Required permissions for workspace creation

This page explains the permissions required for creating a classic Databricks workspace on Google Cloud.

On Google Cloud, each workspace runs inside a customer-owned workspace project. Databricks uses the workspace creator's credentials to validate settings, grant permissions, enable required services, and provision the workspace. A Databricks account admin must have the required permissions on the workspace project to successfully create a workspace.

Additionally, during workspace creation, Databricks creates a new service account with the minimal permissions needed to manage the workspace. Databricks uses the credentials of the workspace creator to grant permissions to the service account on the workspace project. For a list of permissions granted to the service account, see Required permissions for the workspace service account.

Required account admin permissions

The following is the minimal set of permissions required on the workspace and network projects. Databricks recommends that the workspace creator have the roles/owner role on both the workspace and VPC projects.

note

Workspace creation typically takes less than a minute to complete. Databricks won't retain or use these permissions after the workspace creation.

Google permission	Purpose	Required for workspace project	Required for VPC project	Use case
iam.roles.create	Create the custom role.	✓	✓	Create and manage a custom role for granting permissions to the workspace's service account.
iam.roles.delete	Delete the custom role.	✓		Create and manage a custom role for granting permissions to the workspace's service account.
iam.roles.get	Get the custom role.	✓	✓	Create and manage a custom role for granting permissions to the workspace's service account.
iam.roles.update	Update the custom role.	✓	✓	Create and manage a custom role for granting permissions to the workspace's service account.
iam.serviceAccounts.create	Create the Databricks-compute service account.	✓		Create the Databricks-compute service account used by all clusters in the workspace that do not have a custom service account attached. This service account has minimal permissions, limited to logging and metrics.
iam.serviceAccounts.get	Get the Databricks-compute service account.	✓		Used to check if the required Databricks-compute service account used by all clusters in the workspace exists.
iam.serviceAccounts.getIamPolicy	Get IAM policy.	✓		Grant workspace service account the Service Account User role on Google Compute Engine (GCE) service account for launching clusters.
iam.serviceAccounts.setIamPolicy	Set IAM policy.	✓		Grant workspace service account the Service Account User role on Google Compute Engine (GCE) service account for launching clusters.
resourcemanager.projects.get	Get a project number from its project ID.	✓	✓	Get basic information about the workspace project.
resourcemanager.projects.getIamPolicy	Get IAM policy.	✓	✓	Get basic information about the workspace project.
resourcemanager.projects.setIamPolicy	Set IAM policy.	✓		Get basic information about the workspace project.
serviceusage.services.get	Validate whether the customer project has enabled the required Google Cloud APIs.	✓	✓	Enable Google Cloud services needed for Databricks workloads.
serviceusage.services.list	Validate whether the customer project has enabled the required Google Cloud APIs.	✓	✓	Enable Google Cloud services needed for Databricks workloads.
serviceusage.services.enable	Enable the required Google Cloud APIs on the project if they are not already enabled.	✓		Enable Google Cloud services needed for Databricks workloads.
compute.networks.get	Validate the existence of a VPC network.		✓	Validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project.
compute.networks.updatePolicy	Update the firewall policy on VPC network.		✓	Updates the firewall policy on the customer-provided VPC network, which might belong to a project other than the workspace project.
compute.projects.get	Get the host project of a VPC network.		✓	Validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project.
compute.subnetworks.get	Validate subnets of a VPC network.		✓	Validate network resources for the customer-provided VPC network, which might belong to a project other than the workspace project. Required if you use a customer-managed VPC.
compute.subnetworks.getIamPolicy	Get the IAM policy on the VPC subnet.		✓	Validate the grants on the subnetwork for the customer-provided VPC network, which might belong to a project other than the workspace project. Required if you use a customer-managed VPC.
compute.subnetworks.setIamPolicy	Set the IAM policy on the VPC subnet.		✓	Sets the IAM policy on the subnetwork for the customer-provided VPC network, which might belong to a project other than the workspace project. Required if you use a customer-managed VPC.
compute.forwardingRules.get	List forwarding rules for Private Service Connect.		✓	Required if you enable Private Service Connect.
compute.forwardingRules.list	Get forwarding rules for Private Service Connect.		✓	Required if you enable Private Service Connect.
compute.firewalls.get	Get a firewall rule.		✓	Gets the required firewall rule in the customer-provided VPC network to check if it exists.
compute.firewalls.create	Create a firewall rule.		✓	Creates a firewall rule in the customer-provided VPC network, which might belong to a project other than the workspace project.
cloudkms.cryptoKeys.getIamPolicy	Get the access control policy for a Cloud KMS resource.	✓		Required on the Cloud KMS key if you enable customer-managed keys.
cloudkms.cryptoKeys.setIamPolicy	Set the access control policy on a Cloud KMS resource.	✓		Required on the Cloud KMS key if you enable customer-managed keys.