Iām trying to create an account-level group in Databricks using Terraform. When creating a group via the UI, it automatically becomes an account-level group that can be reused across workspaces. However, Iām struggling to achieve the same using Terraform without account admin privileges.
Current Terraform Configuration:
provider "databricks" {
alias = "mws"
host = "https://accounts.azuredatabricks.net"
account_id = "<account-id>"
}
resource "databricks_group" "ws_admins" {
provider = databricks.mws
display_name = "ws_dev_project_admins"
}
Issue:
When executing this script without account admin rights, I get the following error:
ā Error: cannot read group: failed during request visitor: default auth: azure-cli: cannot get access token: WARNING: Could not retrieve credential from local cache for service principal *** under tenant common. Trying credential under tenant xyz, assuming that is an app credential.
ā ERROR: AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials. Trace ID: abc Correlation ID: def Timestamp: 2025-03-05 14:40:57Z
ā Interactive authentication is needed. Please run:
ā az login
ā . Config: host=https://accounts.azuredatabricks.net, account_id=uvw, azure_tenant_id=common
ā
ā with databricks_group.ws_admins,
ā on databricks_groups.tf line 9, in resource "databricks_group" "ws_admins":
ā 9: resource "databricks_group" "ws_admins" {
The group is only created successfully if the service account has account admin privileges, which I want to avoid.
What Iāve Tried:
- Using the workspace provider instead of databricks.mws ā This only creates workspace-level groups, not account-level ones.
- Creating the group via the UI ā This works as expected, automatically creating an account-level group.
Since it works via the UI, there must be a way to do this through the API. Does anyone know how to achieve this without requiring account admin privileges? Any guidance would be greatly appreciated.
