DEVHIDE
Login Or Sign up

Error while assigning admin role to SCIM provisioned AAD groups in Databricks

1.2k Views Asked by At

We use Azure databricks and managing via terraform. We have configured SCIM connector provisioner(AAD Enterprise app) to sync users and groups from AAD to Databricks. This works good. I can able to assign job or cluster permissions to these SCIM synced groups but when I try to assign admin role(entire workspace admin) to SCIM synced group the terraform error shows "API is not available for this worspace". Sorry, I don't what it means, Is it related to terraform provider or Am I putting something wrong? Please suggest me what should I use or correct. Please find below code 'principal_id' argument accepts user id or group id or service principal id as per terraform documentation here https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/permission_assignment#principal_id

Provider configuration:

terraform {
  required_version = ">= 1.1.4"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.8.0"
    }
      databricks = {
      source  = "databricks/databricks"
      version = ">= 1.6.3"
    }
  }
}


provider "databricks" { #Assign databricks workspace id to provider
  azure_workspace_resource_id = 
     data.azurerm_databricks_workspace.adb_ws.id
}

Resource Block:

resource "databricks_permission_assignment" "assign_scim_admingroup" {
  principal_id = data.databricks_group.dbricks_admin_group.id
  permissions  = ["ADMIN"]
}

Error in terraform:

│ Error: cannot create permission assignment: Permission assignment APIs are not available for this workspace.
│ 
│   with databricks_permission_assignment.assign_scim_admingroup,
│   on Dbricks-permission.tf line 104, in resource "databricks_permission_assignment" "assign_scim_admingroup":
│   43: resource "databricks_permission_assignment" "assign_scim_admingroup" {

My expectation is Databricks group synced with AAD via SCIM connecter provisioner groups should be assigned as "ADMIN" role using terraform.

databricks azure-databricks terraform-provider-azure terraform-provider-databricks databricks-unity-catalog
Original Q&A
2

There are 2 best solutions below

1
On

I tried to reproduce the same in my environment:

Code:

resource "azuread_group" "example" {
  display_name     = "kavyaMyGroup"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true

  members = [
    azuread_user.example.object_id,
    # more users 
   ]
}
resource "databricks_user" "me" {
 // user_name    = "[email protected]"
 user_name = azuread_user.example.user_principal_name
  display_name = "Test User"
}




resource "databricks_group" "this" {
//  display_name               = "vsakaSomeGroup"
display_name = azuread_group.example.display_name
  allow_cluster_create       = true
  allow_instance_pool_create = true
  workspace_access      = true
  databricks_sql_access = true
}

resource "databricks_group_member" "vip_member" {
  group_id = databricks_group.this.id
  member_id = databricks_user.me.id
}

I received the same error:

│ Error: cannot create permission assignment: Permission assignment APIs are not available for this workspace.
│
│   with databricks_permission_assignment.assign_scim_admingroup,
│   on main.tf line 145, in resource "databricks_permission_assignment" "assign_scim_admingroup":

enter image description here

Please note :

The admins group is a reserved group in Azure Databricks and cannot be removed. Note that Workspace-local groups cannot be granted access to data in a Unity Catalog metastore or assigned to other workspaces .

To add groups to a workspace using the account console, the workspace must be enabled for identity federation. Only account-level groups are assignable.

Manage groups - Azure Databricks | Microsoft Learn

  • If I checked my environment, the group created is local and not account level , so I did not have permissions to assign admin role to it.

enter image description here

The account admins can assign them using ,the principal ID which can be retrieved using the SCIM API.

resource "databricks_permission_assignment" "assign_scim_admingroup" {
 /principal_id = databricks_group.this.id
  permissions  = ["ADMIN"]
}

Make sure to enable identity federation , to assign group roles and have premium plan in order to manage the assignment of users to workspaces

enter image description here

You can also check Automate SCIM provisioning using Microsoft Graph from

Reference: Configure SCIM provisioning using Microsoft Azure Active Directory - Azure Databricks | Microsoft Learn

3
On

The solution for us was that we were creating the metastore and the user permission assignments in the same Terraform apply. It turns out that the metastore needs about 10 minutes of buffer time, so if you run the same Terraform apply after 10 minutes it should work. Hope this helps

Related Questions in DATABRICKS

Related Questions in AZURE-DATABRICKS

Related Questions in TERRAFORM-PROVIDER-AZURE

Related Questions in TERRAFORM-PROVIDER-DATABRICKS

Related Questions in DATABRICKS-UNITY-CATALOG

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.