Unable to create databricks group and add permission via terraform

soumiknow — Wed, 02 Jul 2025 08:19:59 GMT

I have the following terraform code to create a databricks group and add permission to a workflow:

resource "databricks_group" "dbx_group" { display_name = "ENV_MONITORING_TEAM" } resource "databricks_permissions" "workflow_permission" { job_id = databricks_job.workflow.id access_control { group_name = databricks_group.dbx_group.display_name permission_level = "CAN_MANAGE_RUN" } }

I have the following databricks terraform provider:

provider "databricks" { alias = "workspace" host = local.dbx_host google_service_account = local.gcp_sa }

Now, when I execute 'terraform plan', it returned error:

Error: cannot create group: failed during request visitor: default auth: cannot configure default credentials, please check https://docs.databricks.com/en/dev-tools/auth.html#databricks-client-unified-authentication to configure credentials for your preferred authentication method

If I use the 'host' & the generated 'token' values in '.databrickscfg' file, then 'terraform plan' and 'terraform apply' worked, but I have to use the 'google_service_account' directly to execute the group creation code.

Please suggest what needs to be done here in the existing provider so that the group and permission can be created via terraform.

Re: Unable to create databricks group and add permission via terraform

Louis_Frolio — Mon, 20 Oct 2025 18:44:44 GMT

Greetings @soumiknow , I did some digging internally and found something that may help:

Based on the information gathered, I can now draft a comprehensive response to this Databricks Community question about the Terraform authentication issue.

## Draft Response for Databricks Community

The authentication error you're encountering occurs because the Databricks Terraform provider needs proper Application Default Credentials (ADC) configured when using the `google_service_account` parameter. The issue is that while you've specified the service account in your provider configuration, Terraform cannot automatically generate the necessary authentication tokens without additional setup.

Solution

To resolve this issue, you need to set up Google Cloud ID authentication with impersonation. Here's what needs to be configured:

Step 1: Ensure Service Account Permissions

The Google Cloud service account specified in `local.gcp_sa` must be added as a user in your Databricks workspace with appropriate permissions to create groups and manage permissions.

Step 2: Configure Authentication via Google Cloud CLI

Before running Terraform, you need to authenticate using the Google Cloud CLI with impersonation. Run this command in your terminal:

```bash
gcloud auth login --impersonate-service-account=YOUR_SERVICE_ACCOUNT_EMAIL
```

Replace `YOUR_SERVICE_ACCOUNT_EMAIL` with the email address of your service account (e.g., `service-account@project.iam.gserviceaccount.com`) .

Step 3: Set Application Default Credentials

After authentication, set up Application Default Credentials that Terraform can use:

```bash
gcloud auth application-default login
```

This ensures that the Terraform provider can access the credentials needed to authenticate on behalf of the service account.

Step 4: Verify IAM Permissions

Your Google Cloud user account needs the following IAM roles to impersonate the service account:

- Service Account Token Creator
- Service Account User

Alternative Approach: Use Environment Variables

If you prefer not to use impersonation, you can set environment variables that the Databricks provider will automatically detect [4]:

```bash
export DATABRICKS_HOST="your-workspace-url"
export DATABRICKS_GOOGLE_SERVICE_ACCOUNT="service-account@project.iam.gserviceaccount.com"
```

Then simplify your provider configuration:

```hcl
provider "databricks" {
alias = "workspace"
}
```

The provider will automatically pick up these environment variables.

Why Token-Based Authentication Works

When you manually specify `host` and `token` in `.databrickscfg`, you're using Personal Access Token (PAT) authentication, which doesn't require the complex OAuth flow that Google Cloud ID authentication uses. However, using service accounts is more secure for automation scenarios and doesn't require managing PAT expiration.

Additional Verification

After configuring authentication, test it with the Databricks CLI before running Terraform:

```bash
databricks groups list
```

If this command succeeds, your Terraform configuration should work as well.

Regards, Louis

topic Unable to create databricks group and add permission via terraform in Data Engineering

Unable to create databricks group and add permission via terraform

Re: Unable to create databricks group and add permission via terraform