I am configuring databricks_mws_credentials through Terraform on AWS. This worked until a couple of days ago; now I am getting "Error: cannot create mws credentials: Cannot complete request; user is unauthenticated".
My username, password and account ID are correct. They are passed through environment variables:
# Terraform reads an environment variable named TF_VAR_<name> as the value of
# the input variable <name>; these three feed the var.databricks_account_*
# references in the configuration. Real values are redacted as "[...]".
# NOTE(review): the password is a long-lived secret. An export typed at an
# interactive prompt can end up in shell history, and every child process
# inherits the variable; loading it from a secret store at run time is safer.
export TF_VAR_databricks_account_id="[...]" \
       TF_VAR_databricks_account_username="[...]" \
       TF_VAR_databricks_account_password="[...]"
I boiled it down to a minimal example showing the error. It is based on https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/mws_credentials:
// Terraform CLI and provider version constraints for this minimal reproduction.
// NOTE(review): version constraints select a release but do not pin its
// checksums; keep the generated .terraform.lock.hcl under version control so
// every run installs the same provider builds.
terraform {
  required_version = ">= 1.0.0"

  required_providers {
    // Exact pin: only provider release 1.2.0 satisfies this constraint.
    databricks = {
      version = "1.2.0"
      source  = "databricks/databricks"
    }

    // "~> 3.70.0" accepts 3.70.x patch releases and nothing newer.
    aws = {
      version = "~> 3.70.0"
      source  = "hashicorp/aws"
    }
  }
}
// AWS provider configuration addressed as aws.databricks. It operates in
// var.region after assuming the "terraform" role in the AWS account named by
// var.isee_databricks_aws_account_id.
// NOTE(review): only resources that set `provider = aws.databricks` use this
// configuration; the base credentials that perform the role assumption are not
// shown in this listing.
provider "aws" {
  region = var.region
  alias  = "databricks"

  assume_role {
    role_arn = "arn:aws:iam::${var.isee_databricks_aws_account_id}:role/terraform"
  }
}
// Databricks provider in account-level ("MWS") mode, used to provision the new
// workspace. It is addressed as databricks.mws and talks to the accounts
// endpoint rather than to a workspace URL.
// See https://registry.terraform.io/providers/databricks/databricks/latest/docs#authentication
//
// NOTE(review): authentication here is username/password, i.e. a long-lived
// account secret. The variable declarations are not shown; declare
// databricks_account_password with `sensitive = true` so Terraform redacts it
// in plan and apply output. Newer provider releases document other
// authentication methods - confirm which ones the account still accepts.
provider "databricks" {
  alias = "mws"
  host  = "https://accounts.cloud.databricks.com"

  username = var.databricks_account_username
  password = var.databricks_account_password
}
// Renders the trust (assume-role) policy JSON for the cross-account IAM role.
// The Databricks account ID is supplied as the external ID; the generated
// policy is expected to require it on sts:AssumeRole, which is what stops
// another tenant from having Databricks assume this role on its behalf.
// NOTE(review): there is no `provider` argument, so this data source resolves
// to the default databricks provider configuration, not databricks.mws. The
// listing shows no default configuration - confirm that is intended.
data "databricks_aws_assume_role_policy" "this" {
  external_id = var.databricks_account_id
}
// IAM role that Databricks assumes in this AWS account. Its trust policy is
// the JSON rendered by data.databricks_aws_assume_role_policy.this.
// NOTE(review): there is no `provider = aws.databricks` argument, so this role
// is created with the default aws provider configuration (ambient credentials
// and region), not through the assumed "terraform" role. Confirm that the role
// lands in the AWS account you intend.
resource "aws_iam_role" "cross_account_role" {
  assume_role_policy = data.databricks_aws_assume_role_policy.this.json
  name               = "test-crossaccount"
}
// Renders the permissions policy JSON that is attached to the cross-account
// role. No arguments are set, so the provider's defaults determine the content.
// NOTE(review): inspect the rendered JSON (for example in `terraform plan`)
// before applying, so the permissions granted to Databricks are a reviewed
// decision and not an implicit default.
data "databricks_aws_crossaccount_policy" "this" {}
// Attaches the generated Databricks permissions policy to the cross-account
// role as an inline policy.
// NOTE(review): with no `provider` argument this uses the default aws provider
// configuration, not aws.databricks - confirm the target account.
resource "aws_iam_role_policy" "this" {
  role   = aws_iam_role.cross_account_role.id
  name   = "test-policy"
  policy = data.databricks_aws_crossaccount_policy.this.json
}
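// Registers the cross-account role with the Databricks account as a
// credentials configuration named "test-creds". This is the resource whose
// creation fails with "user is unauthenticated"; it is the only block that
// calls the account API through the databricks.mws provider.
resource "databricks_mws_credentials" "this" {
  provider         = databricks.mws
  account_id       = var.databricks_account_id
  credentials_name = "test-creds"
  role_arn         = aws_iam_role.cross_account_role.arn

  // The role ARN reference orders this resource after the role only, not after
  // the role's inline policy. The explicit dependency makes Terraform attach
  // the policy before the role is registered. This affects ordering only, not
  // how the provider authenticates.
  depends_on = [aws_iam_role_policy.this]
}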