Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.

Databricks on GCP admin console access

borft
New Contributor

Hi,

I'm trying to update the GCP permissions for Databricks as described here: https://docs.databricks.com/gcp/en/admin/cloud-configurations/gcp/gce-update

To be able to do that, I have to log in to the account console here: https://accounts.gcp.databricks.com/

However, I can't seem to be able to do so. I use pay-as-you-go Databricks, purchased through Google's Marketplace on GCP. This was deployed by my predecessor, and I do not know how to log in. Whichever account I try doesn't work (for Databricks itself we use SSO). I simply end up in Databricks with my normal account (which doesn't have the required permissions).

Does anybody have a tip on how to determine what account I need to log in to obtain the appropriate permissions?


Louis_Frolio
Databricks Employee

Greetings @borft, it sounds like you’re being redirected into a workspace without the right privileges; let’s get you into the correct Databricks account console for your GCP Marketplace subscription and identify the right login.

What login is required (and why)

  • You must be a Databricks account admin to update the new GCE compute permissions; this can be done in the account console with “Update permissions” or via the Accounts API if your org uses a provisioning service account.
  • For GCP Marketplace (PAYG), the person who completed “Register with Databricks / Manage on Provider” during subscription became the initial Databricks account owner for that billing account; they log into the account console at https://accounts.gcp.databricks.com using their Google identity.

How to identify the right Google account to log in

Here are practical ways to locate the procurement identity and reach the correct account console:
  • Identify the Google Cloud billing account tied to your Databricks workspace’s project, then check Cloud Marketplace “Your orders” for Databricks under that billing account. Workspaces are provisioned into a customer GCP project you specify at workspace creation, so the project’s Billing page will show the billing account to inspect in Marketplace.
  • In Google Cloud Console > Cloud Marketplace > Your orders (for the correct billing account), ensure the Databricks order is Active, then click the blue Manage on Provider button; this opens the Databricks account console for that subscription and is the most reliable entry point.
  • If you’re being bounced into a workspace by SSO, use an incognito window and go directly to the account console: https://accounts.gcp.databricks.com/. If you know the Databricks Account ID, you can force the account login with a hint: https://accounts.gcp.databricks.com/login?account_id=<account-id>.
  • If none of your current billing admins can access the account console for that subscription (common when a predecessor subscribed), ask the original marketplace procurement/billing admin to add you as an account admin in the Databricks account console. If you truly have no one with console access, contact supportops@databricks.com with your Google order number and billing account details and your Databricks account team; they can help locate and restore access.
  • Tip: if you do have account console access, you can match the subscription to its Google order number in Settings > Subscription & Billing, then cross-check it in the Marketplace listing to confirm the exact billing account owning the subscription.

Once you’re in the account console, update the GCE permissions

You have two supported paths (choose one):
  • Use the UI: In the account console, click Update permissions, confirm you have sufficient GCP privileges on the workspace projects, and proceed. This is for account owners who themselves have permissions on those projects.
  • Use the Accounts API if your org manages provisioning via a service account. Authenticate with:
    • X-Databricks-GCP-SA-Access-Token (Google OAuth 2.0 access token for a SA that can impersonate the Databricks-managed GCP SA)
    • Authorization: Bearer (Databricks account-level access token with sufficient privileges)
    Then call:

    ```bash
    curl --location --request PATCH \
      "https://accounts.gcp.databricks.com/api/2.0/accounts/<account-id>/migrateToComputeOnGce" \
      --header "X-Databricks-GCP-SA-Access-Token: $ACCESS_TOKEN" \
      --header "Authorization: Bearer $AUTH_TOKEN"
    ```

Edge cases you may need to handle

  • If you use a customer-managed VPC, the update attempts to add a firewall rule automatically; if it fails, add this rule manually (permits only intra‑VPC Databricks traffic): Rule name: databricks-{WORKSPACE_ID}-ingress; Direction: Ingress; Priority: 1000; Targets: Network tag databricks-{WORKSPACE_ID}; Source: primary CIDR of subnet; Protocols/ports: Allow all.
  • If you enforce GCP org policies for trusted images, add projects/databricks-external-images to your trusted image policy (constraints/compute.trustedImageProjects) so compute can launch.
  • To test GCE migration after updating, tag a new compute resource with key x-databricks-nextgen-cluster, value true; it should display a GCE label once running.

Why you were landing in a workspace

  • The account console (accounts.gcp.databricks.com) is distinct from a workspace UI; Marketplace flows route you to the account console via Register/Manage on Provider, but it’s common for users to inadvertently sign into a workspace where they lack account-admin privileges.

Hope this helps, Louis.
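
An added example, not part of the reply above and not Databricks' own tooling: the manual ingress rule from the customer-managed VPC edge case expressed as a `gcloud compute firewall-rules create` command, with input checks so that an "allow all" rule is never emitted with a source range broader than a real subnet CIDR. The function names, the numeric-workspace-ID check, the network name `my-vpc` and the sample ID and CIDR are assumptions made for illustration.

```shell
#!/bin/sh
# Prints (does not run) the gcloud command for the databricks-{WORKSPACE_ID}-ingress rule.

valid_workspace_id() {   # assumption: workspace IDs are plain digits
  case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

valid_network() {        # lowercase letters, digits and dashes only
  case "$1" in ''|*[!a-z0-9-]*) return 1 ;; *) return 0 ;; esac
}

valid_cidr() {           # IPv4 a.b.c.d/n with octets 0-255 and prefix 1-32
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; prefix=${1##*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  # A /0 prefix would turn "allow all" into an internet-facing rule: reject it.
  [ "${#prefix}" -le 2 ] && [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
  case "$ip" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

build_ingress_rule_cmd() {   # args: workspace-id network subnet-primary-cidr
  ws_id=$1; network=$2; cidr=$3
  valid_workspace_id "$ws_id" || { echo "invalid workspace id" >&2; return 1; }
  valid_network "$network"    || { echo "invalid network name" >&2; return 1; }
  valid_cidr "$cidr"          || { echo "invalid or too broad source CIDR" >&2; return 1; }
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS --priority=1000 --action=ALLOW --rules=all --source-ranges=%s --target-tags=%s\n' \
    "databricks-${ws_id}-ingress" "$network" "$cidr" "databricks-${ws_id}"
}

# Constructed sample values; review the printed command before running it.
build_ingress_rule_cmd 1234567890123456 my-vpc 10.0.0.0/20
```

Because the target is the network tag `databricks-{WORKSPACE_ID}` and the source is the subnet's primary CIDR, the rule stays scoped to workspace compute inside the VPC even though protocols and ports are unrestricted.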