Required permissions

For each workspace, Databricks creates a service account with the minimal permissions needed to create and manage the workspace. Your Google OAuth identity will be used to grant permissions to the service account on your project. All you have to do is click OK on a standard OAuth dialog. The Databricks account admin who creates the workspace must have the correct permissions on the project that was specified when the workspace was created.

Ensure that one of the following applies to you if you plan to create workspaces:

  • You are the Project Owner of the Google Cloud project that you specify during workspace creation.

  • You are the Project Editor and the IAM Admin for the Google Cloud project that you specify during workspace creation.

The set of project permissions that Databricks grants to the service account includes the permissions associated with the following roles:

  • Kubernetes Admin (built-in role)

  • Compute Storage Admin (built-in role)

  • Permissions for a custom role that Databricks automatically creates while launching a workspace.

Required user permissions or service account permissions to create a workspace

To create a workspace, you must have the following Google Cloud IAM permissions on your resources. The workspace project refers to the Google Cloud project specified during workspace creation. The workspace service account refers to the service account that Databricks creates. Databricks grants a role to that service account with permissions that Databricks needs to manage your workspace.

| Google permission | Purpose |
| --- | --- |
| compute.networks.get | Validate the existence of a VPC network. This is required to validate network resources for a customer-provided VPC network, which may belong to a project other than the workspace project. This permission is not required if the workspace uses the default VPC, in other words if it does not use a customer-managed VPC. |
| compute.projects.get | Get the host project of a VPC network. This is required to validate network resources for a customer-provided VPC network, which may belong to a project other than the workspace project. This permission is not required if the workspace uses the default VPC, in other words if it does not use a customer-managed VPC. |
| compute.subnetworks.get | Validate subnets of a VPC network. This is required to validate network resources for a customer-provided VPC network, which may belong to a project other than the workspace project. This permission is not required if the workspace uses the default VPC, in other words if it does not use a customer-managed VPC. |
| iam.roles.create | Create the custom role. This is required to create and manage a custom role for granting permissions to the workspace’s service account. |
| iam.roles.delete | Delete the custom role. This is required to create and manage a custom role for granting permissions to the workspace’s service account. |
| iam.roles.get | Get the custom role. This is required to create and manage a custom role for granting permissions to the workspace’s service account. |
| iam.roles.update | Update the custom role. This is required to create and manage a custom role for granting permissions to the workspace’s service account. |
| iam.serviceAccounts.getIamPolicy | Get IAM policy. This is required to grant and manage the workspace service account’s Service Account User role on the Google Cloud Compute Engine (GCE) service account for launching GKE clusters. |
| iam.serviceAccounts.setIamPolicy | Set IAM policy. This is required to grant and manage the workspace service account’s Service Account User role on the Google Cloud Compute Engine (GCE) service account for launching GKE clusters. |
| resourcemanager.projects.get | Get a project number from its project ID. This is required to get basic information about the workspace project. |
| resourcemanager.projects.getIamPolicy | Get IAM policy. This is required to grant permissions on the workspace project to the workspace service account. |
| resourcemanager.projects.setIamPolicy | Set IAM policy. This is required to grant permissions on the workspace project to the workspace service account. |
| resourcemanager.projects.testIamPermissions | Test IAM policy. This is required to grant permissions on the workspace project to the workspace service account. |
| serviceusage.services.get | Validate whether the customer project has enabled the required Google Cloud APIs. This is required to enable Google Cloud services that Databricks workloads need. |
| serviceusage.services.list | Validate whether the customer project has enabled the required Google Cloud APIs. This is required to enable Google Cloud services that Databricks workloads need. |
| serviceusage.services.enable | Enable the required Google Cloud APIs on the project if they are not already enabled. This is required to enable Google Cloud services that Databricks workloads need. |

Permissions in the custom role that Databricks grants to the service account

While creating a workspace, Databricks creates a service account and grants a role with permissions that Databricks needs to manage your workspace. This section refers to this as the workspace service account.

If your workspace uses a customer-managed VPC, it does not need as many permissions. The role that Databricks creates omits permissions such as creating, updating, and deleting objects such as networks, routers, and subnets. The following table lists the role’s permissions.

In addition to the permissions in the table, the following predefined roles are required for the workspace service account.

  • GKE Admin Role: This is required to operate and manage customer workloads running on GKE.

  • GCE Storage Admin Role: This is required to operate and manage Google Compute Engine (GCE) persistent storages associated with GKE.

| Google permission | Purpose |
| --- | --- |
| compute.globalOperations.get | Get operation data for visibility into GCE operations during GCE outages. This is required to manage GCE resources to run workloads. |
| compute.instanceGroups.get | Get instance groups for GCE troubleshooting. This is required to manage GCE resources to run workloads. |
| compute.instanceGroups.list | List instance groups for GCE troubleshooting. This is required to manage GCE resources to run workloads. |
| compute.instances.get | Get compute instances. This is required to manage GCE resources to run workloads. |
| compute.instances.list | List compute instances for GCE troubleshooting. This is required to manage GCE resources to run workloads. |
| compute.instances.setLabels | Set compute instance labels. This is required to manage GCE resources to run workloads. |
| compute.disks.get | Get disks. This is required to manage GCE resources to run workloads. |
| compute.disks.setLabels | Set disk labels. This is required to manage GCE resources to run workloads. |
| compute.networks.access | Manage network resources. This is required to manage GCE resources to run workloads. |
| compute.networks.create | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.networks.delete | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.networks.get | Manage network resources. This is required to manage GCE resources to run workloads. |
| compute.networks.getEffectiveFirewalls | Manage network resources. This is required to manage GCE resources to run workloads. |
| compute.networks.update | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.networks.updatePolicy | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.networks.use | Manage network resources. This is required to manage GCE resources to run workloads. |
| compute.networks.useExternalIp | Manage network resources. This is required to manage GCE resources to run workloads. |
| compute.regionOperations.get | Get region operations for visibility into Google Compute Engine (GCE) operations during GCE outages. This is required to manage GKE clusters to run workloads. |
| compute.routers.create | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.routers.delete | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.routers.get | Manage network resources. This is required to manage GCE resources to run workloads. |
| compute.routers.update | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.routers.use | Manage network resources. This is required to manage GCE resources to run workloads. |
| compute.subnetworks.create | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.subnetworks.delete | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.subnetworks.expandIpCidrRange | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.subnetworks.get | Manage network resources. This is required to manage GCE resources to run workloads. |
| compute.subnetworks.getIamPolicy | Manage network resources. This is required to manage GCE resources to run workloads. |
| compute.subnetworks.setIamPolicy | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.subnetworks.setPrivateIpGoogleAccess | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.subnetworks.update | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. This is required to manage GCE resources to run workloads. |
| compute.subnetworks.use | Manage network resources. This is required to manage GCE resources to run workloads. |
| compute.subnetworks.useExternalIp | Manage network resources. This is required to manage GCE resources to run workloads. |
| container.clusterRoleBindings.create | Create cluster role bindings. This is required to manage GKE clusters to run workloads. |
| container.clusterRoleBindings.get | Get cluster role bindings. This is required to manage GKE clusters to run workloads. |
| container.clusterRoles.bind | Bind cluster roles. This is required to manage GKE clusters to run workloads. |
| container.clusterRoles.create | Create cluster roles. This is required to manage GKE clusters to run workloads. |
| container.clusterRoles.get | Get cluster roles. This is required to manage GKE clusters to run workloads. |
| container.clusters.create | Create clusters. This is required to manage GKE clusters to run workloads. |
| container.clusters.delete | Delete clusters. This is required to manage GKE clusters to run workloads. |
| container.clusters.get | Get clusters. This is required to manage GKE clusters to run workloads. |
| container.clusters.getCredentials | Get cluster credentials. This is required to manage GKE clusters to run workloads. |
| container.clusters.list | List clusters. This is required to manage GKE clusters to run workloads. |
| container.clusters.update | Update clusters. This is required to manage GKE clusters to run workloads. |
| container.configMaps.create | Create configMaps. This is required to manage GKE clusters to run workloads. |
| container.configMaps.get | Get configMaps. This is required to manage GKE clusters to run workloads. |
| container.configMaps.update | Update configMaps. This is required to manage GKE clusters to run workloads. |
| container.customResourceDefinitions.create | Create custom resource definitions. This is required to manage GKE clusters to run workloads. |
| container.customResourceDefinitions.get | Get custom resource definitions. This is required to manage GKE clusters to run workloads. |
| container.customResourceDefinitions.update | Update custom resource definitions. This is required to manage GKE clusters to run workloads. |
| container.daemonSets.create | Create daemon sets. This is required to manage GKE clusters to run workloads. |
| container.daemonSets.get | Get daemon sets. This is required to manage GKE clusters to run workloads. |
| container.daemonSets.update | Update daemon sets. This is required to manage GKE clusters to run workloads. |
| container.deployments.create | Create deployments. This is required to manage GKE clusters to run workloads. |
| container.deployments.get | Get deployments. This is required to manage GKE clusters to run workloads. |
| container.deployments.update | Update deployments. This is required to manage GKE clusters to run workloads. |
| container.jobs.create | Create a job. This is required to manage GKE clusters to run workloads. |
| container.jobs.get | Get a job. This is required to manage GKE clusters to run workloads. |
| container.jobs.update | Update a job. This is required to manage GKE clusters to run workloads. |
| container.namespaces.create | Create a namespace. This is required to manage GKE clusters to run workloads. |
| container.namespaces.get | Get a namespace. This is required to manage GKE clusters to run workloads. |
| container.namespaces.list | List namespaces. This is required to manage GKE clusters to run workloads. |
| container.operations.get | Get operations. This is required to manage GKE clusters to run workloads. |
| container.pods.get | Get pods. This is required to manage GKE clusters to run workloads. |
| container.pods.getLogs | Get pod logs. This is required to manage GKE clusters to run workloads. |
| container.pods.list | List pods. This is required to manage GKE clusters to run workloads. |
| container.roleBindings.create | Create role bindings. This is required to manage GKE clusters to run workloads. |
| container.roleBindings.get | Get role bindings. This is required to manage GKE clusters to run workloads. |
| container.roles.bind | Bind roles. This is required to manage GKE clusters to run workloads. |
| container.roles.create | Create roles. This is required to manage GKE clusters to run workloads. |
| container.roles.get | Get roles. This is required to manage GKE clusters to run workloads. |
| container.secrets.create | Create a secret. This is required to manage GKE clusters to run workloads. |
| container.secrets.get | Get a secret. This is required to manage GKE clusters to run workloads. |
| container.secrets.update | Update a secret. This is required to manage GKE clusters to run workloads. |
| container.serviceAccounts.create | Create a service account. This is required to manage GKE clusters to run workloads. |
| container.serviceAccounts.get | Get a service account. This is required to manage GKE clusters to run workloads. |
| container.services.create | Create a service. This is required to manage GKE clusters to run workloads. |
| container.services.get | Get a service. This is required to manage GKE clusters to run workloads. |
| container.thirdPartyObjects.create | Create a third-party object. This is required to manage GKE clusters to run workloads. |
| container.thirdPartyObjects.delete | Delete a third-party object. This is required to manage GKE clusters to run workloads. |
| container.thirdPartyObjects.get | Get a third-party object. This is required to manage GKE clusters to run workloads. |
| container.thirdPartyObjects.list | List third-party objects. This is required to manage GKE clusters to run workloads. |
| container.thirdPartyObjects.update | Update a third-party object. This is required to manage GKE clusters to run workloads. |
| iam.serviceAccounts.getIamPolicy | Inspect service accounts or bind them to a cluster. This is required to configure GKE Workload Identity for a cluster’s service account to access your data. |
| iam.serviceAccounts.setIamPolicy | Inspect service accounts or bind them to a cluster. This is required to configure GKE Workload Identity for a cluster’s service account to access your data. |
| resourcemanager.projects.get | Convert the customer project ID to a project number. This is required to validate the Google project status, such as whether it’s live and the workspace service account has enough permissions. |
| resourcemanager.projects.getIamPolicy | Check whether the project IAM policy is correctly configured. This is required to validate the Google project status, such as whether it’s live and the workspace service account has enough permissions. |
| storage.buckets.create | Create a bucket. This is required to create and manage GCS buckets for DBFS, internal artifacts, and logging. |
| storage.buckets.delete | Delete a bucket. This is required to create and manage GCS buckets for DBFS, internal artifacts, and logging. |
| storage.buckets.get | Get a bucket. This is required to create and manage GCS buckets for DBFS, internal artifacts, and logging. |
| storage.buckets.getIamPolicy | Get storage IAM policy. This is required to create and manage GCS buckets for DBFS, internal artifacts, and logging. |
| storage.buckets.list | List buckets. This is required to create and manage GCS buckets for DBFS, internal artifacts, and logging. |
| storage.buckets.setIamPolicy | Set storage IAM policy. This is required to create and manage GCS buckets for DBFS, internal artifacts, and logging. |
| storage.buckets.update | Update a bucket. This is required to create and manage GCS buckets for DBFS, internal artifacts, and logging. |
| storage.hmacKeys.create | Create HMAC keys. This is required to create and manage GCS buckets for DBFS, internal artifacts, and logging. |
| storage.hmacKeys.delete | Delete HMAC keys. This is required to create and manage GCS buckets for DBFS, internal artifacts, and logging. |
| storage.hmacKeys.get | Get HMAC keys. This is required to create and manage GCS buckets for DBFS, internal artifacts, and logging. |
| storage.hmacKeys.list | List HMAC keys. This is required to create and manage GCS buckets for DBFS, internal artifacts, and logging. |
| storage.hmacKeys.update | Update HMAC keys. This is required to create and manage GCS buckets for DBFS, internal artifacts, and logging. |
| storage.objects.create | Create a storage object. This is required to read and write DBFS objects, internal artifacts, and logging. |
| storage.objects.delete | Delete a storage object. This is required to read and write DBFS objects, internal artifacts, and logging. |
| storage.objects.get | Get a storage object. This is required to read and write DBFS objects, internal artifacts, and logging. |
| storage.objects.getIamPolicy | Get a storage object IAM policy. This is required to read and write DBFS objects, internal artifacts, and logging. |
| storage.objects.list | List storage objects. This is required to read and write DBFS objects, internal artifacts, and logging. |
| storage.objects.setIamPolicy | Set a storage object IAM policy. This is required to read and write DBFS objects, internal artifacts, and logging. |
| storage.objects.update | Update a storage object. This is required to read and write DBFS objects, internal artifacts, and logging. |
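A least-privilege audit of the custom role against the network rows of the table above, as an added example that is not Databricks code or documentation: for a customer-managed VPC it flags any network, router or subnet mutation permission the role still carries, and in either VPC mode it flags read/use network permissions the role is missing. It assumes the role JSON printed by `gcloud iam roles describe ROLE_ID --project PROJECT --format=json`; the role id Databricks created in your project is a placeholder here, and the sample role dump is constructed.

```python
"""Audit the workspace service account's custom role for network permissions."""
import json
import subprocess

# Network-mutating permissions the table says the role omits for a
# customer-managed VPC (and carries for a Databricks-managed default VPC).
OMITTED_FOR_CUSTOMER_VPC = frozenset({
    "compute.networks.create", "compute.networks.delete",
    "compute.networks.update", "compute.networks.updatePolicy",
    "compute.routers.create", "compute.routers.delete", "compute.routers.update",
    "compute.subnetworks.create", "compute.subnetworks.delete",
    "compute.subnetworks.expandIpCidrRange", "compute.subnetworks.setIamPolicy",
    "compute.subnetworks.setPrivateIpGoogleAccess", "compute.subnetworks.update",
})
# Read/use network permissions the role carries in both VPC modes.
NETWORK_BASELINE = frozenset({
    "compute.networks.access", "compute.networks.get",
    "compute.networks.getEffectiveFirewalls", "compute.networks.use",
    "compute.networks.useExternalIp", "compute.routers.get", "compute.routers.use",
    "compute.subnetworks.get", "compute.subnetworks.getIamPolicy",
    "compute.subnetworks.use", "compute.subnetworks.useExternalIp",
})


def audit_network_permissions(included_permissions, customer_managed_vpc: bool) -> dict:
    """Return {'missing': [...], 'excess': [...]} for the network permissions.
    'excess' is only reported for a customer-managed VPC, where the role
    should not be able to create, alter or delete networks, routers or subnets."""
    held = set(included_permissions)
    expected = NETWORK_BASELINE if customer_managed_vpc else NETWORK_BASELINE | OMITTED_FOR_CUSTOMER_VPC
    missing = sorted(expected - held)
    excess = sorted(OMITTED_FOR_CUSTOMER_VPC & held) if customer_managed_vpc else []
    return {"missing": missing, "excess": excess}


def load_role_permissions(role_id: str, project: str) -> list:
    """Fetch includedPermissions of a project-level custom role via gcloud."""
    out = subprocess.run(
        ["gcloud", "iam", "roles", "describe", role_id, "--project", project,
         "--format=json"], check=True, capture_output=True, text=True).stdout
    return json.loads(out).get("includedPermissions", [])


# Constructed sample: a role dump for a customer-managed VPC workspace that
# lacks most read permissions and still carries subnet mutation rights.
SAMPLE_ROLE = {"includedPermissions": [
    "compute.networks.get", "compute.networks.use", "compute.subnetworks.get",
    "compute.subnetworks.update", "container.clusters.get",
]}


def audit_sample() -> dict:
    return audit_network_permissions(SAMPLE_ROLE["includedPermissions"], True)


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
    # For a live role: replace the placeholders and uncomment.
    # perms = load_role_permissions("ROLE_ID_PLACEHOLDER", "PROJECT_ID_PLACEHOLDER")
    # print(json.dumps(audit_network_permissions(perms, customer_managed_vpc=True), indent=2))
```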