Required permissions

This page explains the permissions required for creating and managing a Databricks workspace on Google Cloud.

On Google Cloud, each workspace runs inside a customer-owned workspace project. Databricks creates and owns a per-workspace service account with the minimal permissions needed to manage the workspace. Databricks uses the credentials of the workspace creator to grant permissions to the service account on the workspace project. A Databricks account admin must have the required permissions on the workspace project to successfully create a workspace.

The Legacy permissions section of this article contains the list of permissions previously required by Databricks to launch compute on GKE. For more information about the migration from GKE to GCE, see Update permissions for GCE compute deployment.

Required permissions for the workspace creator

Databricks uses the workspace creator’s credentials to validate settings, grant permissions, enable required services, and provision the workspace.

The following is the minimal set of permissions required on the workspace and network projects. Databricks recommends that the workspace creator have the roles/owner role on both the workspace and VPC projects.

Note

Workspace creation typically takes less than a minute to complete. Databricks won’t retain or use these permissions after workspace creation.

Google permission

Purpose

Required for workspace project

Required for VPC project

Use case

iam.roles.create

Create the custom role.

Create and manage a custom role for granting permissions to the workspace’s service account.

iam.roles.delete

Delete the custom role.

Create and manage a custom role for granting permissions to the workspace’s service account.

iam.roles.get

Get the custom role.

Create and manage a custom role for granting permissions to the workspace’s service account.

iam.roles.update

Update the custom role.

Create and manage a custom role for granting permissions to the workspace’s service account.

iam.serviceAccounts.create

Create the Databricks-compute service account.

Create the Databricks-compute service account used by all clusters in the workspace that do not have a custom service account attached. This service account has minimal permissions, limited to logging and metrics.

iam.serviceAccounts.get

Get the Databricks-compute service account.

Check whether the required Databricks-compute service account used by all clusters in the workspace exists.

iam.serviceAccounts.getIamPolicy

Get IAM policy.

Grant the workspace service account the Service Account User role on the Google Compute Engine (GCE) service account for launching GKE clusters.

iam.serviceAccounts.setIamPolicy

Set IAM policy.

Grant the workspace service account the Service Account User role on the Google Compute Engine (GCE) service account for launching GKE clusters.

resourcemanager.projects.get

Get a project number from its project ID.

Get basic information about the workspace project.

resourcemanager.projects.getIamPolicy

Get IAM policy.

Get basic information about the workspace project.

resourcemanager.projects.setIamPolicy

Set IAM policy.

Get basic information about the workspace project.

serviceusage.services.get

Validate whether the customer project has enabled the required Google Cloud APIs.

Enable Google Cloud services needed for Databricks workloads.

serviceusage.services.list

Validate whether the customer project has enabled the required Google Cloud APIs.

Enable Google Cloud services needed for Databricks workloads.

serviceusage.services.enable

Enable the required Google Cloud APIs on the project if they are not already enabled.

Enable Google Cloud services needed for Databricks workloads.

compute.networks.get

Validate the existence of a VPC network.

Validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project.

compute.networks.updatePolicy

Update the firewall policy on the VPC network.

Updates the firewall policy on the customer-provided VPC network, which might belong to a project other than the workspace project.

compute.projects.get

Get the host project of a VPC network.

Validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project.

compute.subnetworks.get

Validate subnets of a VPC network.

Validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project. Required if you use a customer-managed VPC.

compute.subnetworks.getIamPolicy

Get the IAM policy on the VPC subnet.

Validate the grants on the subnetwork for the customer-provided VPC network, which might belong to a project other than the workspace project. Required if you use a customer-managed VPC.

compute.subnetworks.setIamPolicy

Set the IAM policy on the VPC subnet.

Sets the IAM policy on the subnetwork for the customer-provided VPC network, which might belong to a project other than the workspace project. Required if you use a customer-managed VPC.

compute.forwardingRules.get

List forwarding rules for Private Service Connect.

Required if you enable Private Service Connect.

compute.forwardingRules.list

Get forwarding rules for Private Service Connect.

Required if you enable Private Service Connect.

compute.firewalls.get

Get a firewall rule.

Gets the required firewall rule in the customer-provided VPC network to check if it exists.

compute.firewalls.create

Create a firewall rule.

Creates a firewall rule in the customer-provided VPC network, which might belong to a project other than the workspace project.

Required permissions for the workspace service account

The workspace service account requires permissions in the following IAM roles on the workspace project to operate and manage a workspace:

  • Databricks Project Role v2: This role is required to operate and manage project-level resources such as instances, disks, cloud operations, and service accounts managed by Databricks. It is granted at the project level to the workspace service account.

  • Databricks Resource Role v2: This is required to operate and manage Google Compute Engine (GCE) instances, storage disks, and other workspace-level resources managed by Databricks. This role is granted at the project level to the workspace service account. The workspace-level scoping is enforced using an IAM condition on the workspace ID. The following example uses 1234567890 in place of an actual workspace ID:

    resource.name.extract("{x}databricks") != "" &&
    resource.name.extract("{x}1234567890") != ""
    
  • Databricks Network Role v2: This is required to use subnetwork resources under a customer-managed VPC network. It is granted to the workspace service account on the specific subnet.
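An added example (not Databricks code): a Python check that reads a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json` and confirms that the Resource Role binding for the workspace service account carries the workspace-ID condition shown above. The project ID, role IDs, service-account names, resource names and the simplified model of `extract("{x}...")` (the text before the first occurrence of the literal, empty when the literal is absent) are assumptions made for illustration.

```python
import re

# Condition text from the page; 1234567890 stands in for a real workspace ID.
PAGE_CONDITION = (
    'resource.name.extract("{x}databricks") != "" && '
    'resource.name.extract("{x}1234567890") != ""'
)

# Constructed sample policy. Project ID, role IDs and member names are
# hypothetical placeholders, not identifiers published by Databricks.
RESOURCE_ROLE = "projects/example-project/roles/databricks_resource_role_v2"
PROJECT_ROLE = "projects/example-project/roles/databricks_project_role_v2"
WORKSPACE_SA = "serviceAccount:workspace-sa@example.invalid"
OTHER_SA = "serviceAccount:other-sa@example.invalid"

SAMPLE_POLICY = {
    "version": 3,  # conditional bindings require policy version 3
    "bindings": [
        {"role": PROJECT_ROLE, "members": [WORKSPACE_SA]},
        {"role": RESOURCE_ROLE, "members": [WORKSPACE_SA],
         "condition": {"title": "workspace scope", "expression": PAGE_CONDITION}},
        {"role": RESOURCE_ROLE, "members": [OTHER_SA]},  # no condition
    ],
}

_CLAUSE = re.compile(r'resource\.name\.extract\("\{x\}([^"]+)"\)\s*!=\s*""')


def required_substrings(expression):
    """Return the literal of each `resource.name.extract("{x}LIT") != ""` clause.

    Raises ValueError for any clause in another form, so an unexpected
    condition is reported instead of being silently treated as valid.
    """
    literals = []
    for clause in expression.split("&&"):
        match = _CLAUSE.fullmatch(clause.strip())
        if match is None:
            raise ValueError(f"unsupported clause: {clause.strip()!r}")
        literals.append(match.group(1))
    return literals


def extract_before(resource_name, literal):
    """Simplified model (assumption) of extract("{x}LIT") on a resource name."""
    index = resource_name.find(literal)
    return resource_name[:index] if index >= 0 else ""


def condition_allows(expression, resource_name):
    """Evaluate the page's style of condition against one resource name."""
    return all(extract_before(resource_name, lit) != ""
               for lit in required_substrings(expression))


def audit_resource_role(policy, member, role, workspace_id):
    """Classify every binding of `role` to `member` in the policy.

    Returns a list with one status per matching binding:
    ok, unconditioned, unrecognised-condition or wrong-workspace-id.
    Returns ["not-bound"] when the member does not hold the role at all.
    """
    statuses = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != role or member not in binding.get("members", []):
            continue
        condition = binding.get("condition")
        if condition is None:
            statuses.append("unconditioned")
            continue
        try:
            literals = required_substrings(condition.get("expression", ""))
        except ValueError:
            statuses.append("unrecognised-condition")
            continue
        statuses.append("ok" if workspace_id in literals else "wrong-workspace-id")
    return statuses or ["not-bound"]


if __name__ == "__main__":
    for sa in (WORKSPACE_SA, OTHER_SA):
        print(sa, audit_resource_role(SAMPLE_POLICY, sa, RESOURCE_ROLE, "1234567890"))
    # Constructed resource names; real instance naming may differ.
    base = "projects/example-project/zones/us-central1-a/instances/"
    for name in ("databricks-1234567890-worker-0",
                 "databricks-9999999999-worker-0",
                 "app-server-1"):
        print(name, condition_allows(PAGE_CONDITION, base + name))
```

Because the condition is a substring test on the resource name, the audit treats a Resource Role binding without it as project-wide rather than workspace-scoped.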

Permissions for Databricks Project Role v2

Permission

Purpose

Use case

compute.disks.list

List disks

Manage Google Compute Engine (GCE) resources to run workloads

compute.globalOperations.list

List cloud operations

Manage Google Compute Engine (GCE) resources to run workloads

compute.regionOperations.list

List regional cloud operations

Manage Google Compute Engine (GCE) resources to run workloads

compute.zoneOperations.list

List zonal cloud operations

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.list

List GCE instances

Manage Google Compute Engine (GCE) resources to run workloads

compute.zones.list

List available zones

Manage Google Compute Engine (GCE) resources to run workloads

compute.zones.get

Get zone description

Manage Google Compute Engine (GCE) resources to run workloads

compute.regions.get

Get region description

Manage Google Compute Engine (GCE) resources to run workloads

resourcemanager.projects.get

Get quota details

Manage Google Compute Engine (GCE) resources to run workloads

serviceusage.quotas.get

Get quota details

Manage Google Compute Engine (GCE) resources to run workloads

storage.buckets.list

List Databricks-managed GCS buckets

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.recommendLocations

Get on-demand capacity recommendations

Get zone/machine type recommendations for on-demand instances based on available capacity in the region

compute.spotAssistants.get

Get spot capacity recommendations

Get zone/machine type recommendations for spot instances based on available capacity in the region

compute.reservations.get

Get details of a GCE reservation

Get details of a GCE reservation for use in zone/machine type selection

compute.reservations.list

List all GCE reservations

List details of all GCE reservations for use in zone/machine type selection

Permissions for Databricks Resource Role v2

Permission

Purpose

Use case

compute.disks.create

Create Databricks-managed disks

Manage Google Compute Engine (GCE) resources to run workloads

compute.disks.delete

Delete Databricks-managed disks

Manage Google Compute Engine (GCE) resources to run workloads

compute.disks.get

Get Databricks-managed disk info

Manage Google Compute Engine (GCE) resources to run workloads

compute.disks.resize

Resize Databricks-managed disks

Manage Google Compute Engine (GCE) resources to run workloads

compute.disks.setLabels

Set Labels on Databricks-managed disks

Manage Google Compute Engine (GCE) resources to run workloads

compute.disks.update

Update Databricks-managed disks

Manage Google Compute Engine (GCE) resources to run workloads

compute.disks.use

Attach Databricks-managed disks to a VM

Manage Google Compute Engine (GCE) resources to run workloads

compute.disks.useReadOnly

Attach Databricks-managed disks to a VM in read-only mode

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.create

Create Databricks-managed instances

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.delete

Delete Databricks-managed instances

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.attachDisk

Attach a disk to a Databricks-managed instance

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.detachDisk

Detach a disk from a Databricks-managed instance

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.get

Get instance details

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.getGuestAttributes

Get instance guest attributes

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.getSerialPortOutput

Get instance serial port logs

Debug failed Google Compute Engine (GCE) resources

compute.instances.setLabels

Set labels on an instance

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.setTags

Set tags on an instance

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.update

Update an instance

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.setMetadata

Set metadata on an instance

Manage Google Compute Engine (GCE) resources to run workloads

compute.instances.setServiceAccount

Set service account on an instance

Manage Google Compute Engine (GCE) resources to run workloads

storage.multipartUploads.abort

Cancel a multipart upload to Databricks-managed GCS bucket

Manage Google Cloud Storage (GCS) upload sessions when uploading large files

storage.multipartUploads.create

Create a multipart upload to Databricks-managed GCS bucket

Manage Google Cloud Storage (GCS) upload sessions when uploading large files

storage.multipartUploads.list

List multipart uploads to Databricks-managed GCS bucket

Manage Google Cloud Storage (GCS) upload sessions when uploading large files

storage.multipartUploads.listParts

List parts uploaded for a specific multipart upload to a Databricks-managed GCS bucket

Manage Google Cloud Storage (GCS) upload sessions when uploading large files

storage.buckets.create

Create a Databricks-managed GCS bucket

Manage Google Compute Engine (GCE) resources to run workloads

storage.buckets.delete

Delete a Databricks-managed GCS bucket

Manage Google Compute Engine (GCE) resources to run workloads

storage.buckets.get

Get details of a Databricks-managed GCS bucket

Manage Google Compute Engine (GCE) resources to run workloads

storage.buckets.getIamPolicy

Get IAM policy of a Databricks-managed GCS bucket

Manage Google Compute Engine (GCE) resources to run workloads

storage.buckets.setIamPolicy

Set IAM policy of a Databricks-managed GCS bucket

Manage Google Compute Engine (GCE) resources to run workloads

storage.buckets.update

Update a Databricks-managed GCS bucket

Manage Google Compute Engine (GCE) resources to run workloads

storage.objects.create

Create a Databricks-managed GCS bucket

Manage Google Compute Engine (GCE) resources to run workloads

storage.objects.delete

Delete a Databricks-managed GCS bucket

Manage Google Compute Engine (GCE) resources to run workloads

storage.objects.get

Get details for a Databricks-managed GCS bucket

Manage Google Compute Engine (GCE) resources to run workloads

storage.objects.list

List objects in a Databricks-managed GCS bucket

Manage Google Compute Engine (GCE) resources to run workloads

storage.objects.update

Update objects in a Databricks-managed GCS bucket

Manage Google Compute Engine (GCE) resources to run workloads

Additional permissions for workspaces on Databricks-managed VPC network

The following permissions are also required for workspaces that use a Databricks-managed VPC network:

Permission

Purpose

Use case

compute.networks.access

Launch VMs in the Databricks-managed VPC

Manage Google Compute Engine (GCE) resources to run workloads

compute.networks.get

Get details of the Databricks-managed VPC

Manage Google Compute Engine (GCE) resources to run workloads

compute.networks.use

Launch VMs in the Databricks-managed VPC

Manage Google Compute Engine (GCE) resources to run workloads

compute.networks.useExternalIp

Launch VMs in the Databricks-managed VPC

Manage Google Compute Engine (GCE) resources to run workloads

compute.routers.get

Get details of the Databricks-managed router

Manage Google Compute Engine (GCE) resources to run workloads

compute.subnetworks.get

Get details of the Databricks-managed subnet

Manage Google Compute Engine (GCE) resources to run workloads

compute.subnetworks.use

Launch VMs in the Databricks-managed VPC

Manage Google Compute Engine (GCE) resources to run workloads

compute.routers.use

Launch VMs in the Databricks-managed VPC

Manage Google Compute Engine (GCE) resources to run workloads

compute.subnetworks.getIamPolicy

Get IAM policy for Databricks-managed subnet

Manage Google Compute Engine (GCE) resources to run workloads

compute.subnetworks.useExternalIp

Launch VMs in the Databricks-managed VPC

Manage Google Compute Engine (GCE) resources to run workloads

compute.networks.create

Create the Databricks-managed VPC

Manage Google Compute Engine (GCE) resources to run workloads

compute.networks.delete

Delete the Databricks-managed VPC

Manage Google Compute Engine (GCE) resources to run workloads

compute.networks.update

Update the Databricks-managed VPC

Manage Google Compute Engine (GCE) resources to run workloads

compute.networks.updatePolicy

Update the Databricks-managed VPC

Manage Google Compute Engine (GCE) resources to run workloads

compute.subnetworks.create

Create the Databricks-managed subnet

Manage Google Compute Engine (GCE) resources to run workloads

compute.subnetworks.delete

Delete the Databricks-managed subnet

Manage Google Compute Engine (GCE) resources to run workloads

compute.subnetworks.expandIpCidrRange

Expand CIDR range on the Databricks-managed subnet

Manage Google Compute Engine (GCE) resources to run workloads

compute.subnetworks.setIamPolicy

Set IAM policy on the Databricks-managed subnet

Manage Google Compute Engine (GCE) resources to run workloads

compute.subnetworks.setPrivateIpGoogleAccess

Configure Private Google API Access on the Databricks-managed subnet

Manage Google Compute Engine (GCE) resources to run workloads

compute.subnetworks.update

Update the Databricks-managed subnet

Manage Google Compute Engine (GCE) resources to run workloads

compute.routers.create

Create the Databricks-managed router

Manage Google Compute Engine (GCE) resources to run workloads

compute.routers.delete

Delete the Databricks-managed router

Manage Google Compute Engine (GCE) resources to run workloads

compute.routers.update

Update the Databricks-managed router

Manage Google Compute Engine (GCE) resources to run workloads

compute.firewalls.create

Create the ingress firewall rule to allow Databricks VMs to communicate

Manage Google Compute Engine (GCE) resources to run workloads

compute.firewalls.delete

Delete the ingress firewall rule on workspace teardown in order to clean up the VPC

Manage Google Compute Engine (GCE) resources to run workloads

compute.firewalls.get

Get the ingress firewall rule details

Manage Google Compute Engine (GCE) resources to run workloads

compute.firewalls.update

Update ingress firewall rule details

Manage Google Compute Engine (GCE) resources to run workloads

Permissions for Databricks Network Role v2

Permission

Purpose

Use case

compute.subnetworks.use

Use the subnet in the customer-managed network

Manage Google Compute Engine (GCE) resources to run workloads

compute.subnetworks.get

Get the info of the subnet in the customer-managed network

Manage Google Compute Engine (GCE) resources to run workloads

Legacy permissions

The following permissions are legacy and were required when Databricks launched GKE clusters. Reference this list only if your account has not updated its permissions for GCE compute deployment. See Update permissions for GCE compute deployment.

Required permissions for the workspace creator

Google permission

Purpose

Use case

iam.roles.create

Create the custom role.

Create and manage a custom role for granting permissions to the workspace’s service account.

iam.roles.delete

Delete the custom role.

Create and manage a custom role for granting permissions to the workspace’s service account.

iam.roles.get

Get the custom role.

Create and manage a custom role for granting permissions to the workspace’s service account.

iam.roles.update

Update the custom role.

Create and manage a custom role for granting permissions to the workspace’s service account.

iam.serviceAccounts.getIamPolicy

Get IAM policy.

Grant the workspace service account the Service Account User role on the Google Compute Engine (GCE) service account for launching GKE clusters.

iam.serviceAccounts.setIamPolicy

Set IAM policy.

Grant the workspace service account the Service Account User role on the Google Compute Engine (GCE) service account for launching GKE clusters.

resourcemanager.projects.get

Get a project number from its project ID.

Get basic information about the workspace project.

resourcemanager.projects.getIamPolicy

Get IAM policy.

Get basic information about the workspace project.

resourcemanager.projects.setIamPolicy

Set IAM policy.

Get basic information about the workspace project.

serviceusage.services.get

Validate whether the customer project has enabled the required Google Cloud APIs.

Enable Google Cloud services needed for Databricks workloads.

serviceusage.services.list

Validate whether the customer project has enabled the required Google Cloud APIs.

Enable Google Cloud services needed for Databricks workloads.

serviceusage.services.enable

Enable the required Google Cloud APIs on the project if they are not already enabled.

Enable Google Cloud services needed for Databricks workloads.

compute.networks.get

Validate the existence of a VPC network.

Validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project.

compute.projects.get

Get the host project of a VPC network.

Validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project.

compute.subnetworks.get

Validate subnets of a VPC network.

Validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project.

compute.forwardingRules.get

List forwarding rules for Private Service Connect.

Required if you enable Private Service Connect.

compute.forwardingRules.list

Get forwarding rules for Private Service Connect.

Required if you enable Private Service Connect.

cloudkms.cryptoKeys.getIamPolicy

Get the access control policy for a Cloud KMS resource.

Required on the Cloud KMS key if you enable customer-managed keys.

cloudkms.cryptoKeys.setIamPolicy

Set the access control policy on a Cloud KMS resource.

Required on the Cloud KMS key if you enable customer-managed keys.

Required permissions for the workspace service account

The workspace service account requires permissions in the following IAM roles on the workspace project to operate and manage a workspace:

  • GKE Admin Role: This is required to operate and manage customer workloads running on GKE.

  • GCE Storage Admin Role: This is required to operate and manage Google Compute Engine (GCE) persistent storage associated with GKE nodes.

  • Databricks Workspace Role: A per-workspace custom role for granting additional permissions needed to manage a workspace.

Permission

Purpose

Use case

compute.globalOperations.get

Get operation data for visibility into GCE operations during GCE outages.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.instanceGroups.get

Get instance groups for GCE troubleshooting.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.instanceGroups.list

List instance groups for GCE troubleshooting.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.instances.get

Get compute instances.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.instances.list

List compute instances for GCE troubleshooting.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.instances.setLabels

Set compute instance labels.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.disks.get

Get disks.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.disks.setLabels

Set disk labels.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.networks.access

Manage network resources.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.networks.create

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.networks.delete

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.networks.get

Manage network resources.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.networks.getEffectiveFirewalls

Manage network resources.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.networks.update

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.networks.updatePolicy

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.networks.use

Manage network resources.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.networks.useExternalIp

Manage network resources.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.regionOperations.get

Get region operations for visibility into Google Compute Engine (GCE) operations during GCE outages.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.routers.create

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.routers.delete

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.routers.get

Manage network resources.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.routers.update

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.routers.use

Manage network resources.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.subnetworks.create

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.subnetworks.delete

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.subnetworks.expandIpCidrRange

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.subnetworks.get

Manage network resources.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.subnetworks.getIamPolicy

Manage network resources.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.subnetworks.setIamPolicy

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.subnetworks.setPrivateIpGoogleAccess

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.subnetworks.update

Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.subnetworks.use

Manage network resources.

Manage Google Compute Engine (GCE) resources to run workloads.

compute.subnetworks.useExternalIp

Manage network resources.

Manage Google Compute Engine (GCE) resources to run workloads.

container.clusterRoleBindings.create

Create cluster role bindings.

Manage GKE clusters to run Databricks workloads.

container.clusterRoleBindings.get

Get cluster role bindings.

Manage GKE clusters to run Databricks workloads.

container.clusterRoles.bind

Bind cluster role bindings.

Manage GKE clusters to run Databricks workloads.

container.clusterRoles.create

Create cluster roles.

Manage GKE clusters to run Databricks workloads.

container.clusterRoles.get

Get cluster roles.

Manage GKE clusters to run Databricks workloads.

container.clusters.create

Create cluster roles.

Manage GKE clusters to run Databricks workloads.

container.clusters.delete

Delete cluster roles.

Manage GKE clusters to run Databricks workloads.

container.clusters.get

Get clusters.

Manage GKE clusters to run Databricks workloads.

container.clusters.getCredentials

Get cluster credentials.

Manage GKE clusters to run Databricks workloads.

container.clusters.list

List clusters.

Manage GKE clusters to run Databricks workloads.

container.clusters.update

Update clusters.

Manage GKE clusters to run Databricks workloads.

container.configMaps.create

Create configMaps.

Manage GKE clusters to run Databricks workloads.

container.configMaps.get

Get configMaps.

Manage GKE clusters to run Databricks workloads.

container.configMaps.update

Update configMaps.

Manage GKE clusters to run Databricks workloads.

container.customResourceDefinitions.create

Create custom resource definitions.

Manage GKE clusters to run Databricks workloads.

container.customResourceDefinitions.get

Get custom resource definitions.

Manage GKE clusters to run Databricks workloads.

container.customResourceDefinitions.update

Update custom resource definitions.

Manage GKE clusters to run Databricks workloads.

container.daemonSets.create

Create daemon sets.

Manage GKE clusters to run Databricks workloads.

container.daemonSets.get

Get daemon sets.

Manage GKE clusters to run Databricks workloads.

container.daemonSets.update

Update daemon sets.

Manage GKE clusters to run Databricks workloads.

container.deployments.create

Create deployments.

Manage GKE clusters to run Databricks workloads.

container.deployments.get

Get deployments.

Manage GKE clusters to run Databricks workloads.

container.deployments.update

Update deployments.

Manage GKE clusters to run Databricks workloads.

container.jobs.create

Create job.

Manage GKE clusters to run Databricks workloads.

container.jobs.get

Get job.

Manage GKE clusters to run Databricks workloads.

container.jobs.update

Update job.

Manage GKE clusters to run Databricks workloads.

container.namespaces.create

Create namespace.

Manage GKE clusters to run Databricks workloads.

container.namespaces.get

Get namespace.

Manage GKE clusters to run Databricks workloads.

container.namespaces.list

List namespaces.

Manage GKE clusters to run Databricks workloads.

container.operations.get

Get operations.

Manage GKE clusters to run Databricks workloads.

container.pods.get

Get pods.

Manage GKE clusters to run Databricks workloads.

container.pods.getLogs

Get pod logs.

Manage GKE clusters to run Databricks workloads.

container.pods.list

List pods.

Manage GKE clusters to run Databricks workloads.

container.roleBindings.create

Create role bindings.

Manage GKE clusters to run Databricks workloads.

container.roleBindings.get

Get role bindings.

Manage GKE clusters to run Databricks workloads.

container.roles.bind

Bind roles.

Manage GKE clusters to run Databricks workloads.

container.roles.create

Create roles.

Manage GKE clusters to run Databricks workloads.

container.roles.get

Get roles.

Manage GKE clusters to run Databricks workloads.

container.secrets.create

Create secret.

Manage GKE clusters to run Databricks workloads.

container.secrets.get

Get a secret.

Manage GKE clusters to run Databricks workloads.

container.secrets.update

Update a secret.

Manage GKE clusters to run Databricks workloads.

container.serviceAccounts.create

Create a service account.

Manage GKE clusters to run Databricks workloads.

container.serviceAccounts.get

Get a service account.

Manage GKE clusters to run Databricks workloads.

container.services.create

Create a service.

Manage GKE clusters to run Databricks workloads.

container.services.get

Get a service.

Manage GKE clusters to run Databricks workloads.

container.thirdPartyObjects.create

Create a third-party object.

Manage GKE clusters to run Databricks workloads.

container.thirdPartyObjects.delete

Delete a third-party object.

Manage GKE clusters to run Databricks workloads.

container.thirdPartyObjects.get

Get a third-party object.

Manage GKE clusters to run Databricks workloads.

container.thirdPartyObjects.list

List third-party objects.

Manage GKE clusters to run Databricks workloads.

container.thirdPartyObjects.update

Update a third-party object.

Manage GKE clusters to run Databricks workloads.

iam.serviceAccounts.getIamPolicy

Inspect service accounts or bind them to a cluster.

Configure GKE Workload Identity for a cluster’s service account to access your data.

iam.serviceAccounts.setIamPolicy

Inspect service accounts or bind them to a cluster.

Configure GKE Workload Identity for a cluster’s service account to access your data.

resourcemanager.projects.get

Convert customer project ID to a project number.

Validate the project status, such as whether the project is live and whether the workspace service account has enough permissions.

resourcemanager.projects.getIamPolicy

Check if the project IAM policy is correctly configured.

Validate the project status, such as whether the project is live and whether the workspace service account has enough permissions.

storage.buckets.create

Create a bucket.

This is required to create and manage GCS buckets for DBFS.

storage.buckets.delete

Delete a bucket.

This is required to create and manage GCS buckets for DBFS.

storage.buckets.get

Get a bucket.

This is required to create and manage GCS buckets for DBFS.

storage.buckets.getIamPolicy

Get storage IAM policy.

This is required to create and manage GCS buckets for DBFS.

storage.buckets.list

List buckets.

This is required to create and manage GCS buckets for DBFS.

storage.buckets.setIamPolicy

Set storage IAM policy.

This is required to create and manage GCS buckets for DBFS.

storage.buckets.update

Update storage IAM policy.

This is required to create and manage GCS buckets for DBFS.

storage.multipartUploads.abort

Abort a multipart upload.

Read and write DBFS objects.

storage.multipartUploads.create

Create a multipart upload.

Read and write DBFS objects.

storage.multipartUploads.list

List multipart uploads.

Read and write DBFS objects.

storage.multipartUploads.listParts

List parts of a multipart upload.

Read and write DBFS objects.

storage.objects.create

Create a storage object.

Read and write DBFS objects.

storage.objects.delete

Delete storage object.

Read and write DBFS objects.

storage.objects.get

Get a storage object.

Read and write DBFS objects.

storage.objects.list

List storage objects.

Read and write DBFS objects.

storage.objects.update

Update a storage object.

Read and write DBFS objects.