, ::prost::Message)]
235pub struct ListCredentialsResponse {
236    /// The credentials returned.
237    #[prost(message, repeated, tag="1")]
238    pub credentials: ::prost::alloc::vec::Vec<Credential>,
239    /// The next_page_token value to include in the next List request.
240    #[prost(string, optional, tag="2")]
241    pub next_page_token: ::core::option::Option<::prost::alloc::string::String>,
242}
243/// Create a new credential.
244#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
245#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
246pub struct CreateCredentialRequest {
247    /// The credential name. The name must be unique among storage and service credentials within the metastore.
248    #[prost(string, tag="1")]
249    pub name: ::prost::alloc::string::String,
250    /// Indicates the purpose of the credential.
251    #[prost(enumeration="Purpose", tag="2")]
252    pub purpose: i32,
253    /// Comment associated with the credential.
254    #[prost(string, optional, tag="3")]
255    pub comment: ::core::option::Option<::prost::alloc::string::String>,
256    /// Whether the credential is usable only for read operations. Only applicable when purpose is STORAGE.
257    #[prost(bool, optional, tag="4")]
258    pub read_only: ::core::option::Option<bool>,
259    /// Optional. Supplying true to this argument skips validation of the created set of credentials.
260    #[prost(bool, optional, tag="5")]
261    pub skip_validation: ::core::option::Option<bool>,
262    /// The Azure service principal configuration.
263    #[prost(message, optional, tag="100")]
264    pub azure_service_principal: ::core::option::Option<AzureServicePrincipal>,
265    /// The Azure managed identity configuration.
266    #[prost(message, optional, tag="101")]
267    pub azure_managed_identity: ::core::option::Option<AzureManagedIdentity>,
268    /// The Azure storage key configuration.
269    #[prost(message, optional, tag="102")]
270    pub azure_storage_key: ::core::option::Option<AzureStorageKey>,
271    /// The AWS IAM role configuration.
272    #[prost(message, optional, tag="103")]
273    pub aws_iam_role: ::core::option::Option<AwsIamRoleConfig>,
274    /// The Databricks managed GCP service account configuration.
275    #[prost(message, optional, tag="104")]
276    pub databricks_gcp_service_account: ::core::option::Option<DatabricksGcpServiceAccount>,
277}
278/// Get a credential.
279#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
280#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
281pub struct GetCredentialRequest {
282    /// Name of credential.
283    #[prost(string, tag="1")]
284    pub name: ::prost::alloc::string::String,
285}
286/// Update a credential.
287#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
288#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
289pub struct UpdateCredentialRequest {
290    /// Name of credential.
291    #[prost(string, tag="1")]
292    pub name: ::prost::alloc::string::String,
293    /// New name of the credential.
294    #[prost(string, optional, tag="2")]
295    pub new_name: ::core::option::Option<::prost::alloc::string::String>,
296    /// Comment associated with the credential.
297    #[prost(string, optional, tag="3")]
298    pub comment: ::core::option::Option<::prost::alloc::string::String>,
299    /// Whether the credential is usable only for read operations. Only applicable when purpose is STORAGE.
300    #[prost(bool, optional, tag="4")]
301    pub read_only: ::core::option::Option<bool>,
302    /// Username of current owner of credential.
303    #[prost(string, optional, tag="5")]
304    pub owner: ::core::option::Option<::prost::alloc::string::String>,
305    /// Supply true to this argument to skip validation of the updated credential.
306    #[prost(bool, optional, tag="6")]
307    pub skip_validation: ::core::option::Option<bool>,
308    /// Force an update even if there are dependent services (when purpose is SERVICE)
309    /// or dependent external locations and external tables (when purpose is STORAGE).
310    #[prost(bool, optional, tag="7")]
311    pub force: ::core::option::Option<bool>,
312    /// The Azure service principal configuration.
313    #[prost(message, optional, tag="100")]
314    pub azure_service_principal: ::core::option::Option<AzureServicePrincipal>,
315    /// The Azure managed identity configuration.
316    #[prost(message, optional, tag="101")]
317    pub azure_managed_identity: ::core::option::Option<AzureManagedIdentity>,
318    /// The Azure storage key configuration.
319    #[prost(message, optional, tag="102")]
320    pub azure_storage_key: ::core::option::Option<AzureStorageKey>,
321    /// The AWS IAM role configuration.
322    #[prost(message, optional, tag="103")]
323    pub aws_iam_role: ::core::option::Option<AwsIamRoleConfig>,
324    /// The Databricks managed GCP service account configuration.
325    #[prost(message, optional, tag="104")]
326    pub databricks_gcp_service_account: ::core::option::Option<DatabricksGcpServiceAccount>,
327}
328/// Delete a credential.
329#[cfg_attr(feature = "python", ::pyo3::pyclass(get_all, set_all))]
330#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
331pub struct DeleteCredentialRequest {
332    /// Name of credential.
333    #[prost(string, tag="1")]
334    pub name: ::prost::alloc::string::String,
335}
336include!("unitycatalog.credentials.v1.serde.rs");
337// @@protoc_insertion_point(module)