Databricks Community

SørenBrandt2 · yesterday

Dear All,

Using a Terraform workspace-level provider, I am trying to add an Entra Id group to the account, and then assign permissions to the group.

The Terraform provider runs in the context of an Entra Id user account with workspace admin permissions, and without account admin permissions.

The following code successfully adds the group to the workspace:

resource "databricks_group" "users" {
display_name = "Entra Id group name"
external_id = "Entra Id group object id"
}

Then, to assign User permissions on the workspace to the group:

resource "databricks_permission_assignment" "workspace_user" {
principal_id = databricks_group.users.id
permissions = ["USER"]
}

The Terraform PLAN phase does as expected, but then in the apply phase, I get the error "Error: cannot create permission assignment: Principal not found in account." That is, I can register the group, but I cannot read account level metadata about the group.

The above is consistent with what I see in the workspace Settings/Identity and access/Groups panel: I can add a group to the Workspace. But if I afterwards click the group to see group information, I get the error: "Call failed to /ajax/...: Group with id XXXXXX not found, ...".

Any ideas on how I can make this work?

Further context:

In my Databricks account, I have "Automatic identity management" enabled.
The account I use when running Terraform is Workspace admin but not Databricks Account admin.
I can make it work if I run the Terraform code with Databricks account admin permissions and using an account level provider to register the Entra Id group, it works. However, this is not an option for me in production.

BR,

Søren

nayan_wylde · yesterday

@SørenBrandt2 Here are few quick checks you can do and rerun.

1. Please make sure the Service Principle running the terraform code have Group Manager role on the specific account group. With that role, it can read that group at the account and retrieve the principal_id without being a full Account Admin. Databricks’ identity docs confirm “group managers can manage group membership” and that workspace admins can add groups to the account in identity‑federated setups; but the least‑privilege “Group Manager” just for the required groups is often acceptable in regulated environments.

2. Verify the group exists at the account first (AIM). With Automatic identity management enabled, Entra ID users/SPNs/groups are visible at the account and are marked External; they’re synced from Entra ID. Don’t rely on externalId for automation—Databricks warns it can change; prefer the stable Databricks id (principal_id).

3. Use the account provider only to resolve principal IDs, then perform the workspace assignment with the workspace provider.

provider "databricks" {
alias = "account"
host = "https://accounts.azuredatabricks.net"
# Azure Databricks Account Console ID is constant:
account_id = ""
# authenticate with a principal that can read the group at the account
}

# --- Workspace-scope provider (this is how you authenticate today) ---
provider "databricks" {
alias = "workspace"
host = var.workspace_url
}

SørenBrandt2 · yesterday

Hi Nayan,

Thank you for your response!

Your first point "Please make sure the Service Principle running the terraform code have Group Manager role on the specific account group" actually nails my challenge, although I did not spell this out in my question.

So far, to make it work, I have been doing as follows:

Ask a databricks account admin to:
1. Register the Entra Id group in the Databricks account.
2. Assign "Group: Manage" permissions to the Service Principal running Terraform.
3. Resolve the group principal ID and provide it as input to my Terraform script
Run my Terraform code with a service principal with workspace (but not account) admin privileges to perform the remaining work.

So what I am looking for is really a way to do steps 1a-c without having to bother a Databricks account admin.

Is that possible at the moment, I wonder?