Required permissions

This page explains the permissions required for creating and managing a Databricks workspace on Google Cloud.

On Google Cloud, each workspace runs inside a customer-owned workspace project. Databricks creates and owns a per-workspace service account with the minimal permissions needed to manage the workspace. Databricks uses the credentials of the workspace creator to grant permissions to the service account on the workspace project. A Databricks account admin must have the required permissions on the workspace project to successfully create a workspace.

Required permissions for the workspace creator

Databricks uses the credentials of the workspace creator to validate settings, grant permissions, enable required services, and provision the workspace. During this process, Databricks requires the following permissions on the workspace project and the network project.

Note

Workspace creation typically takes less than a minute to complete. Databricks doesn’t retain or use these permissions after workspace creation completes.

The permissions are grouped by use case; each entry gives the Google permission followed by its purpose.

Use case: create and manage a custom role for granting permissions to the workspace’s service account.

  • iam.roles.create: Create the custom role.
  • iam.roles.delete: Delete the custom role.
  • iam.roles.get: Get the custom role.
  • iam.roles.update: Update the custom role.

Use case: grant the workspace service account the Service Account User role on the Google Cloud Compute Engine (GCE) service account, so that it can launch GKE clusters.

  • iam.serviceAccounts.getIamPolicy: Get the IAM policy of the service account.
  • iam.serviceAccounts.setIamPolicy: Set the IAM policy of the service account.

Use case: get basic information about the workspace project.

  • resourcemanager.projects.get: Get a project number from its project ID.
  • resourcemanager.projects.getIamPolicy: Get the project IAM policy.

Use case: grant the custom role to the workspace service account on the workspace project.

  • resourcemanager.projects.setIamPolicy: Set the project IAM policy.

Use case: enable Google Cloud services needed for Databricks workloads.

  • serviceusage.services.get: Validate whether the customer project has enabled the required Google Cloud APIs.
  • serviceusage.services.list: Validate whether the customer project has enabled the required Google Cloud APIs.
  • serviceusage.services.enable: Enable the required Google Cloud APIs on the project if they are not already enabled.

Use case: validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project. These permissions are checked on the project that hosts the network.

  • compute.networks.get: Validate the existence of a VPC network.
  • compute.projects.get: Get the host project of a VPC network.
  • compute.subnetworks.get: Validate the subnets of a VPC network.

Use case: required only if you enable Private Service Connect.

  • compute.forwardingRules.get: Get a forwarding rule for Private Service Connect.
  • compute.forwardingRules.list: List forwarding rules for Private Service Connect.

Use case: required on the Cloud KMS key only if you enable customer-managed keys.

  • cloudkms.cryptoKeys.getIamPolicy: Get the access control policy for a Cloud KMS resource.
  • cloudkms.cryptoKeys.setIamPolicy: Set the access control policy on a Cloud KMS resource.
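As an added pre-flight check (example code written for this page, not Databricks tooling), the script below turns the table above into a test you can run before attempting workspace creation. It groups the creator’s permissions by the resource they must be checked on, because the Compute permissions apply to the project hosting the VPC and the Cloud KMS permissions to the key itself, not to the workspace project, and it reports exactly which permissions are missing. The live path calls Google’s testIamPermissions method with an OAuth token; the project IDs, key name and sample response are constructed for illustration.

```python
"""Pre-flight check of the workspace creator's permissions.

Added example for this page, not Databricks code. The permission sets are
the ones listed on this page; the project IDs, key name and sample API
response below are constructed for illustration.
"""
import json
import urllib.request

# Always required on the workspace project.
WORKSPACE_PROJECT_PERMS = frozenset({
    "iam.roles.create", "iam.roles.delete", "iam.roles.get", "iam.roles.update",
    "iam.serviceAccounts.getIamPolicy", "iam.serviceAccounts.setIamPolicy",
    "resourcemanager.projects.get", "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.setIamPolicy",
    "serviceusage.services.get", "serviceusage.services.list",
    "serviceusage.services.enable",
})
# Required on the project that hosts the VPC (a Shared VPC host project, or
# the workspace project itself when the network lives there).
NETWORK_PROJECT_PERMS = frozenset({
    "compute.networks.get", "compute.projects.get", "compute.subnetworks.get",
})
PSC_PERMS = frozenset({"compute.forwardingRules.get", "compute.forwardingRules.list"})
# Checked on the Cloud KMS key resource itself, not on a project.
CMK_KEY_PERMS = frozenset({"cloudkms.cryptoKeys.getIamPolicy",
                           "cloudkms.cryptoKeys.setIamPolicy"})


def required_permissions(workspace_project, network_project, kms_key=None, psc=False):
    """Map each resource to the permissions the creator must hold on it.

    `kms_key` is a full resource name
    (projects/P/locations/L/keyRings/R/cryptoKeys/K); None means no CMK.
    """
    required = {f"projects/{workspace_project}": set(WORKSPACE_PROJECT_PERMS)}
    net = set(NETWORK_PROJECT_PERMS) | (set(PSC_PERMS) if psc else set())
    # setdefault merges the two sets when the VPC lives in the workspace project.
    required.setdefault(f"projects/{network_project}", set()).update(net)
    if kms_key:
        required[kms_key] = set(CMK_KEY_PERMS)
    return required


def missing_permissions(required, granted):
    """Return {resource: sorted missing perms}; an empty dict means the creator is ready."""
    missing = {}
    for resource, perms in required.items():
        gap = sorted(perms - set(granted.get(resource, ())))
        if gap:
            missing[resource] = gap
    return missing


def iam_test_url(resource):
    # Cloud KMS keys and projects expose testIamPermissions on different APIs.
    api = "cloudkms" if "/cryptoKeys/" in resource else "cloudresourcemanager"
    return f"https://{api}.googleapis.com/v1/{resource}:testIamPermissions"


def probe_iam_permissions(resource, perms, access_token):
    """Ask Google which of `perms` the caller holds on `resource` (needs network access).

    The token can come from `gcloud auth print-access-token`. testIamPermissions
    only reports the subset you already hold; it never grants anything.
    """
    body = json.dumps({"permissions": sorted(perms)}).encode()
    req = urllib.request.Request(
        iam_test_url(resource), data=body, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return set(json.load(resp).get("permissions", []))


# Constructed sample response: a creator who holds an IAM-centric role on the
# workspace project but was never granted network or KMS access.
SAMPLE_GRANTED = {
    "projects/ws-proj": WORKSPACE_PROJECT_PERMS - {"serviceusage.services.enable"},
    "projects/net-proj": {"compute.networks.get"},
}
SAMPLE_KEY = "projects/ws-proj/locations/us-east1/keyRings/dbx/cryptoKeys/cmk"


def demo():
    required = required_permissions("ws-proj", "net-proj", kms_key=SAMPLE_KEY, psc=True)
    return missing_permissions(required, SAMPLE_GRANTED)


if __name__ == "__main__":
    for resource, gap in demo().items():
        print(f"{resource}: missing {', '.join(gap)}")
```

To run it against a real project, replace SAMPLE_GRANTED with `{r: probe_iam_permissions(r, p, token) for r, p in required.items()}`. A project-level check cannot tell you about the KMS key, which is why the key is probed as its own resource.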

Required permissions for the workspace service account

The workspace service account requires the permissions in the following IAM roles on the workspace project in order to operate and manage a workspace:

  • GKE Admin role (roles/container.admin): Required to operate and manage customer workloads running on GKE.

  • GCE Storage Admin role (roles/compute.storageAdmin): Required to operate and manage the Google Compute Engine (GCE) persistent disks attached to GKE nodes.

  • Databricks Workspace role: A per-workspace custom role that grants the additional permissions needed to manage a workspace. If you use a customer-managed VPC, the network-mutating permissions noted below as not granted for a customer-managed VPC are left out of this role.

The permissions are grouped by use case; each entry gives the permission followed by its purpose.

Use case: manage Google Cloud Compute Engine (GCE) resources to run workloads. Permissions marked "(not granted for a customer-managed VPC)" are left out of the custom role that Databricks grants to the service account if you use a customer-managed VPC.

  • compute.globalOperations.get: Get global operation data, for visibility into GCE operations during GCE outages.
  • compute.instanceGroups.get: Get instance groups, for GCE troubleshooting.
  • compute.instanceGroups.list: List instance groups, for GCE troubleshooting.
  • compute.instances.get: Get compute instances.
  • compute.instances.list: List compute instances, for GCE troubleshooting.
  • compute.instances.setLabels: Set compute instance labels.
  • compute.disks.get: Get disks.
  • compute.disks.setLabels: Set disk labels.
  • compute.networks.access: Manage network resources.
  • compute.networks.create: Manage network resources (not granted for a customer-managed VPC).
  • compute.networks.delete: Manage network resources (not granted for a customer-managed VPC).
  • compute.networks.get: Manage network resources.
  • compute.networks.getEffectiveFirewalls: Manage network resources.
  • compute.networks.update: Manage network resources (not granted for a customer-managed VPC).
  • compute.networks.updatePolicy: Manage network resources (not granted for a customer-managed VPC).
  • compute.networks.use: Manage network resources.
  • compute.networks.useExternalIp: Manage network resources.
  • compute.regionOperations.get: Get region operation data, for visibility into GCE operations during GCE outages.
  • compute.routers.create: Manage network resources (not granted for a customer-managed VPC).
  • compute.routers.delete: Manage network resources (not granted for a customer-managed VPC).
  • compute.routers.get: Manage network resources.
  • compute.routers.update: Manage network resources (not granted for a customer-managed VPC).
  • compute.routers.use: Manage network resources.
  • compute.subnetworks.create: Manage network resources (not granted for a customer-managed VPC).
  • compute.subnetworks.delete: Manage network resources (not granted for a customer-managed VPC).
  • compute.subnetworks.expandIpCidrRange: Manage network resources (not granted for a customer-managed VPC).
  • compute.subnetworks.get: Manage network resources.
  • compute.subnetworks.getIamPolicy: Manage network resources.
  • compute.subnetworks.setIamPolicy: Manage network resources (not granted for a customer-managed VPC).
  • compute.subnetworks.setPrivateIpGoogleAccess: Manage network resources (not granted for a customer-managed VPC).
  • compute.subnetworks.update: Manage network resources (not granted for a customer-managed VPC).
  • compute.subnetworks.use: Manage network resources.
  • compute.subnetworks.useExternalIp: Manage network resources.

Use case: manage GKE clusters to run Databricks workloads.

  • container.clusterRoleBindings.create: Create cluster role bindings.
  • container.clusterRoleBindings.get: Get cluster role bindings.
  • container.clusterRoles.bind: Bind cluster roles.
  • container.clusterRoles.create: Create cluster roles.
  • container.clusterRoles.get: Get cluster roles.
  • container.clusters.create: Create clusters.
  • container.clusters.delete: Delete clusters.
  • container.clusters.get: Get clusters.
  • container.clusters.getCredentials: Get cluster credentials.
  • container.clusters.list: List clusters.
  • container.clusters.update: Update clusters.
  • container.configMaps.create: Create configMaps.
  • container.configMaps.get: Get configMaps.
  • container.configMaps.update: Update configMaps.
  • container.customResourceDefinitions.create: Create custom resource definitions.
  • container.customResourceDefinitions.get: Get custom resource definitions.
  • container.customResourceDefinitions.update: Update custom resource definitions.
  • container.daemonSets.create: Create daemon sets.
  • container.daemonSets.get: Get daemon sets.
  • container.daemonSets.update: Update daemon sets.
  • container.deployments.create: Create deployments.
  • container.deployments.get: Get deployments.
  • container.deployments.update: Update deployments.
  • container.jobs.create: Create jobs.
  • container.jobs.get: Get jobs.
  • container.jobs.update: Update jobs.
  • container.namespaces.create: Create namespaces.
  • container.namespaces.get: Get namespaces.
  • container.namespaces.list: List namespaces.
  • container.operations.get: Get operations.
  • container.pods.get: Get pods.
  • container.pods.getLogs: Get pod logs.
  • container.pods.list: List pods.
  • container.roleBindings.create: Create role bindings.
  • container.roleBindings.get: Get role bindings.
  • container.roles.bind: Bind roles.
  • container.roles.create: Create roles.
  • container.roles.get: Get roles.
  • container.secrets.create: Create a secret.
  • container.secrets.get: Get a secret.
  • container.secrets.update: Update a secret.
  • container.serviceAccounts.create: Create a Kubernetes service account.
  • container.serviceAccounts.get: Get a Kubernetes service account.
  • container.services.create: Create a service.
  • container.services.get: Get a service.
  • container.thirdPartyObjects.create: Create a third-party object.
  • container.thirdPartyObjects.delete: Delete a third-party object.
  • container.thirdPartyObjects.get: Get a third-party object.
  • container.thirdPartyObjects.list: List third-party objects.
  • container.thirdPartyObjects.update: Update a third-party object.

Use case: configure GKE Workload Identity for a cluster’s service account to access your data.

  • iam.serviceAccounts.getIamPolicy: Inspect a service account’s IAM policy.
  • iam.serviceAccounts.setIamPolicy: Bind a service account to a cluster by updating its IAM policy.

Use case: validate the project status, such as whether the project is live and whether the workspace service account has enough permissions.

  • resourcemanager.projects.get: Convert the customer project ID to a project number.
  • resourcemanager.projects.getIamPolicy: Check whether the project IAM policy is correctly configured.

Use case: create and manage GCS buckets for DBFS.

  • storage.buckets.create: Create a bucket.
  • storage.buckets.delete: Delete a bucket.
  • storage.buckets.get: Get a bucket.
  • storage.buckets.getIamPolicy: Get a bucket’s IAM policy.
  • storage.buckets.list: List buckets.
  • storage.buckets.setIamPolicy: Set a bucket’s IAM policy.
  • storage.buckets.update: Update a bucket.

Use case: read and write DBFS objects.

  • storage.multipartUploads.abort: Abort a multipart upload.
  • storage.multipartUploads.create: Create a multipart upload.
  • storage.multipartUploads.list: List multipart uploads.
  • storage.multipartUploads.listParts: List the parts of a multipart upload.
  • storage.objects.create: Create a storage object.
  • storage.objects.delete: Delete a storage object.
  • storage.objects.get: Get a storage object.
  • storage.objects.list: List storage objects.
  • storage.objects.update: Update a storage object.
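A least-privilege audit of the per-workspace custom role, as an added example written for this page rather than Databricks code: it encodes the table above as the expected permission set, drops the permissions the page says are left out for a customer-managed VPC, and reports anything the role carries that the page does not list. The role JSON is constructed in the shape that `gcloud iam roles describe --project PROJECT ROLE --format=json` prints; the role name and its permission list are invented for the sample and are not a real Databricks role.

```python
"""Audit the per-workspace custom role against the permissions this page lists.

Added example for this page, not Databricks code. The expected set is the
table above; the role JSON below is constructed to show the two findings that
matter (a permission not on the page, and a VPC-mutating permission present
although the VPC is customer-managed).
"""
import json


def _perms(prefix, *names):
    return {f"{prefix}.{name}" for name in names}


# Every permission the table lists for the workspace service account (103 entries).
EXPECTED_SA_PERMISSIONS = frozenset(
    _perms("compute.globalOperations", "get")
    | _perms("compute.regionOperations", "get")
    | _perms("compute.instanceGroups", "get", "list")
    | _perms("compute.instances", "get", "list", "setLabels")
    | _perms("compute.disks", "get", "setLabels")
    | _perms("compute.networks", "access", "create", "delete", "get",
             "getEffectiveFirewalls", "update", "updatePolicy", "use", "useExternalIp")
    | _perms("compute.routers", "create", "delete", "get", "update", "use")
    | _perms("compute.subnetworks", "create", "delete", "expandIpCidrRange", "get",
             "getIamPolicy", "setIamPolicy", "setPrivateIpGoogleAccess", "update",
             "use", "useExternalIp")
    | _perms("container.clusterRoleBindings", "create", "get")
    | _perms("container.clusterRoles", "bind", "create", "get")
    | _perms("container.clusters", "create", "delete", "get", "getCredentials", "list", "update")
    | _perms("container.configMaps", "create", "get", "update")
    | _perms("container.customResourceDefinitions", "create", "get", "update")
    | _perms("container.daemonSets", "create", "get", "update")
    | _perms("container.deployments", "create", "get", "update")
    | _perms("container.jobs", "create", "get", "update")
    | _perms("container.namespaces", "create", "get", "list")
    | _perms("container.operations", "get")
    | _perms("container.pods", "get", "getLogs", "list")
    | _perms("container.roleBindings", "create", "get")
    | _perms("container.roles", "bind", "create", "get")
    | _perms("container.secrets", "create", "get", "update")
    | _perms("container.serviceAccounts", "create", "get")
    | _perms("container.services", "create", "get")
    | _perms("container.thirdPartyObjects", "create", "delete", "get", "list", "update")
    | _perms("iam.serviceAccounts", "getIamPolicy", "setIamPolicy")
    | _perms("resourcemanager.projects", "get", "getIamPolicy")
    | _perms("storage.buckets", "create", "delete", "get", "getIamPolicy", "list",
             "setIamPolicy", "update")
    | _perms("storage.multipartUploads", "abort", "create", "list", "listParts")
    | _perms("storage.objects", "create", "delete", "get", "list", "update")
)

# Left out of the custom role when you bring a customer-managed VPC.
VPC_MUTATING = frozenset(
    _perms("compute.networks", "create", "delete", "update", "updatePolicy")
    | _perms("compute.routers", "create", "delete", "update")
    | _perms("compute.subnetworks", "create", "delete", "expandIpCidrRange",
             "setIamPolicy", "setPrivateIpGoogleAccess", "update")
)


def expected_role_permissions(customer_managed_vpc):
    return EXPECTED_SA_PERMISSIONS - VPC_MUTATING if customer_managed_vpc else EXPECTED_SA_PERMISSIONS


def load_role_permissions(role_json):
    """Pull includedPermissions out of `gcloud iam roles describe --format=json` output."""
    return set(json.loads(role_json).get("includedPermissions", []))


def audit_workspace_role(included_permissions, customer_managed_vpc):
    """'unexpected' is the finding: permissions the page never lists, or
    VPC-mutating ones present although the VPC is customer-managed.
    'not_in_role' is informational: the custom role only adds permissions on
    top of the predefined GKE Admin and GCE Storage Admin roles."""
    expected = expected_role_permissions(customer_managed_vpc)
    have = set(included_permissions)
    return {"unexpected": sorted(have - expected), "not_in_role": sorted(expected - have)}


# Constructed sample in the shape gcloud prints; not a real Databricks role.
SAMPLE_ROLE_JSON = json.dumps({
    "name": "projects/ws-proj/roles/databricks_workspace_example",
    "stage": "GA",
    "includedPermissions": [
        "compute.instances.delete",   # not on this page at all
        "compute.networks.create",    # acceptable only when Databricks manages the VPC
        "compute.networks.get",
        "container.clusters.create",
        "storage.buckets.setIamPolicy",
    ],
})


def demo(customer_managed_vpc=True):
    return audit_workspace_role(load_role_permissions(SAMPLE_ROLE_JSON), customer_managed_vpc)


if __name__ == "__main__":
    result = demo()
    print("unexpected:", result["unexpected"])
    print("listed on this page but not in the custom role:", len(result["not_in_role"]))
```

Feed it the real role with `load_role_permissions(open("role.json").read())`; anything in "unexpected" is a permission the service account holds that this page does not account for, and is worth raising with Databricks support before the workspace goes into production.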