Get Started Discussions
Infrastructure question

horatiug
New Contributor III

We've noticed that the GKE worker nodes which are automatically created when a Databricks workspace is created inside a GCP project are using the default Compute Engine SA, which is not the best security approach; even Google doesn't recommend using default resources inside production environments. Is there any option when creating the workspace to avoid using the Google default service account?

2 REPLIES

Kaniz_Fatma
Community Manager

Hi @horatiug, there is an option to avoid using the default service account when creating a Databricks workspace in a GCP project. You can create your workspaces in an existing customer-managed Virtual Private Cloud (VPC) that you make in your account. This allows you to exercise more control over your network configurations to comply with specific cloud security and governance standards that your organization may require. While creating a workspace, Databricks makes a service account and grants a role with the permissions needed to manage your workspace. If your workspace uses a customer-managed VPC, it does not need as many permissions. The part that Databricks creates omits permissions such as creating, updating, and deleting objects such as networks, routers, and subnets.

Please note that you must specify the customer-managed VPC when you create the workspace through the account console. You cannot move an existing workspace with a Databricks-managed VPC to your own VPC.

Also, you cannot change which customer-managed VPC the workspace uses after workspace creation.

horatiug
New Contributor III

Hi @Kaniz_Fatma,

We are already using a custom VPC, but the service account used is the default Compute Engine one. The expectation from our security team would be that when deploying the workspace a new SA is created in the project with the required rights, instead of using the default Compute Engine SA.
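To make the observation in this thread checkable rather than a one-off finding, here is an added audit helper that is not part of the thread and not Databricks or Google code. It takes the JSON that `gcloud container node-pools list --cluster=<cluster> --format=json` produces and flags node pools whose `config.serviceAccount` is the default Compute Engine service account (reported either as the literal `default` or as the `<project-number>-compute@developer.gserviceaccount.com` address), and, as a secondary check, pools whose nodes carry the broad `cloud-platform` OAuth scope. The sample pool list, project number and service-account names embedded below are constructed for the example; the `config.serviceAccount` / `config.oauthScopes` field names follow the GKE NodePool API, and reading them from a file or a subprocess call is left to the caller.

```python
import json
import re

# Constructed sample in the shape of `gcloud container node-pools list --format=json`:
# a list of NodePool objects. Project number and SA names are made up for the example.
SAMPLE_NODE_POOLS_JSON = json.dumps([
    {   # gcloud reports the literal string "default" when no SA was specified
        "name": "default-pool",
        "config": {
            "serviceAccount": "default",
            "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"],
        },
    },
    {   # the same default SA, but spelled out as its email address
        "name": "worker-pool",
        "config": {
            "serviceAccount": "123456789012-compute@developer.gserviceaccount.com",
            "oauthScopes": ["https://www.googleapis.com/auth/logging.write"],
        },
    },
    {   # a dedicated, least-privilege node SA (hypothetical name): the target state
        "name": "hardened-pool",
        "config": {
            "serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
            "oauthScopes": [
                "https://www.googleapis.com/auth/logging.write",
                "https://www.googleapis.com/auth/monitoring",
            ],
        },
    },
])

# The default Compute Engine SA always has the form <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# Node scope that grants the node's SA access to every API its IAM roles allow
BROAD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def uses_default_compute_sa(service_account: str) -> bool:
    """True if a node pool runs as the project's default Compute Engine SA."""
    sa = (service_account or "").strip()
    return sa in ("", "default") or DEFAULT_COMPUTE_SA.match(sa) is not None


def audit_node_pools(node_pools_json: str) -> list[dict]:
    """Return one finding per node pool that uses the default SA or a broad scope.

    Each finding: {"pool": name, "serviceAccount": sa, "issues": [reasons...]}.
    Pools with no issues are omitted, so an empty list means the audit passed.
    """
    findings = []
    for pool in json.loads(node_pools_json):
        config = pool.get("config", {})
        # GKE treats an absent serviceAccount as "default"
        sa = config.get("serviceAccount", "default")
        issues = []
        if uses_default_compute_sa(sa):
            issues.append("runs as the default Compute Engine service account")
        if BROAD_SCOPE in config.get("oauthScopes", []):
            issues.append("nodes carry the cloud-platform OAuth scope")
        if issues:
            findings.append({"pool": pool.get("name", "<unnamed>"),
                             "serviceAccount": sa,
                             "issues": issues})
    return findings


if __name__ == "__main__":
    # Runs against the constructed sample; replace with the real gcloud JSON output.
    for finding in audit_node_pools(SAMPLE_NODE_POOLS_JSON):
        print(f"{finding['pool']}: {finding['serviceAccount']}")
        for issue in finding["issues"]:
            print(f"  - {issue}")
```

Run against the sample, the audit flags `default-pool` (default SA plus the broad scope) and `worker-pool` (default SA by email) and passes `hardened-pool`. Treating a missing `serviceAccount` as `default` matters: that is how GKE interprets the omission, so an audit that only looks for the literal address would miss the most common case.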
