cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Workspaces stuck in a provisioning state

Go to solution
Kirsten
New Contributor

2 weeks ago

We are attempting to create a workspace on Databricks but encountering an issue

Workspace provisioning has been stuck in PROVISIONING state for over 2 hours. Only partial resources were created (IAM role and S3 bucket), and no VPC or CloudFormation resources exist. This appears to have failed during early provisioning, likely due to IAM permission boundary restrictions preventing EC2 resource creation. The workspace cannot be deleted from the UI and no force delete option is available. Please manually reset or force-delete the workspace from the backend so we can retry deployment.


Or please guide us in the right direction. We have created a cross account role but cant seem to configure it in databricks and are presented with a 400 response code

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Ashwin_DSA
Databricks Employee
Databricks Employee

2 weeks ago

Hi @Kirsten,

I've checked internally. Based on what you described, this appears most consistent with the AWS credential/cross-account role validation failing early in workspace creation, rather than a later-stage workspace issue.

Can you verify the following? 

  1. When you create the cross-account role in AWS, the trusted Databricks AWS account should be 414351767826, and the required External ID should be your Databricks account ID from the account console, not your AWS account ID.
  2. Databricks validates the credential configuration when you add the role in the account console, and a 400 at that step can indicate an invalid ARN or incorrect role permissions.
  3. If your AWS organisation uses SCPs or permission boundaries, please make sure they do not block sts:AssumeRole or the required EC2/VPC actions. Databricks docs explicitly note that cross-account role setup can fail even when the IAM policy itself looks correct if SCPs deny AssumeRole or EC2/VPC access.
  4. If you are using a Databricks-managed VPC, the role needs EC2/VPC provisioning permissions such as ec2:CreateVpc, ec2:CreateSubnet, ec2:CreateRouteTable, and related actions used during initial workspace setup.

If the workspace is still stuck in PROVISIONING and cannot be deleted from the account console, please open a Databricks Support case and include:

  • Databricks account ID
  • Workspace ID or deployment name
  • AWS region
  • The exact 400 response body / error text from the credential configuration step
  • Whether you are using Databricks-managed VPC or customer-managed VPC
  • Whether SCPs / permission boundaries are enforced in the AWS account

That will let Support inspect the failed provisioning attempt and help with cleanup or next steps.

If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.

Regards,
Ashwin | Delivery Solution Architect @ Databricks
Helping you build and scale the Data Intelligence Platform.
***Opinions are my own***

View solution in original post

0 Kudos
1 REPLY 1

Go to solution
Ashwin_DSA
Databricks Employee
Databricks Employee

2 weeks ago

Hi @Kirsten,

I've checked internally. Based on what you described, this appears most consistent with the AWS credential/cross-account role validation failing early in workspace creation, rather than a later-stage workspace issue.

Can you verify the following? 

  1. When you create the cross-account role in AWS, the trusted Databricks AWS account should be 414351767826, and the required External ID should be your Databricks account ID from the account console, not your AWS account ID.
  2. Databricks validates the credential configuration when you add the role in the account console, and a 400 at that step can indicate an invalid ARN or incorrect role permissions.
  3. If your AWS organisation uses SCPs or permission boundaries, please make sure they do not block sts:AssumeRole or the required EC2/VPC actions. Databricks docs explicitly note that cross-account role setup can fail even when the IAM policy itself looks correct if SCPs deny AssumeRole or EC2/VPC access.
  4. If you are using a Databricks-managed VPC, the role needs EC2/VPC provisioning permissions such as ec2:CreateVpc, ec2:CreateSubnet, ec2:CreateRouteTable, and related actions used during initial workspace setup.

If the workspace is still stuck in PROVISIONING and cannot be deleted from the account console, please open a Databricks Support case and include:

  • Databricks account ID
  • Workspace ID or deployment name
  • AWS region
  • The exact 400 response body / error text from the credential configuration step
  • Whether you are using Databricks-managed VPC or customer-managed VPC
  • Whether SCPs / permission boundaries are enforced in the AWS account

That will let Support inspect the failed provisioning attempt and help with cleanup or next steps.

If this answer resolves your question, could you mark it as “Accept as Solution”? That helps other users quickly find the correct fix.

Regards,
Ashwin | Delivery Solution Architect @ Databricks
Helping you build and scale the Data Intelligence Platform.
***Opinions are my own***
0 Kudos
Announcements