databrickslabs · pritishpai · Aug 7, 2025 · Aug 7, 2025 · Aug 7, 2025 · Aug 7, 2025
@@ -240,6 +240,11 @@ def application_id(self) -> str:
         assert self._service_principal.application_id is not None
         return self._service_principal.application_id
 
+    @property
+    def id(self) -> str:
+        assert self._service_principal.id is not None
+        return self._service_principal.id
+
     def __repr__(self):
         return f'RunAs({self.display_name})'
 
@@ -339,8 +344,7 @@ def create(*, account_groups: list[str] | None = None):
         workspace_id = ws.get_workspace_id()
         service_principal = acc.service_principals.create(display_name=f'spn-{make_random()}')
         assert service_principal.id is not None
-        service_principal_id = int(service_principal.id)
-        created_secret = acc.service_principal_secrets.create(service_principal_id)
+        created_secret = acc.service_principal_secrets.create(service_principal.id)
         if account_groups:
             group_mapping = {}
             for group in acc.groups.list(attributes='id,displayName'):
@@ -354,15 +358,15 @@ def create(*, account_groups: list[str] | None = None):
                 acc.groups.patch(
                     group_id,
                     operations=[
-                        Patch(PatchOp.ADD, 'members', [ComplexValue(value=str(service_principal_id)).as_dict()]),
+                        Patch(PatchOp.ADD, 'members', [ComplexValue(value=str(service_principal.id)).as_dict()]),
                     ],
                     schemas=[PatchSchema.URN_IETF_PARAMS_SCIM_API_MESSAGES_2_0_PATCH_OP],
                 )
         permissions = [WorkspacePermission.USER]
-        acc.workspace_assignment.update(workspace_id, service_principal_id, permissions=permissions)
+        acc.workspace_assignment.update(workspace_id, int(service_principal.id), permissions=permissions)
         ws_as_spn = _make_workspace_client(ws, created_secret, service_principal)
 
-        log_account_link('account service principal', f'users/serviceprincipals/{service_principal_id}')
+        log_account_link('account service principal', f'users/serviceprincipals/{service_principal.id}')
 
         return RunAs(service_principal, ws_as_spn, env_or_skip)
 

@@ -7,9 +7,10 @@ def test_new_user(make_user, ws):
     assert home_dir.object_type == ObjectType.DIRECTORY
 
 
-def test_new_group(make_group, make_user, ws):
+def test_new_group(make_group, make_user, make_run_as, ws):
     user = make_user()
-    group = make_group(members=[user.id])
+    service_principal = make_run_as()
+    group = make_group(members=[user.id, service_principal.id])
     loaded = ws.groups.get(group.id)
     assert group.display_name == loaded.display_name
     assert group.members == loaded.members

@@ -5,7 +5,7 @@
 
 import pytest
 
-from databricks.labs.pytester.fixtures.iam import make_acc_group, make_group, make_user, Group
+from databricks.labs.pytester.fixtures.iam import make_acc_group, make_group, make_user, make_run_as, Group
 from databricks.labs.pytester.fixtures.unwrap import call_stateful, CallContext
 
 
@@ -17,6 +17,14 @@ def test_make_user_no_args() -> None:
     ctx['ws'].users.delete.assert_called_once()
 
 
+def test_make_run_as_no_args() -> None:
+    ctx, run_as = call_stateful(make_run_as)
+    assert ctx is not None
+    assert run_as is not None
+    ctx['acc'].service_principals.create.assert_called_once()
+    ctx['acc'].service_principals.delete.assert_called_once()
+
+
 def _setup_groups_api(call_context: CallContext, *, client_fixture_name: str) -> CallContext:
     """Minimum mocking of the specific client so that when a group is created it is also visible via the list() method.
     This is required because the make_group and make_acc_group fixtures double-check after creating a group to ensure