Databricks Community

Greetings @Jeff4 ,  thanks for laying out the setup and symptoms so clearly. Short answer: it’s not required that the workspace-creating service account be hosted in the same GCP project as the workspace; cross‑project is supported. The failure you’re seeing is almost certainly due to missing or restricted permissions on the target workspace project (most commonly the absence/disablement of the Compute Engine default service account), not the location of SA2 itself.

What’s supported

• A Databricks account admin (user or service account) can create a workspace as long as they hold the required Google permissions on the target workspace project. The creator can be from a different project; the key is having rights on the workspace project where Databricks will deploy resources.
• During creation, Databricks uses the workspace creator’s credentials to grant permissions to a per‑workspace service account and to set up required resources in your project. That process requires specific IAM privileges on the target project.

Likely root cause of “Failed / Unknown Error”

Cross‑project SA2 vs same‑project SA2

• It is not required that SA2 live in the workspace project; cross‑project identities work as long as SA2 has the necessary IAM on the workspace project (and any host project if using Shared VPC). The “same‑project” success you observed likely indicates the target project had the required compute SA and/or fewer org policy restrictions, rather than a platform limitation about SA location.

Required permissions for the workspace creator (SA2)

• Ability to get/set IAM policy on service accounts to grant Service Account User on the GCE service account used for clusters.
• If using a customer‑managed VPC, ability to create firewall rules in the VPC project (which may be different from the workspace project).
• If using customer‑managed keys, permissions to access KMS key policies (cloudkms.cryptoKeys.getIamPolicy).
• Databricks will automatically enable Compute Engine API and Cloud Storage API on the project at creation time if needed. Confirm your org policy allows this.

Checks and fixes

• Verify the Compute Engine default service account exists and is active in the target workspace project: bash gcloud iam service-accounts list --project <WORKSPACE_PROJECT_ID> \ --format="value(email)" | grep "compute@developer.gserviceaccount.com" If it’s missing (and the project is older than ~30 days), create a fresh project or pre‑provision a compliant compute SA and coordinate to use it; otherwise Databricks workspace creation will fail.
• Confirm SA2 has the required IAM on the target project(s) per “Required permissions” above; Owner typically covers the needed actions, but org policies (e.g., Domain Restricted Sharing, constraints on who can be added as members) can block grants even for owners.
• If your org enforces Domain Restricted Sharing, ensure Databricks’ Google Workspace customer ID is allowed at the org or project level, and that cross‑project identities are permitted under your constraints.
• From the account console, click the workspace row to look for a more specific error than “Unknown Error.” If present, it often points directly to the missing GCP identity or permission. If it remains opaque, delete and recreate after fixing the compute SA issue; failed workspaces cannot be updated in place.

Bottom line

• a) “Workspace creation can only be conducted by an SA hosted on the workspace project” → False. Cross‑project SA2 is fine.
• b) “There are additional roles to enable SA2 from a different project” → True, with the nuance that the most common blocker is the target project missing the Compute Engine default service account (or policies blocking its use), not the SA’s origin. Make sure SA2 has the exact required permissions on the workspace project and that the compute SA exists/enabled.