Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.

Unable to create databricks group and add permission via terraform

soumiknow
Contributor II

I have the following terraform code to create a databricks group and add permission to a workflow:


```hcl
resource "databricks_group" "dbx_group" {
  display_name = "ENV_MONITORING_TEAM"
}

resource "databricks_permissions" "workflow_permission" {
  job_id = databricks_job.workflow.id
  access_control {
    group_name       = databricks_group.dbx_group.display_name
    permission_level = "CAN_MANAGE_RUN"
  }
}
```

I have the following databricks terraform provider:

```hcl
provider "databricks" {
  alias                  = "workspace"
  host                   = local.dbx_host
  google_service_account = local.gcp_sa
}
```

Now, when I execute 'terraform plan', it returns this error:

Error: cannot create group: failed during request visitor: default auth: cannot configure default credentials, please check https://docs.databricks.com/en/dev-tools/auth.html#databricks-client-unified-authentication to configure credentials for your preferred authentication method

If I use the 'host' and the generated 'token' values in the '.databrickscfg' file, then 'terraform plan' and 'terraform apply' work, but I have to use the 'google_service_account' directly to execute the group creation code.

Please suggest what needs to be done here in the existing provider so that the group and permission can be created via terraform.


Louis_Frolio
Databricks Employee

Greetings @soumiknow , I did some digging internally and found something that may help:


The authentication error you're encountering occurs because the Databricks Terraform provider needs proper Application Default Credentials (ADC) configured when using the `google_service_account` parameter. The issue is that while you've specified the service account in your provider configuration, Terraform cannot automatically generate the necessary authentication tokens without additional setup.

Solution

To resolve this issue, you need to set up Google Cloud ID authentication with impersonation. Here's what needs to be configured:

Step 1: Ensure Service Account Permissions

The Google Cloud service account specified in `local.gcp_sa` must be added as a user in your Databricks workspace with appropriate permissions to create groups and manage permissions.

Step 2: Configure Authentication via Google Cloud CLI

Before running Terraform, you need to authenticate using the Google Cloud CLI with impersonation. Run this command in your terminal:

```bash
gcloud auth login --impersonate-service-account=YOUR_SERVICE_ACCOUNT_EMAIL
```

Replace `YOUR_SERVICE_ACCOUNT_EMAIL` with the email address of your service account (e.g., `service-account@project.iam.gserviceaccount.com`).

Step 3: Set Application Default Credentials

After authentication, set up Application Default Credentials that Terraform can use:

```bash
gcloud auth application-default login
```

This ensures that the Terraform provider can access the credentials needed to authenticate on behalf of the service account.

Step 4: Verify IAM Permissions

Your Google Cloud user account needs the following IAM roles to impersonate the service account:

- Service Account Token Creator
- Service Account User

Alternative Approach: Use Environment Variables

If you prefer not to use impersonation, you can set environment variables that the Databricks provider will automatically detect [4]:

```bash
export DATABRICKS_HOST="your-workspace-url"
export DATABRICKS_GOOGLE_SERVICE_ACCOUNT="service-account@project.iam.gserviceaccount.com"
```

Then simplify your provider configuration:

```hcl
provider "databricks" {
  alias = "workspace"
}
```

The provider will automatically pick up these environment variables.

Why Token-Based Authentication Works

When you manually specify `host` and `token` in `.databrickscfg`, you're using Personal Access Token (PAT) authentication, which doesn't require the complex OAuth flow that Google Cloud ID authentication uses. However, using service accounts is more secure for automation scenarios and doesn't require managing PAT expiration.

Additional Verification

After configuring authentication, test it with the Databricks CLI before running Terraform:

```bash
databricks groups list
```

If this command succeeds, your Terraform configuration should work as well.

Regards, Louis
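The question's resources wired to the aliased provider, as an added example rather than code from either post. It is worth checking because the provider block in the question carries `alias = "workspace"`, and Terraform binds a resource to an aliased provider only when the resource sets `provider = databricks.workspace`; a resource without that line uses the default, unconfigured `databricks` provider, whose SDK then falls back to default credential lookup (the `.databrickscfg` profile that made the PAT variant work). The `required_providers` version constraint, the local values and the `databricks_job` stub are placeholders, not values from the original posts.

```hcl
terraform {
  required_providers {
    databricks = {
      source  = "databricks/databricks"
      version = ">= 1.0.0" # placeholder constraint; pin to the version you actually use
    }
  }
}

locals {
  # Placeholder values; in the question these come from local.dbx_host / local.gcp_sa.
  dbx_host = "https://<workspace-host>"
  gcp_sa   = "service-account@project.iam.gserviceaccount.com"
}

# Aliased provider. Because of `alias`, nothing uses it unless a resource names it.
# If DATABRICKS_HOST / DATABRICKS_GOOGLE_SERVICE_ACCOUNT are exported instead,
# host and google_service_account can be dropped and the alias alone kept.
provider "databricks" {
  alias                  = "workspace"
  host                   = local.dbx_host
  google_service_account = local.gcp_sa
}

# Placeholder job so the permission resource below has something to reference;
# the question's real job resource is not shown.
resource "databricks_job" "workflow" {
  provider = databricks.workspace
  name     = "env-monitoring-workflow"
}

resource "databricks_group" "dbx_group" {
  provider     = databricks.workspace # without this line the default provider is used
  display_name = "ENV_MONITORING_TEAM"
}

resource "databricks_permissions" "workflow_permission" {
  provider = databricks.workspace
  job_id   = databricks_job.workflow.id
  access_control {
    group_name       = databricks_group.dbx_group.display_name
    permission_level = "CAN_MANAGE_RUN"
  }
}
```

Running `terraform plan` with the identity that holds Service Account Token Creator on the service account exercises the same credential path that `databricks groups list` tests above.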