How to setup service principal to assing account-level groups to workspaces using terraform

DavidZS — Wed, 03 Apr 2024 11:11:27 GMT

Based on best practices, we have set up SCIM provisioning using Microsoft Entra ID to synchronize Entra ID groups to our Databricks account. All workspaces have identity federation enabled.

However, how should workspace administrators assign account-level groups to their workspaces via terraform once they have been synchronized to the Databricks account? The Databricks provider documentation for the "databricks_permission_assignment" resource provides an example that uses a dedicated provider on account level. When attempting to read the group on account-level using a service principal with workspace adminstrator rights only returns an error (status 401). Based on some (more or less cryptic) descriptions, any account-level API can only be accessed by credentials with "Account Admin" rights (example reference).

For obvious reasons, service principals used to manage terraform state of a specific workspace should not be granted "Account Admin" rights. How can the service principal set up in a way that allows fetching the group id without granting "Account Admin" rights? Are there additional workspace-level APIs that I'm not aware of that can be used instead?

Re: How to setup service principal to assing account-level groups to workspaces using terraform

Walter_C — Fri, 05 Apr 2024 00:50:45 GMT

Have you tried giving Manager role on the group to the service principal which is workspace admin? Once you do this you may be able to use the settings to In workspace context, adding account-level group to a workspace in databricks_permission_assignment

topic How to setup service principal to assing account-level groups to workspaces using terraform in Administration & Architecture

How to setup service principal to assing account-level groups to workspaces using terraform

Re: How to setup service principal to assing account-level groups to workspaces using terraform