Required permissions
This page explains the permissions required for creating and managing a Databricks workspace on Google Cloud.
On Google Cloud, each workspace runs inside a customer-owned workspace project. Databricks creates and owns a per-workspace service account with the minimal permissions needed to manage the workspace. Databricks uses the credentials of the workspace creator to grant permissions to the service account on the workspace project. A Databricks account admin must have the required permissions on the workspace project to successfully create a workspace.
Required permissions for the workspace creator
Databricks uses the credentials of the workspace creator to validate settings, grant permissions, enable required services, and provision the workspace. During this process, Databricks requires the following permissions on the workspace project and the network project.
Note
Workspace creation typically takes less than a minute to complete. Databricks won’t retain or use these permissions after workspace creation.
| Google permission | Purpose | Use case |
|---|---|---|
|  | Create the custom role. | Create and manage a custom role for granting permissions to the workspace’s service account. |
|  | Delete the custom role. | Create and manage a custom role for granting permissions to the workspace’s service account. |
|  | Get the custom role. | Create and manage a custom role for granting permissions to the workspace’s service account. |
|  | Update the custom role. | Create and manage a custom role for granting permissions to the workspace’s service account. |
|  | Get IAM policy. | Grant workspace service account the |
|  | Set IAM policy. | Grant workspace service account the |
|  | Get a project number from its project ID. | Get basic information about the workspace project. |
|  | Get IAM policy. | Get basic information about the workspace project. |
|  | Set IAM policy. | Get basic information about the workspace project. |
|  | Validate whether the customer project has enabled the required Google Cloud APIs. | Enable Google Cloud services needed for Databricks workloads. |
|  | Validate whether the customer project has enabled the required Google Cloud APIs. | Enable Google Cloud services needed for Databricks workloads. |
|  | Enable the required Google Cloud APIs on the project if they are not already enabled. | Enable Google Cloud services needed for Databricks workloads. |
|  | Validate the existence of a VPC network. | Validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project. |
|  | Get the host project of a VPC network. | Validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project. |
|  | Validate subnets of a VPC network. | Validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project. |
|  | List forwarding rules for Private Service Connect. | Required if you enable Private Service Connect. |
|  | Get forwarding rules for Private Service Connect. | Required if you enable Private Service Connect. |
|  | Get the access control policy for a Cloud KMS resource. | Required on the Cloud KMS key if you enable customer-managed keys. |
|  | Set the access control policy on a Cloud KMS resource. | Required on the Cloud KMS key if you enable customer-managed keys. |
Required permissions for the workspace service account
The workspace service account requires permissions in the following IAM roles on the workspace project in order to operate and manage a workspace:
GKE Admin Role: This is required to operate and manage customer workloads running on GKE.
GCE Storage Admin Role: This is required to operate and manage the Google Compute Engine (GCE) persistent storage associated with GKE nodes.
Databricks Workspace Role: A per-workspace custom role for granting additional permissions needed to manage a workspace.
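The two checks a practitioner wants at this point are "which roles does the creating admin actually hold on the workspace project?" (the section above) and "after creation, does the per-workspace service account hold only the three roles listed here and nothing broader?" (this section). The script below, an added example that is not Databricks code, answers both from the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints. It assumes that `roles/container.admin` and `roles/compute.storageAdmin` are the role IDs behind what this page calls "GKE Admin Role" and "GCE Storage Admin Role", and it treats any custom role under the workspace project as the "Databricks Workspace Role", because the page does not give that role's ID; the custom-role name and the principals in the sample policy are constructed placeholders.

```python
"""Audit a project IAM policy for the principals this page talks about:
the account admin who creates a workspace and the per-workspace service account.

Added example, not Databricks code. Input shape is the JSON printed by
`gcloud projects get-iam-policy PROJECT --format=json`.
"""
import json
import sys

GKE_ADMIN = "roles/container.admin"               # assumed ID for "GKE Admin Role"
GCE_STORAGE_ADMIN = "roles/compute.storageAdmin"  # assumed ID for "GCE Storage Admin Role"
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}  # project-wide, far broader than needed


def roles_for_member(policy: dict, member: str) -> list[str]:
    """Every role `member` is bound to in the policy, sorted (conditional bindings included)."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def conditional_roles(policy: dict, member: str) -> list[str]:
    """Roles `member` holds only under an IAM condition; these are not unconditionally effective."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []) and "condition" in b)


def audit_workspace_sa(policy: dict, member: str, project_id: str) -> dict:
    """Compare a workspace service account's bindings with the minimal set this page lists:
    GKE Admin, GCE Storage Admin and one per-workspace custom role in the workspace project."""
    roles = set(roles_for_member(policy, member))
    custom_prefix = f"projects/{project_id}/roles/"
    custom = {r for r in roles if r.startswith(custom_prefix)}
    expected = {GKE_ADMIN, GCE_STORAGE_ADMIN}
    missing = sorted(expected - roles)
    if not custom:  # no custom role in this project: report a labelled placeholder, not a guessed ID
        missing.append(custom_prefix + "<per-workspace custom role>")
    unexpected = sorted(roles - expected - custom)  # anything beyond the minimal set
    return {
        "roles": sorted(roles),
        "custom_roles": sorted(custom),
        "missing": missing,
        "unexpected": unexpected,
        "basic_roles": sorted(roles & BASIC_ROLES),  # owner/editor/viewer deserve immediate attention
        "conditional": conditional_roles(policy, member),
        "ok": not missing and not unexpected,
    }


# Constructed sample policy: one service account with exactly the expected roles and one
# that was additionally granted roles/editor. Names and the custom-role ID are placeholders.
MINIMAL_SA = "serviceAccount:databricks-ws-1111@example-project.iam.gserviceaccount.com"
OVERPRIVILEGED_SA = "serviceAccount:databricks-ws-2222@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXexample=",
    "bindings": [
        {"role": GKE_ADMIN, "members": [MINIMAL_SA, OVERPRIVILEGED_SA]},
        {"role": GCE_STORAGE_ADMIN, "members": [MINIMAL_SA, OVERPRIVILEGED_SA]},
        {"role": "projects/example-project/roles/databricksWorkspaceRole",  # placeholder custom role ID
         "members": [MINIMAL_SA, OVERPRIVILEGED_SA]},
        {"role": "roles/editor", "members": [OVERPRIVILEGED_SA, "user:admin@example.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"],
         "condition": {"title": "expires",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
    ],
}


def main() -> None:
    """Usage: gcloud projects get-iam-policy PROJECT --format=json | python audit.py MEMBER PROJECT"""
    member, project_id = sys.argv[1], sys.argv[2]
    print(json.dumps(audit_workspace_sa(json.load(sys.stdin), member, project_id), indent=2))


if __name__ == "__main__":
    main()
```

Run it against the real policy with the service account as `MEMBER` and the workspace project ID as `PROJECT`; a non-empty `unexpected` or `basic_roles` list means the account holds more than the page says it needs, and `missing` entries explain a workspace that fails to provision. Passing the creating admin's `user:` principal to `roles_for_member` shows what that admin is bound to on the project before attempting creation.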
| Permission | Purpose | Use case |
|---|---|---|
|  | Get operation data for visibility into GCE operations during GCE outages. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Get instance groups for GCE troubleshooting. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | List instance groups for GCE troubleshooting. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Get compute instances. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | List compute instances for GCE troubleshooting. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Set compute instance labels. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Get disks. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Set disk labels. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Get region operations for visibility into Google Compute Engine (GCE) operations during GCE outages. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. If you use a customer-managed VPC, this permission is not in the custom role that Databricks grants to the service account. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Manage network resources. | Manage Google Cloud Compute Engine (GCE) resources to run workloads. |
|  | Create cluster role bindings. | Manage GKE clusters to run Databricks workloads. |
|  | Get cluster role bindings. | Manage GKE clusters to run Databricks workloads. |
|  | Bind cluster role bindings. | Manage GKE clusters to run Databricks workloads. |
|  | Create cluster roles. | Manage GKE clusters to run Databricks workloads. |
|  | Get cluster roles. | Manage GKE clusters to run Databricks workloads. |
|  | Create cluster roles. | Manage GKE clusters to run Databricks workloads. |
|  | Delete cluster roles. | Manage GKE clusters to run Databricks workloads. |
|  | Get clusters. | Manage GKE clusters to run Databricks workloads. |
|  | Get cluster credentials. | Manage GKE clusters to run Databricks workloads. |
|  | List clusters. | Manage GKE clusters to run Databricks workloads. |
|  | Update clusters. | Manage GKE clusters to run Databricks workloads. |
|  | Create configMaps. | Manage GKE clusters to run Databricks workloads. |
|  | Get configMaps. | Manage GKE clusters to run Databricks workloads. |
|  | Update configMaps. | Manage GKE clusters to run Databricks workloads. |
|  | Create custom resource definitions. | Manage GKE clusters to run Databricks workloads. |
|  | Get custom resource definitions. | Manage GKE clusters to run Databricks workloads. |
|  | Update custom resource definitions. | Manage GKE clusters to run Databricks workloads. |
|  | Create daemon sets. | Manage GKE clusters to run Databricks workloads. |
|  | Get daemon sets. | Manage GKE clusters to run Databricks workloads. |
|  | Update daemon sets. | Manage GKE clusters to run Databricks workloads. |
|  | Create deployments. | Manage GKE clusters to run Databricks workloads. |
|  | Get deployments. | Manage GKE clusters to run Databricks workloads. |
|  | Update deployments. | Manage GKE clusters to run Databricks workloads. |
|  | Create jobs. | Manage GKE clusters to run Databricks workloads. |
|  | Get jobs. | Manage GKE clusters to run Databricks workloads. |
|  | Update jobs. | Manage GKE clusters to run Databricks workloads. |
|  | Create namespaces. | Manage GKE clusters to run Databricks workloads. |
|  | Get namespaces. | Manage GKE clusters to run Databricks workloads. |
|  | List namespaces. | Manage GKE clusters to run Databricks workloads. |
|  | Get operations. | Manage GKE clusters to run Databricks workloads. |
|  | Get pods. | Manage GKE clusters to run Databricks workloads. |
|  | Get pod logs. | Manage GKE clusters to run Databricks workloads. |
|  | List pods. | Manage GKE clusters to run Databricks workloads. |
|  | Create role bindings. | Manage GKE clusters to run Databricks workloads. |
|  | Get role bindings. | Manage GKE clusters to run Databricks workloads. |
|  | Bind roles. | Manage GKE clusters to run Databricks workloads. |
|  | Create roles. | Manage GKE clusters to run Databricks workloads. |
|  | Get roles. | Manage GKE clusters to run Databricks workloads. |
|  | Create a secret. | Manage GKE clusters to run Databricks workloads. |
|  | Get a secret. | Manage GKE clusters to run Databricks workloads. |
|  | Update a secret. | Manage GKE clusters to run Databricks workloads. |
|  | Create a service account. | Manage GKE clusters to run Databricks workloads. |
|  | Get a service account. | Manage GKE clusters to run Databricks workloads. |
|  | Create a service. | Manage GKE clusters to run Databricks workloads. |
|  | Get a service. | Manage GKE clusters to run Databricks workloads. |
|  | Create a third-party object. | Manage GKE clusters to run Databricks workloads. |
|  | Delete a third-party object. | Manage GKE clusters to run Databricks workloads. |
|  | Get a third-party object. | Manage GKE clusters to run Databricks workloads. |
|  | List third-party objects. | Manage GKE clusters to run Databricks workloads. |
|  | Update a third-party object. | Manage GKE clusters to run Databricks workloads. |
|  | Inspect service accounts or bind them to a cluster. | Configure GKE Workload Identity for a cluster’s service account to access your data. |
|  | Inspect service accounts or bind them to a cluster. | Configure GKE Workload Identity for a cluster’s service account to access your data. |
|  | Convert the customer project ID to a project number. | Validate the project status, such as whether the project is live and whether the workspace service account has enough permissions. |
|  | Check whether the project IAM policy is correctly configured. | Validate the project status, such as whether the project is live and whether the workspace service account has enough permissions. |
|  | Create a bucket. | This is required to create and manage GCS buckets for DBFS. |
|  | Delete a bucket. | This is required to create and manage GCS buckets for DBFS. |
|  | Get a bucket. | This is required to create and manage GCS buckets for DBFS. |
|  | Get storage IAM policy. | This is required to create and manage GCS buckets for DBFS. |
|  | List buckets. | This is required to create and manage GCS buckets for DBFS. |
|  | Set storage IAM policy. | This is required to create and manage GCS buckets for DBFS. |
|  | Update storage IAM policy. | This is required to create and manage GCS buckets for DBFS. |
|  | Abort a multipart upload. | Read and write DBFS objects. |
|  | Create a multipart upload. | Read and write DBFS objects. |
|  | List multipart uploads. | Read and write DBFS objects. |
|  | List parts of a multipart upload. | Read and write DBFS objects. |
|  | Create a storage object. | Read and write DBFS objects. |
|  | Delete a storage object. | Read and write DBFS objects. |
|  | Get a storage object. | Read and write DBFS objects. |
|  | List storage objects. | Read and write DBFS objects. |
|  | Update a storage object. | Read and write DBFS objects. |