Required permissions

For each workspace, Databricks creates a service account with the minimal permissions needed to create and manage the workspace. Your Google OAuth identity will be used to grant permissions to the service account on your project. All you have to do is click OK on a standard OAuth dialog. The Databricks account admin who creates the workspace must have the correct permissions on the project that was specified when the workspace was created.

Ensure that one of the following applies to you if you plan to create workspaces:

You are the Project Owner of the Google Cloud project that you specify during workspace creation.
You are the Project Editor and the IAM Admin for the Google Cloud project that you specify during workspace creation.

The set of project permissions that Databricks grants to the service account includes the permissions associated with the following roles:

Kubernetes Admin (built-in role)
Compute Storage Admin (built-in role)
Permissions for a custom role that Databricks automatically creates while launching a workspace.

See following list of permissions and how Databricks uses each one:

Required user permissions or service account permissions to create a workspace.
Permissions in the custom role that Databricks grants to the service account.

The rightmost column specifies one or more phases of the Databricks application:

Launch: Needed for initial launch of a Databricks workspace.
Operational: Needed for general ongoing functionality of a Databricks workspace.
Repair: Needed for potential repair of a Databricks workspace.
Delete: Needed for deletion of a workspace.

Required user permissions or service account permissions to create a workspace

To create a workspace, you must have the following Google permissions on your account, which can be a Google Account or a service account.

Google permission	Purpose	Required for phase
`iam.roles.create`	Create the custom role.	Launch
`iam.roles.delete`	Delete the custom role.	Delete
`iam.roles.get`	Get the custom role.	Launch
`iam.roles.update`	Update the custom role.	Repair
`iam.serviceAccounts.getIamPolicy`	Get IAM policy.	Launch
`iam.serviceAccounts.setIamPolicy`	Set IAM policy.	Launch
`resourcemanager.projects.get`	Get a project number from its project ID.	Launch
`resourcemanager.projects.getIamPolicy`	Get IAM policy	Launch
`resourcemanager.projects.setIamPolicy`	Set IAM policy	Launch
`serviceusage.services.get`	Validate whether the customer project has enabled the required Google Cloud APIs.	Launch
`serviceusage.services.list`	Validate whether the customer project has enabled the required Google Cloud APIs.	Launch
`serviceusage.services.enable`	Enable the required Google Cloud APIs on the project if they are not already enabled.	Launch

Permissions in the custom role that Databricks grants to the service account

While creating a workspace, Databricks creates a service account and grants a role with permissions that Databricks needs to manage your workspace.

If your workspace uses a customer-managed VPC, it does not need as many permissions. The role that Databricks creates omits permissions such as creating, updating, and deleting objects such as networks, routers, and subnets. For the full list, see Permissions in the custom role that Databricks grants to the service account.

Google permission	Purpose	Required for phase
`compute.globalOperations.get`	Visibility into GCE operations during GCE outages.	Operational
`compute.instanceGroups.get`	GCE troubleshooting.	Operational
`compute.instanceGroups.list`	GCE troubleshooting.	Operational
`compute.instances.get`	GCE troubleshooting.	Operational
`compute.instances.list`	GCE troubleshooting.	Operational
`compute.networks.access`	Manage network resources.	Operational
`compute.networks.create`	Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.	Launch
`compute.networks.delete`	Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.	Delete
`compute.networks.get`	Manage network resources.	Launch, Operational
`compute.networks.getEffectiveFirewalls`	Manage network resources.	Operational
`compute.networks.update`	Manage network resources.	Repair
`compute.networks.updatePolicy`	Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.	Repair
`compute.networks.use`	Manage network resources.	Operational
`compute.networks.useExternalIp`	Manage network resources.	Launch
`compute.regionOperations.get`	Visibility into GCE operations during GCE outages.	Operational
`compute.routers.create`	Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.	Launch
`compute.routers.delete`	Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.	Delete
`compute.routers.get`	Manage network resources.	Operational
`compute.routers.update`	Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.	Repair
`compute.routers.use`	Manage network resources.	Operational
`compute.subnetworks.create`	Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.	Launch
`compute.subnetworks.delete`	Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.	Delete
`compute.subnetworks.expandIpCidrRange`	Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.	Repair
`compute.subnetworks.get`	Manage network resources.	Operational
`compute.subnetworks.getIamPolicy`	Manage network resources.	Repair
`compute.subnetworks.setIamPolicy`	Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.	Launch
`compute.subnetworks.setPrivateIpGoogleAccess`	Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.	Launch
`compute.subnetworks.update`	Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.	Repair
`compute.subnetworks.use`	Manage network resources.	Operational
`compute.subnetworks.useExternalIp`	Manage network resources.	Launch
`container.clusterRoleBindings.create`	Manage GKE cluster.	Operational
`container.clusterRoleBindings.get`	Manage GKE cluster.	Operational
`container.clusterRoles.bind`	Manage GKE cluster.	Operational
`container.clusterRoles.create`	Manage GKE cluster.	Operational
`container.clusterRoles.get`	Manage GKE cluster.	Operational
`container.clusters.create`	Manage GKE cluster.	Operational
`container.clusters.delete`	Manage GKE cluster.	Operational
`container.clusters.get`	Manage GKE cluster.	Operational
`container.clusters.getCredentials`	Manage GKE cluster.	Operational
`container.clusters.list`	Manage GKE cluster.	Operational
`container.clusters.update`	Manage GKE cluster.	Operational
`container.configMaps.create`	Manage GKE cluster.	Operational
`container.configMaps.get`	Manage GKE cluster.	Operational
`container.configMaps.update`	Manage GKE cluster.	Operational
`container.customResourceDefinitions.create`	Manage GKE cluster.	Operational
`container.customResourceDefinitions.get`	Manage GKE cluster.	Operational
`container.customResourceDefinitions.update`	Manage GKE cluster.	Operational
`container.daemonSets.create`	Manage GKE cluster.	Operational
`container.daemonSets.get`	Manage GKE cluster.	Operational
`container.daemonSets.update`	Manage GKE cluster.	Operational
`container.deployments.create`	Manage GKE cluster.	Operational
`container.deployments.get`	Manage GKE cluster.	Operational
`container.deployments.update`	Manage GKE cluster.	Operational
`container.jobs.create`	Manage GKE cluster.	Operational
`container.jobs.get`	Manage GKE cluster.	Operational
`container.jobs.update`	Manage GKE cluster.	Operational
`container.namespaces.create`	Manage GKE cluster.	Operational
`container.namespaces.get`	Manage GKE cluster.	Operational
`container.namespaces.list`	Manage GKE cluster.	Operational
`container.operations.get`	Manage GKE cluster.	Operational
`container.pods.get`	Manage GKE cluster.	Operational
`container.pods.getLogs`	Manage GKE cluster.	Operational
`container.pods.list`	Manage GKE cluster.	Operational
`container.roleBindings.create`	Manage GKE cluster.	Operational
`container.roleBindings.get`	Manage GKE cluster.	Operational
`container.roles.bind`	Manage GKE cluster.	Operational
`container.roles.create`	Manage GKE cluster.	Operational
`container.roles.get`	Manage GKE cluster.	Operational
`container.secrets.create`	Manage GKE cluster.	Operational
`container.secrets.get`	Manage GKE cluster.	Operational
`container.secrets.update`	Manage GKE cluster.	Operational
`container.serviceAccounts.create`	Manage GKE cluster.	Operational
`container.serviceAccounts.get`	Manage GKE cluster.	Operational
`container.services.create`	Manage GKE cluster.	Operational
`container.services.get`	Manage GKE cluster.	Operational
`container.thirdPartyObjects.create`	Manage GKE cluster.	Operational
`container.thirdPartyObjects.delete`	Manage GKE cluster.	Operational
`container.thirdPartyObjects.get`	Manage GKE cluster.	Operational
`container.thirdPartyObjects.list`	Manage GKE cluster.	Operational
`container.thirdPartyObjects.update`	Manage GKE cluster.	Operational
`iam.serviceAccounts.getIamPolicy`	Inspect Google service accounts or bind them to a cluster.	Operational
`iam.serviceAccounts.setIamPolicy`	Inspect Google service accounts or bind them to a cluster.	Operational
`resourcemanager.projects.get`	Converting customer project ID to a project number.	Launch, Operational
`resourcemanager.projects.getIamPolicy`	Check if the project IAM policy is correctly configured.	Launch
`storage.buckets.create`	Implement DBFS, internal artifacts, and logging.	Launch
`storage.buckets.delete`	Implement DBFS, internal artifacts, and logging.	Delete
`storage.buckets.get`	Implement DBFS, internal artifacts, and logging.	Operational
`storage.buckets.getIamPolicy`	Implement DBFS, internal artifacts, and logging.	Operational
`storage.buckets.list`	Implement DBFS, internal artifacts, and logging.	Operational
`storage.buckets.setIamPolicy`	Implement DBFS, internal artifacts, and logging.	Repair
`storage.buckets.update`	Implement DBFS, internal artifacts, and logging.	Operational
`storage.hmacKeys.create`	Implement DBFS, internal artifacts, and logging.	Launch
`storage.hmacKeys.delete`	Implement DBFS, internal artifacts, and logging.	Delete
`storage.hmacKeys.get`	Implement DBFS, internal artifacts, and logging.	Operational
`storage.hmacKeys.list`	Implement DBFS, internal artifacts, and logging.	Operational
`storage.hmacKeys.update`	Implement DBFS, internal artifacts, and logging.	Operational
`storage.objects.create`	Implement DBFS, internal artifacts, and logging.	Launch, Operational
`storage.objects.delete`	Implement DBFS, internal artifacts, and logging.	Operational
`storage.objects.get`	Implement DBFS, internal artifacts, and logging.	Operational
`storage.objects.getIamPolicy`	Implement DBFS, internal artifacts, and logging.	Operational
`storage.objects.list`	Implement DBFS, internal artifacts, and logging.	Operational
`storage.objects.setIamPolicy`	Implement DBFS, internal artifacts, and logging.	Launch
`storage.objects.update`	Implement DBFS, internal artifacts, and logging.	Operational