Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.

databricks bundle validate: Recommendation: permissions section should explicitly include the curren

IoanT
New Contributor

Starting from 10/07/2025, the validation bundle step of my databricks bundle deploy fails with the following message:

2025-07-11T07:07:18.5175554Z Recommendation: permissions section should explicitly include the current deployment identity '***' or one of its groups

2025-07-11T07:07:18.5177274Z If it is not included, CAN_MANAGE permissions are only applied if the present identity is used to deploy.

2025-07-11T07:07:19.6481035Z ##[error]Recommendation: permissions section should explicitly include the current deployment identity '***' or one of its groups

If it is not included, CAN_MANAGE permissions are only applied if the present identity is used to deploy.

 

Consider using a adding a top-level permissions section such as the following:

 

```yaml
permissions:
  - service_principal_name: ***
    level: CAN_MANAGE
```

 

I tried to add what they recommended, but it does not work. Any idea? Thanks


mark_ott
Databricks Employee

The error message in your Databricks bundle deploy validation step:

```text
Recommendation: permissions section should explicitly include the current deployment identity '***' or one of its groups
If it is not included, CAN_MANAGE permissions are only applied if the present identity is used to deploy.
```

means that in your bundle configuration YAML, the permissions section does not explicitly specify the user or service principal (deployment identity) that your deployment is running under. Databricks requires that this identity be explicitly granted the appropriate permissions (e.g., CAN_MANAGE) at a top-level permissions section or within the specific resources.


Common causes and resolutions:

  • Permissions must be defined at the top-level permissions section, not just per resource.

  • The identity to add is the exact principal doing the deployment, usually a service principal or user identity.

  • You cannot mix permissions for the same identity both in the top-level and resource-level permissions.

  • Make sure the syntax and indentation are correct in the YAML file.


Example permissions section that should work:

```yaml
permissions:
  - service_principal_name: "your-service-principal-name-or-identifier"
    level: CAN_MANAGE
```

or if deploying as a user:

```yaml
permissions:
  - user_name: "user@example.com"
    level: CAN_MANAGE
```
 

Important notes:

  • Ensure the service principal or user specified exactly matches the identity used to run the deployment (case sensitive).

  • If your deployment uses a group, add that group under group_name.

  • If specifying this did not work, double-check the identity running the deployment and make sure it matches what you put under permissions.

  • Sometimes, re-deploying with this config may require removing old permissions or redeploying the bundle fully to reset permissions.


Reference from Databricks documentation and community:

  • The top-level permissions section applies permissions globally to the entire bundle and all resources.

  • Permissions should explicitly include the deployment identity or one of its groups to ensure CAN_MANAGE rights are granted properly.

  • Permissions inside the resources section cannot duplicate those in the top-level permissions.


If after applying the recommended top-level permissions section you still face issues, verify:

  • The exact deployment identity via Databricks CLI or Azure portal.

  • The bundle's full permissions config to ensure no conflicting or overlapping permission definitions.

  • The bundle deploy command is run with the correct profile matching the identity in the permissions.
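As an added pre-deploy check (not code from this thread or from Databricks), the function below applies the validator's recommendation to a parsed bundle config: it looks for the deployment identity, or one of its groups, under top-level permissions with CAN_MANAGE, flags entries that differ from the identity only by case, and flags resource-level entries that repeat a top-level grant. The config dict, identity and group names are constructed for illustration; in practice load databricks.yml with PyYAML and take the identity and groups from `databricks current-user me`.

```python
# Principal keys used by entries in a Databricks Asset Bundle permissions list.
PRINCIPAL_KEYS = ("user_name", "service_principal_name", "group_name")


def principals_with_level(entries, level="CAN_MANAGE"):
    """Return {(key, name)} for every entry in a permissions list at `level`."""
    found = set()
    for entry in entries or []:
        if entry.get("level") == level:
            found.update((k, entry[k]) for k in PRINCIPAL_KEYS if k in entry)
    return found


def check_deployment_identity(config, identity, groups=()):
    """Return findings (empty list = passes). `config` is databricks.yml parsed
    into a dict (use PyYAML in practice); `identity` is the user e-mail or
    service principal application ID the deploy runs as, `groups` its group
    display names (both as reported by `databricks current-user me`)."""
    findings = []
    top = principals_with_level(config.get("permissions"))
    direct = {n for k, n in top if k != "group_name"}
    via_group = {n for k, n in top if k == "group_name"}
    if identity not in direct and not via_group.intersection(groups):
        findings.append(f"top-level permissions do not grant CAN_MANAGE to "
                        f"'{identity}' or any of its groups {sorted(groups)}")
    # Matching is case sensitive: flag entries that differ from the identity only by case.
    for n in direct:
        if n != identity and n.lower() == identity.lower():
            findings.append(f"'{n}' differs from deployment identity only by case")
    # A resource must not repeat a grant already made at the top level.
    for rtype, resources in (config.get("resources") or {}).items():
        for rname, rdef in (resources or {}).items():
            for key, n in sorted(principals_with_level(rdef.get("permissions")) & top):
                findings.append(f"{rtype}.{rname} repeats top-level {key} '{n}'")
    return findings


# Constructed sample bundle (not from the thread): the deploying service principal
# is granted CAN_MANAGE at the top level, but a job repeats that grant.
SAMPLE_CONFIG = {
    "bundle": {"name": "example-bundle"},
    "permissions": [
        {"group_name": "data-engineers", "level": "CAN_MANAGE"},
        {"service_principal_name": "deploy-sp-app-id", "level": "CAN_MANAGE"},
    ],
    "resources": {"jobs": {"nightly": {"permissions": [
        {"service_principal_name": "deploy-sp-app-id", "level": "CAN_MANAGE"}]}}},
}

if __name__ == "__main__":
    for finding in check_deployment_identity(SAMPLE_CONFIG, "deploy-sp-app-id", ["ci-runners"]):
        print("finding:", finding)
```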