cancel
Showing results for 
Search instead for 
Did you mean: 
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Showing results for 
Search instead for 
Did you mean: 

Do you need to be workspace admin to create jobs?

grazie
Contributor

We're using a setup where we use gitlab ci to deploy workflows using a service principal, using the Jobs API (2.1) https://docs.databricks.com/dev-tools/api/latest/jobs.html#operation/JobsCreate

When we wanted to reduce permissions of the ci to minimum privileges, it looks like it actually needs to be admin in the workspace to create jobs. Can that really be the case?

This is the error that we got

requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://adb-000000000000000.00.azuredatabricks.net/api/2.1/jobs/create

 Response from server: 

 { 'error_code': 'PERMISSION_DENIED',

 'message': 'User d2e55b97-c94a-4ba0-b11f-872bc4873fa8 is not a workspace '

       'admin'}

3 REPLIES 3

Anonymous
Not applicable

@Geir Iversen​ :

The error message you received indicates that the user account being used by GitLab CI does not have the necessary permissions to create jobs in the Databricks workspace. By default, only users with the "Workspace Admin" role can create jobs in a Databricks workspace.

To create jobs with a non-admin user, you can grant the necessary permissions to the service principal account that GitLab CI is using. You can grant the "Can Manage" permission on the Jobs resource to the service principal account.

grazie
Contributor

Got it, thanks for the response.

I'm not sure if you mean that we could set (1) permissions per job, or (2) if there is a way to set "CAN_MANAGE" for "Jobs" in the workspace generally?

Since this is a CI principal that deploys workflows using the API, it also controls the per Job permissions, so (1) would become a "chicken and egg" type problem where CI would first need permissions to create the job/workflow, but the job is not existing yet so that can't be done. (2) would be exactly what I'm looking for.

Anonymous
Not applicable

Hi @Geir Iversen​ 

Thank you for posting your question in our community! We are happy to assist you.

To help us provide you with the most accurate information, could you please take a moment to review the responses and select the one that best answers your question?

This will also help other community members who may have similar questions in the future. Thank you for your participation and let us know if you need any further assistance! 

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group