Required permissions

For each workspace, Databricks creates a service account with the minimal permissions needed to create and manage the workspace. Your Google OAuth identity will be used to grant permissions to the service account on your project. All you have to do is click OK on a standard OAuth dialog. The Databricks account admin who creates the workspace must have the correct permissions on the project that was specified when the workspace was created.

Ensure that one of the following applies to you if you plan to create workspaces:

  • You are the Project Owner of the Google Cloud project that you specify during workspace creation.

  • You are the Project Editor and the IAM Admin for the Google Cloud project that you specify during workspace creation.

The set of project permissions that Databricks grants to the service account includes the permissions associated with the following roles:

  • Kubernetes Admin (built-in role)

  • Compute Storage Admin (built-in role)

  • Permissions for a custom role that Databricks automatically creates while launching a workspace.

The following tables list each permission and how Databricks uses it.

The rightmost column specifies one or more phases of the Databricks application:

  • Launch: Needed for initial launch of a Databricks workspace.

  • Operational: Needed for general ongoing functionality of a Databricks workspace.

  • Repair: Needed for potential repair of a Databricks workspace.

  • Delete: Needed for deletion of a workspace.

Required user permissions or service account permissions to create a workspace

To create a workspace, you must have the following Google permissions on your account, which can be a Google Account or a service account.

| Google permission | Purpose | Required for phase |
|---|---|---|
| iam.roles.create | Create the custom role. | Launch |
| iam.roles.delete | Delete the custom role. | Delete |
| iam.roles.get | Get the custom role. | Launch |
| iam.roles.update | Update the custom role. | Repair |
| iam.serviceAccounts.getIamPolicy | Get IAM policy. | Launch |
| iam.serviceAccounts.setIamPolicy | Set IAM policy. | Launch |
| resourcemanager.projects.get | Get a project number from its project ID. | Launch |
| resourcemanager.projects.getIamPolicy | Get IAM policy. | Launch |
| resourcemanager.projects.setIamPolicy | Set IAM policy. | Launch |
| serviceusage.services.get | Validate whether the customer project has enabled the required Google Cloud APIs. | Launch |
| serviceusage.services.list | Validate whether the customer project has enabled the required Google Cloud APIs. | Launch |
| serviceusage.services.enable | Enable the required Google Cloud APIs on the project if they are not already enabled. | Launch |

Permissions in the custom role that Databricks grants to the service account

| Google permission | Purpose | Required for phase |
|---|---|---|
| compute.globalOperations.get | Visibility into GCE operations during GCE outages. | Operational |
| compute.instanceGroups.get | GCE troubleshooting. | Operational |
| compute.instanceGroups.list | GCE troubleshooting. | Operational |
| compute.instances.get | GCE troubleshooting. | Operational |
| compute.instances.list | GCE troubleshooting. | Operational |
| compute.networks.access | Manage network resources. | Operational |
| compute.networks.create | Manage network resources. | Launch |
| compute.networks.delete | Manage network resources. | Delete |
| compute.networks.get | Manage network resources. | Launch, Operational |
| compute.networks.getEffectiveFirewalls | Manage network resources. | Operational |
| compute.networks.update | Manage network resources. | Repair |
| compute.networks.updatePolicy | Manage network resources. | Repair |
| compute.networks.use | Manage network resources. | Operational |
| compute.networks.useExternalIp | Manage network resources. | Launch |
| compute.regionOperations.get | Visibility into GCE operations during GCE outages. | Operational |
| compute.routers.create | Manage network resources. | Launch |
| compute.routers.delete | Manage network resources. | Delete |
| compute.routers.get | Manage network resources. | Operational |
| compute.routers.update | Manage network resources. | Repair |
| compute.routers.use | Manage network resources. | Operational |
| compute.subnetworks.create | Manage network resources. | Launch |
| compute.subnetworks.delete | Manage network resources. | Delete |
| compute.subnetworks.expandIpCidrRange | Manage network resources. | Repair |
| compute.subnetworks.get | Manage network resources. | Operational |
| compute.subnetworks.getIamPolicy | Manage network resources. | Repair |
| compute.subnetworks.setIamPolicy | Manage network resources. | Launch |
| compute.subnetworks.setPrivateIpGoogleAccess | Manage network resources. | Launch |
| compute.subnetworks.update | Manage network resources. | Repair |
| compute.subnetworks.use | Manage network resources. | Operational |
| compute.subnetworks.useExternalIp | Manage network resources. | Launch |
| container.clusterRoleBindings.create | Manage GKE cluster. | Operational |
| container.clusterRoleBindings.get | Manage GKE cluster. | Operational |
| container.clusterRoles.bind | Manage GKE cluster. | Operational |
| container.clusterRoles.create | Manage GKE cluster. | Operational |
| container.clusterRoles.get | Manage GKE cluster. | Operational |
| container.clusters.create | Manage GKE cluster. | Operational |
| container.clusters.delete | Manage GKE cluster. | Operational |
| container.clusters.get | Manage GKE cluster. | Operational |
| container.clusters.getCredentials | Manage GKE cluster. | Operational |
| container.clusters.list | Manage GKE cluster. | Operational |
| container.clusters.update | Manage GKE cluster. | Operational |
| container.configMaps.create | Manage GKE cluster. | Operational |
| container.configMaps.get | Manage GKE cluster. | Operational |
| container.configMaps.update | Manage GKE cluster. | Operational |
| container.customResourceDefinitions.create | Manage GKE cluster. | Operational |
| container.customResourceDefinitions.get | Manage GKE cluster. | Operational |
| container.customResourceDefinitions.update | Manage GKE cluster. | Operational |
| container.daemonSets.create | Manage GKE cluster. | Operational |
| container.daemonSets.get | Manage GKE cluster. | Operational |
| container.daemonSets.update | Manage GKE cluster. | Operational |
| container.deployments.create | Manage GKE cluster. | Operational |
| container.deployments.get | Manage GKE cluster. | Operational |
| container.deployments.update | Manage GKE cluster. | Operational |
| container.jobs.create | Manage GKE cluster. | Operational |
| container.jobs.get | Manage GKE cluster. | Operational |
| container.jobs.update | Manage GKE cluster. | Operational |
| container.namespaces.create | Manage GKE cluster. | Operational |
| container.namespaces.get | Manage GKE cluster. | Operational |
| container.namespaces.list | Manage GKE cluster. | Operational |
| container.operations.get | Manage GKE cluster. | Operational |
| container.pods.get | Manage GKE cluster. | Operational |
| container.pods.getLogs | Manage GKE cluster. | Operational |
| container.pods.list | Manage GKE cluster. | Operational |
| container.roleBindings.create | Manage GKE cluster. | Operational |
| container.roleBindings.get | Manage GKE cluster. | Operational |
| container.roles.bind | Manage GKE cluster. | Operational |
| container.roles.create | Manage GKE cluster. | Operational |
| container.roles.get | Manage GKE cluster. | Operational |
| container.secrets.create | Manage GKE cluster. | Operational |
| container.secrets.get | Manage GKE cluster. | Operational |
| container.secrets.update | Manage GKE cluster. | Operational |
| container.serviceAccounts.create | Manage GKE cluster. | Operational |
| container.serviceAccounts.get | Manage GKE cluster. | Operational |
| container.services.create | Manage GKE cluster. | Operational |
| container.services.get | Manage GKE cluster. | Operational |
| container.thirdPartyObjects.create | Manage GKE cluster. | Operational |
| container.thirdPartyObjects.delete | Manage GKE cluster. | Operational |
| container.thirdPartyObjects.get | Manage GKE cluster. | Operational |
| container.thirdPartyObjects.list | Manage GKE cluster. | Operational |
| container.thirdPartyObjects.update | Manage GKE cluster. | Operational |
| iam.serviceAccounts.getIamPolicy | Inspect Google service accounts or bind them to a cluster. | Operational |
| iam.serviceAccounts.setIamPolicy | Inspect Google service accounts or bind them to a cluster. | Operational |
| resourcemanager.projects.get | Convert the customer project ID to a project number. | Launch, Operational |
| resourcemanager.projects.getIamPolicy | Check if the project IAM policy is correctly configured. | Launch |
| storage.buckets.create | Implement DBFS, internal artifacts, and logging. | Launch |
| storage.buckets.delete | Implement DBFS, internal artifacts, and logging. | Delete |
| storage.buckets.get | Implement DBFS, internal artifacts, and logging. | Operational |
| storage.buckets.getIamPolicy | Implement DBFS, internal artifacts, and logging. | Operational |
| storage.buckets.list | Implement DBFS, internal artifacts, and logging. | Operational |
| storage.buckets.setIamPolicy | Implement DBFS, internal artifacts, and logging. | Repair |
| storage.buckets.update | Implement DBFS, internal artifacts, and logging. | Operational |
| storage.hmacKeys.create | Implement DBFS, internal artifacts, and logging. | Launch |
| storage.hmacKeys.delete | Implement DBFS, internal artifacts, and logging. | Delete |
| storage.hmacKeys.get | Implement DBFS, internal artifacts, and logging. | Operational |
| storage.hmacKeys.list | Implement DBFS, internal artifacts, and logging. | Operational |
| storage.hmacKeys.update | Implement DBFS, internal artifacts, and logging. | Operational |
| storage.objects.create | Implement DBFS, internal artifacts, and logging. | Launch, Operational |
| storage.objects.delete | Implement DBFS, internal artifacts, and logging. | Operational |
| storage.objects.get | Implement DBFS, internal artifacts, and logging. | Operational |
| storage.objects.getIamPolicy | Implement DBFS, internal artifacts, and logging. | Operational |
| storage.objects.list | Implement DBFS, internal artifacts, and logging. | Operational |
| storage.objects.setIamPolicy | Implement DBFS, internal artifacts, and logging. | Launch |
| storage.objects.update | Implement DBFS, internal artifacts, and logging. | Operational |