Error: cannot create mws credentials: Cannot complete request; user is unauthenticated

Andrei_Radulesc
Contributor III

I am configuring databricks_mws_credentials through Terraform on AWS. This worked until a couple of days ago; now I am getting "Error: cannot create mws credentials: Cannot complete request; user is unauthenticated".

My username, password, and account ID are correct. They are passed through environment variables:

# Terraform maps each TF_VAR_<name> environment variable onto the input
# variable <name>, so these three feed var.databricks_account_username,
# var.databricks_account_password and var.databricks_account_id.
# The "[...]" values appear to be placeholders standing in for the real ones.
# Exported variables are inherited by every child process of this shell, and
# values typed at an interactive prompt can end up in shell history; loading
# them from a secret store or a prompt-without-echo avoids both.
export TF_VAR_databricks_account_username="[...]"
export TF_VAR_databricks_account_password="[...]"
export TF_VAR_databricks_account_id="[...]"

I boiled it down to a minimal example showing the error. It is based on https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/mws_credentials:

// Pins Terraform core and the two providers this example depends on.
// Version constraints only select a release; the provider checksums that
// Terraform verifies on install live in .terraform.lock.hcl (not shown here),
// so that file should be committed alongside this configuration.
terraform {
  required_version = ">= 1.0.0"

  required_providers {
    // "~> 3.70.0" accepts 3.70.x patch releases only.
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.70.0"
    }

    // Exact pin: only release 1.2.0 of the Databricks provider is accepted.
    databricks = {
      source  = "databricks/databricks"
      version = "1.2.0"
    }
  }
}

// AWS provider instance addressed as aws.databricks. Calls made through it
// first assume the "terraform" role in the account identified by
// var.isee_databricks_aws_account_id, in the region given by var.region.
// NOTE(review): the aws_iam_role and aws_iam_role_policy resources in this
// listing do not set `provider = aws.databricks`, so as written they go
// through the default (unaliased) aws provider and whatever ambient AWS
// credentials it finds. Confirm which account the cross-account role is
// meant to be created in.
provider "aws" {
  alias  = "databricks"
  region = var.region

  assume_role {
    role_arn = "arn:aws:iam::${var.isee_databricks_aws_account_id}:role/terraform"
  }
}

// Account-level ("MWS") Databricks provider instance, addressed as
// databricks.mws. It points at the accounts console endpoint and is used to
// provision the new workspace.
// See https://registry.terraform.io/providers/databricks/databricks/latest/docs#authentication
//
// Authentication is username/password taken from input variables.
// NOTE(review): the variable declarations are not shown; declare
// databricks_account_password with `sensitive = true` so plan and apply
// output redact it.
// NOTE(review): only host, username and password are set explicitly. The
// provider documentation linked above lists further arguments and
// DATABRICKS_* environment variables that also feed authentication; when
// chasing an "unauthenticated" error, check that none of them are set
// unexpectedly in the shell that runs Terraform.
provider "databricks" {
  alias    = "mws"
  host     = "https://accounts.cloud.databricks.com"
  username = var.databricks_account_username
  password = var.databricks_account_password
}

// Produces the trust (assume-role) policy JSON that
// aws_iam_role.cross_account_role attaches below.
// external_id is set to the Databricks account ID. In an AWS trust policy the
// external ID is the guard against confused-deputy role assumption, so it
// must be this account's own ID rather than a shared or guessable value.
// Presumably it is rendered as an sts:ExternalId condition; confirm in the
// generated JSON.
// No provider alias is set here, so the default databricks provider is used
// rather than databricks.mws.
data "databricks_aws_assume_role_policy" "this" {
  external_id = var.databricks_account_id
}

// IAM role that Databricks assumes from its side. Who may assume it is
// decided entirely by the trust policy JSON generated by
// data.databricks_aws_assume_role_policy.this.
// NOTE(review): no `provider` meta-argument is set, so this role is created
// through the default aws provider, not the aws.databricks instance that
// assumes the "terraform" role. Verify that is the intended account.
resource "aws_iam_role" "cross_account_role" {
  name               = "test-crossaccount"
  assume_role_policy = data.databricks_aws_assume_role_policy.this.json
}

// Produces the permissions policy JSON that aws_iam_role_policy.this attaches
// to the cross-account role. No arguments are passed, so the provider's
// defaults decide what is granted. Inspect the rendered JSON (for example in
// `terraform plan`) to confirm the permissions are no broader than needed.
data "databricks_aws_crossaccount_policy" "this" {}

// Inline policy on the cross-account role. The statements come verbatim from
// data.databricks_aws_crossaccount_policy.this, and they define what
// Databricks can do in the AWS account once it has assumed the role.
// NOTE(review): like the role itself, this uses the default aws provider
// because no `provider` meta-argument is set.
resource "aws_iam_role_policy" "this" {
  name   = "test-policy"
  role   = aws_iam_role.cross_account_role.id
  policy = data.databricks_aws_crossaccount_policy.this.json
}

// Registers the cross-account role's ARN with the Databricks account under
// the name "test-creds". This is the only resource here that goes through
// databricks.mws, and it is the operation named in the reported
// "cannot create mws credentials" error.
// NOTE(review): the only reference is to aws_iam_role.cross_account_role, so
// nothing orders this after aws_iam_role_policy.this. Terraform may register
// the role before its permissions policy is attached. Add an explicit
// dependency if the ordering matters.
resource "databricks_mws_credentials" "this" {
  provider         = databricks.mws
  account_id       = var.databricks_account_id
  credentials_name = "test-creds"
  role_arn         = aws_iam_role.cross_account_role.arn
}