https://community.databricks.com/t5/data-governance/terraform-grant-account-level-group-access-to-instance-profile/m-p/5264#M93 <P>@Mark Miller​&nbsp;:</P><P></P><P>The error you are facing suggests that the group you are trying to manage can only be managed at the account level, which means you cannot manage it at the workspace level. This error typically occurs when you attempt to assign a group to an instance profile or role that is outside the scope of the workspace.</P><P>To resolve this issue, you can try the following:</P><OL><LI>Ensure that the group you are trying to manage is at the account level, and not at the workspace level.</LI><LI>Update the provider version to the latest version to ensure you have access to any new fixes or updates that may address this issue.</LI><LI>Try using the databricks_group resource instead of the databricks_group_instance_profile or databricks_group_role resources. This resource allows you to create and manage groups at the account level, and it can be used to grant access to instance profiles and roles.</LI></OL><P>Here's an example of how you could create a group and grant it access to an instance profile:</P><PRE><CODE>resource "databricks_instance_profile" "example" { name = "example-instance-profile" } &nbsp; resource "databricks_group" "example" { display_name = "example-group" provider = databricks.accounts } &nbsp; resource "databricks_group_instance_profile" "example" { group_id = databricks_group.example.id instance_profile_arn = databricks_instance_profile.example.arn }</CODE></PRE><P></P><P>This creates a new instance profile and group at the account level, and then grants the group access to the instance profile.</P><P></P> Thu, 27 Apr 2023 04:55:56 GMT Anonymous 2023-04-27T04:55:56Z https://community.databricks.com/t5/data-governance/terraform-grant-account-level-group-access-to-instance-profile/m-p/5263#M92 <P>We have setup SCIM with Okta at the account-level and setup Unity Catalog and are in the process of migrating groups from workspace-local to account-level. I have an instance profile that was assigned to a workspace-local group. using `databricks_group_instance_profile`. I'm trying to grant the account-level group access to the instance profile (the profile grants access to resources other than S3) and both `databricks_group_instance_profile` and `databricks_group_role` return the following error:</P><PRE><CODE>cannot create group instance profile: invalidSyntax Groups attribute cannot be updated as group [name] can only be managed in account.</CODE></PRE><P>Or </P><PRE><CODE>cannot create group role: invalidSyntax Groups attribute cannot be updated as group [name] can only be managed in account.</CODE></PRE><P>If I set the provider to point to <A href="https://accounts.cloud.databricks.com" alt="https://accounts.cloud.databricks.com" target="_blank">accounts.cloud.databricks.com</A> then I get:</P><PRE><CODE>cannot create group role: invalidValue Invalid role value [arn]</CODE></PRE><P>Or </P><PRE><CODE>cannot create group instance profile: invalidValue Invalid role value [arn]</CODE></PRE><P>Finally, on a lark I tried to create the `databricks_instance_profile` using the <A href="https://accounts.cloud.databricks.com" alt="https://accounts.cloud.databricks.com" target="_blank">accounts.cloud.databricks.com</A> host and that didn't work either (as expected): </P><PRE><CODE>cannot create instance profile: HTTP method POST is not supported by this URL</CODE></PRE><P>Using `databricks_group_instance_profile` using the workspace host will actually set the permission successfully even though it throws an error. However, because of the error the resource is never added to Terraform state and `terraform apply` fails anyway so it wouldn't matter anyhow. </P><P></P><P></P><P>Granting permission to the group on the instance profile works fine manually if I use the workspace UI, but that is only a temporary fix since we manage our entire workspace in terraform. How am I supposed to get this to work?</P><P></P><P></P><P><B>Terraform</B>: v1.4.2</P><P></P><P><B>Databricks provider(s)</B>: v1.13.0, v1.14.3</P> Tue, 25 Apr 2023 20:13:05 GMT https://community.databricks.com/t5/data-governance/terraform-grant-account-level-group-access-to-instance-profile/m-p/5263#M92 dvmentalmadess 2023-04-25T20:13:05Z https://community.databricks.com/t5/data-governance/terraform-grant-account-level-group-access-to-instance-profile/m-p/5264#M93 <P>@Mark Miller​&nbsp;:</P><P></P><P>The error you are facing suggests that the group you are trying to manage can only be managed at the account level, which means you cannot manage it at the workspace level. This error typically occurs when you attempt to assign a group to an instance profile or role that is outside the scope of the workspace.</P><P>To resolve this issue, you can try the following:</P><OL><LI>Ensure that the group you are trying to manage is at the account level, and not at the workspace level.</LI><LI>Update the provider version to the latest version to ensure you have access to any new fixes or updates that may address this issue.</LI><LI>Try using the databricks_group resource instead of the databricks_group_instance_profile or databricks_group_role resources. This resource allows you to create and manage groups at the account level, and it can be used to grant access to instance profiles and roles.</LI></OL><P>Here's an example of how you could create a group and grant it access to an instance profile:</P><PRE><CODE>resource "databricks_instance_profile" "example" { name = "example-instance-profile" } &nbsp; resource "databricks_group" "example" { display_name = "example-group" provider = databricks.accounts } &nbsp; resource "databricks_group_instance_profile" "example" { group_id = databricks_group.example.id instance_profile_arn = databricks_instance_profile.example.arn }</CODE></PRE><P></P><P>This creates a new instance profile and group at the account level, and then grants the group access to the instance profile.</P><P></P> Thu, 27 Apr 2023 04:55:56 GMT https://community.databricks.com/t5/data-governance/terraform-grant-account-level-group-access-to-instance-profile/m-p/5264#M93 Anonymous 2023-04-27T04:55:56Z https://community.databricks.com/t5/data-governance/terraform-grant-account-level-group-access-to-instance-profile/m-p/5265#M94 <P>Hi @Mark Miller​&nbsp;</P><P></P><P>Hope all is well! Just wanted to check in if you were able to resolve your issue and would you be happy to share the solution or mark an answer as best? Else please let us know if you need more help.&nbsp;</P><P></P><P>We'd love to hear from you.</P><P></P><P>Thanks!</P><P></P> Tue, 02 May 2023 06:47:19 GMT https://community.databricks.com/t5/data-governance/terraform-grant-account-level-group-access-to-instance-profile/m-p/5265#M94 Anonymous 2023-05-02T06:47:19Z https://community.databricks.com/t5/data-governance/terraform-grant-account-level-group-access-to-instance-profile/m-p/5266#M95 <OL><LI>All of our groups are account-level groups (see opening paragraph)</LI><LI>Provider version was latest at the time of writing</LI><LI>I don't understand what this is trying to say. You can't use databricks_group in place of databricks_group_instance_profile or databricks_group_role. They can only be used together as shown in your example. This is exactly the first thing I tried and I get the first error I listed in my post.</LI></OL> Tue, 09 May 2023 23:12:17 GMT https://community.databricks.com/t5/data-governance/terraform-grant-account-level-group-access-to-instance-profile/m-p/5266#M95 dvmentalmadess 2023-05-09T23:12:17Z https://community.databricks.com/t5/data-governance/terraform-grant-account-level-group-access-to-instance-profile/m-p/38054#M1106 <P>Retried this using `databricks_group_role` after the `1.210` release of the `databricks/databricks` provider. This worked with an account-level group using the workspace provider and credentials.</P> Thu, 20 Jul 2023 18:36:30 GMT https://community.databricks.com/t5/data-governance/terraform-grant-account-level-group-access-to-instance-profile/m-p/38054#M1106 dvmentalmadess 2023-07-20T18:36:30Z