Based on best practices, we have set up SCIM provisioning using Microsoft Entra ID to synchronize Entra ID groups to our Databricks account. All workspaces have identity federation enabled.
However, how should workspace administrators assign account-level groups to their workspaces via Terraform once they have been synchronized to the Databricks account? The Databricks provider documentation for the "databricks_permission_assignment" resource provides an example that uses a dedicated provider on account level. Attempting to read the group on account level using a service principal with workspace administrator rights only returns an error (status 401). Based on some (more or less cryptic) descriptions, any account-level API can only be accessed by credentials with "Account Admin" rights (example reference).
For obvious reasons, service principals used to manage Terraform state of a specific workspace should not be granted "Account Admin" rights. How can the service principal be set up in a way that allows fetching the group id without granting "Account Admin" rights? Are there additional workspace-level APIs that I'm not aware of that can be used instead?
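The two-provider layout that the provider documentation describes for "databricks_permission_assignment", written out as an added illustration (not code from the original post or from the Databricks docs); the variable names, the group display name and the workspace URL are assumptions:

```hcl
terraform {
  required_providers {
    databricks = {
      source = "databricks/databricks"
    }
  }
}

# Workspace-level provider: the service principal that manages this workspace's
# state. It only needs workspace admin rights.
provider "databricks" {
  host = var.workspace_url # assumed variable, e.g. https://adb-<id>.<n>.azuredatabricks.net
}

# Account-level provider: used solely to look up account-scoped objects such as
# the SCIM-synced groups. Whatever credentials sit behind this alias are the ones
# that need account-level rights, so keep them out of the workspace pipeline
# (separate state, separate identity) rather than elevating the workspace SP.
provider "databricks" {
  alias      = "account"
  host       = "https://accounts.azuredatabricks.net"
  account_id = var.databricks_account_id # assumed variable
}

# Look up the Entra ID group that SCIM provisioned into the Databricks account.
data "databricks_group" "data_engineers" {
  provider     = databricks.account
  display_name = "data-engineers" # constructed group name
}

# Assign the account-level group to this workspace with plain user access.
# Use ["ADMIN"] only for groups that genuinely need to administer the workspace.
resource "databricks_permission_assignment" "data_engineers" {
  principal_id = data.databricks_group.data_engineers.id
  permissions  = ["USER"]
}

output "assigned_group_id" {
  value = data.databricks_group.data_engineers.id
}
```

The resource itself runs against the workspace-level provider; only the group lookup goes through the account alias, which is exactly the call that fails with 401 for a workspace-admin-only service principal.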