Document output attributes in databricks_storage_credential (#5093)

alexott · web-flow · commit 06a7422ba2da · 2025-10-15T07:46:58.000Z
## Changes
&lt;!-- Summary of your changes that are easy to understand --&gt;

For unknown reason, the `aws_iam_role.external_id` wasn't documented
although was used in the examples. Fixing that problem

## Tests
&lt;!--
How is this tested? Please see the checklist below and also describe any
other relevant tests
--&gt;

- [x] `make test` run locally
- [x] relevant change in `docs/` folder
- [x] has entry in `NEXT_CHANGELOG.md` file
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -5,7 +5,7 @@
 ### Breaking Changes
 
 * Remove stale resources/datasources/documentation related to Clean Room services.
-  
+
 ### New Features and Improvements
 
 * Add `arm` option to `databricks_node_type` instead of `graviton` ([#5028](https://github.com/databricks/terraform-provider-databricks/pull/5028))
@@ -18,6 +18,7 @@
 ### Documentation
 
 * Add instructions for migration from deprecated `databricks_catalog_workspace_binding` to `databricks_workspace_binding` ([#5054](https://github.com/databricks/terraform-provider-databricks/pull/5054))
+* Document output attributes in `databricks_storage_credential` ([#5093](https://github.com/databricks/terraform-provider-databricks/pull/5093))
 
 ### Exporter
 
diff --git a/docs/resources/storage_credential.md b/docs/resources/storage_credential.md
@@ -86,7 +86,7 @@ The following arguments are required:
 
 `aws_iam_role` optional configuration block for credential details for AWS:
 
-- `role_arn` - The Amazon Resource Name (ARN) of the AWS IAM role for S3 data access, of the form `arn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF`
+- `role_arn` - The Amazon Resource Name (ARN) of the AWS IAM role for S3 data access, of the form `arn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF`.
 
 `azure_managed_identity` optional configuration block for using managed identity as credential details for Azure (recommended over service principal):
 
@@ -116,6 +116,10 @@ In addition to all arguments above, the following attributes are exported:
 
 - `id` - ID of this storage credential - same as the `name`.
 - `storage_credential_id` - Unique ID of storage credential.
+- `aws_iam_role` exposes two additional attributes:
+
+  - `external_id` - The external ID used in role assumption to prevent the confused deputy problem.
+  - `unity_catalog_iam_arn` - The Amazon Resource Name (ARN) of the AWS IAM user managed by Databricks. This is the identity that is going to assume the AWS IAM role.
 
 ## Import
 
@@ -144,5 +148,5 @@ Alternatively, when using `terraform` version 1.4 or earlier, import using the `
 terraform import databricks_storage_credential.this <storage_credential_name>
 
 # When using an account-level provider
-terraform import databricks_storage_credential.this <metastore_id>|<storage_credential_name>
+terraform import databricks_storage_credential.this '<metastore_id>|<storage_credential_name>'
 ```
