Hello,
I want to authenticate the databricks provider using a system-managed identity in Azure. The identity resides in a different subscription than the databricks workspace:
- Grant the (system-assigned) managed identity the "Contributor" role on Subscription B. I can confirm via Azure portal that the app service behind the managed identity indeed has the "Contributor" role on the subscription in which the databricks workspace resides.
- Register the managed identity as a databricks service principal in the databricks workspace using its application id.
- Initialize the databricks provider with the following arguments:
  - host: host address of the databricks workspace
  - azure_workspace_resource_id: resource ID of the Azure workspace, obtained from an "azurerm_databricks_workspace" data object
  - azure_client_id: application id of the system-managed identity / registered databricks service principal
  - azure_use_msi: true
I tried to create a resource using this provider.
The terraform plan step looks good, i.e. the resource I want to create shows up in the planning step. However, during the apply step I encounter the following error:
Error: cannot create [redacted]: inner token: token error: ***"error":"invalid_request","error_description":"Identity not found"***
This error appears independent of the created resource (I tried several ones). The problem seems to be in the authentication with the managed identity.
Is it possible to authenticate the databricks provider using a system-managed identity? If yes, what would be the correct configuration for the provider and the environment in this setup? I am a bit confused on how to point the provider at the right identity to use. In order to point the provider to the correct identity / SPN, I set the parameter "azure_client_id" to the managed identity's application id. However, I am not sure whether this is correct.
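For reference, here is a Terraform configuration wired up the way the post describes (workspace looked up from an "azurerm_databricks_workspace" data source, provider authenticating through the managed identity). This is an added example, not the poster's actual configuration: the subscription id, resource group and workspace names are placeholders, and the azurerm provider is assumed to run under the same managed identity via its own `use_msi` switch. The comment on `azure_client_id` reflects the Azure managed-identity token endpoint, where a client id is what selects a user-assigned identity; whether it must be omitted for a system-assigned identity is the thing worth checking against the provider documentation when chasing an "Identity not found" response.

```hcl
# Added example, not from the original post. Names and ids are placeholders.
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
    databricks = {
      source = "databricks/databricks"
    }
  }
}

# azurerm provider runs under the managed identity of the host (app service / VM),
# scoped to the subscription that holds the Databricks workspace ("Subscription B").
provider "azurerm" {
  features {}
  subscription_id = "00000000-0000-0000-0000-000000000000" # placeholder: Subscription B
  use_msi         = true
}

# Look up the workspace so host and resource id are not hard-coded.
data "azurerm_databricks_workspace" "this" {
  name                = "example-workspace" # placeholder
  resource_group_name = "example-rg"        # placeholder
}

provider "databricks" {
  # workspace_url is exported by the data source (e.g. adb-<id>.<n>.azuredatabricks.net)
  host                        = data.azurerm_databricks_workspace.this.workspace_url
  azure_workspace_resource_id = data.azurerm_databricks_workspace.this.id
  azure_use_msi               = true

  # Assumption to verify: the token endpoint uses a client id to pick a
  # user-assigned identity. For a system-assigned identity, try leaving this
  # unset so the host's own identity is used.
  # azure_client_id = "11111111-1111-1111-1111-111111111111" # placeholder
}

# Any workspace-level resource exercises the token exchange at apply time;
# a group is a harmless one to test with.
resource "databricks_group" "smoke_test" {
  display_name = "msi-auth-smoke-test" # placeholder
}
```

With `azure_use_msi = true` the provider fetches its token from the host's managed-identity endpoint rather than from a client secret, so the "Contributor" assignment on the workspace's subscription and the service principal registration inside the workspace are both still required; the example only changes how the identity is selected, not what it is allowed to do.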