databricks · iammuntazirali · Jan 30, 2026
@@ -0,0 +1,11 @@
+bundle:
+  name: "run_as"
+
+run_as:
+  service_principal_name: "my_service_principal"
+
+resources:
+  dashboards:
+    my_dashboard:
+      display_name: "Dashboard with embed"
+      embed_credentials: true
@@ -0,0 +1,12 @@
+Error: dashboards with embed_credentials set to true do not support a run_as identity that is different from the owner.
+Current identity: [USERNAME]. Run as identity: my_service_principal.
+See https://docs.databricks.com/dev-tools/bundles/run-as.html to learn more about the run_as property.
+  in databricks.yml:9:5
+
+Name: run_as
+Target: default
+Workspace:
+  User: [USERNAME]
+  Path: /Workspace/Users/[USERNAME]/.bundle/run_as/default
+
+Found 1 error
@@ -0,0 +1 @@
+musterr $CLI bundle validate
@@ -0,0 +1,11 @@
+bundle:
+  name: "run_as"
+
+run_as:
+  service_principal_name: "my_service_principal"
+
+resources:
+  dashboards:
+    my_dashboard:
+      display_name: "Dashboard without embed"
+      embed_credentials: false
@@ -0,0 +1,7 @@
+Name: run_as
+Target: default
+Workspace:
+  User: [USERNAME]
+  Path: /Workspace/Users/[USERNAME]/.bundle/run_as/default
+
+Validation OK!
@@ -0,0 +1 @@
+$CLI bundle validate
@@ -101,14 +101,21 @@ func validateRunAs(b *bundle.Bundle) diag.Diagnostics {
 		))
 	}
 
-	// Dashboards do not support run_as in the API.
-	if len(b.Config.Resources.Dashboards) > 0 {
-		diags = diags.Extend(reportRunAsNotSupported(
-			"dashboards",
-			b.Config.GetLocation("resources.dashboards"),
-			b.Config.Workspace.CurrentUser.UserName,
-			identity,
-		))
+	// Dashboards with embed_credentials set to true do not support run_as in the API.
+	// When embed_credentials is false (the default), the dashboard does not embed
+	// the owner's credentials, so run_as is irrelevant and we allow it.
+	for key, dashboard := range b.Config.Resources.Dashboards {
+		if dashboard.EmbedCredentials {
+			diags = diags.Extend(diag.Diagnostics{{
+				Summary: fmt.Sprintf("dashboards with embed_credentials set to true do not support a run_as identity "+
+					"that is different from the owner.\n"+
+					"Current identity: %s. Run as identity: %s.\n"+
+					"See https://docs.databricks.com/dev-tools/bundles/run-as.html to learn more about the run_as property.",
+					b.Config.Workspace.CurrentUser.UserName, identity),
+				Locations: []dyn.Location{b.Config.GetLocation(fmt.Sprintf("resources.dashboards.%s", key))},
+				Severity:  diag.Error,
+			}})
+		}
 	}
 
 	// Apps do not support run_as in the API.

@@ -159,6 +159,7 @@ func TestRunAsWorksForAllowedResources(t *testing.T) {
 var allowList = []string{
 	"alerts",
 	"clusters",
+	"dashboards",
 	"database_catalogs",
 	"database_instances",
 	"synced_database_tables",
@@ -277,3 +278,69 @@ func TestRunAsNoErrorForSupportedResources(t *testing.T) {
 		require.NoError(t, diags.Error())
 	}
 }
+
+func TestRunAsErrorForDashboardsWithEmbedCredentials(t *testing.T) {
+	config := config.Root{
+		Workspace: config.Workspace{
+			CurrentUser: &config.User{
+				User: &iam.User{
+					UserName: "alice",
+				},
+			},
+		},
+		RunAs: &jobs.JobRunAs{
+			UserName: "bob",
+		},
+		Resources: config.Resources{
+			Dashboards: map[string]*resources.Dashboard{
+				"dash_with_embed": {
+					DashboardConfig: resources.DashboardConfig{
+						DisplayName:      "Dashboard with embed",
+						EmbedCredentials: true,
+					},
+				},
+			},
+		},
+	}
+
+	b := &bundle.Bundle{
+		Config: config,
+	}
+
+	diags := bundle.Apply(context.Background(), b, SetRunAs())
+	require.Error(t, diags.Error())
+	assert.Contains(t, diags.Error().Error(), "dashboards with embed_credentials set to true do not support a run_as identity")
+	assert.Contains(t, diags.Error().Error(), "Current identity: alice. Run as identity: bob.")
+}
+
+func TestRunAsAllowsDashboardsWithoutEmbedCredentials(t *testing.T) {
+	config := config.Root{
+		Workspace: config.Workspace{
+			CurrentUser: &config.User{
+				User: &iam.User{
+					UserName: "alice",
+				},
+			},
+		},
+		RunAs: &jobs.JobRunAs{
+			UserName: "bob",
+		},
+		Resources: config.Resources{
+			Dashboards: map[string]*resources.Dashboard{
+				"dash_without_embed": {
+					DashboardConfig: resources.DashboardConfig{
+						DisplayName:      "Dashboard without embed",
+						EmbedCredentials: false,
+					},
+				},
+			},
+		},
+	}
+
+	b := &bundle.Bundle{
+		Config: config,
+	}
+
+	diags := bundle.Apply(context.Background(), b, SetRunAs())
+	require.NoError(t, diags.Error())
+}