
Required permissions for the workspace service account

The workspace service account requires permissions in the following IAM roles on the workspace project to operate and manage a workspace. These roles are automatically created by Databricks when you deploy your workspace.

  • Databricks Project Role v2: This role is required to operate and manage project-level resources such as instances, disks, cloud operations, and service accounts managed by Databricks. It is granted at the project level to the workspace service account.

  • Databricks Resource Role v2: This role is required to operate and manage Google Compute Engine (GCE) instances, storage disks, and other workspace-level resources managed by Databricks. This role is granted at the project level to the workspace service account. The workspace-level scoping is enforced using an IAM condition on the workspace ID, so the role only applies to resources whose names contain both "databricks" and the workspace ID. The following example condition expression uses 1234567890 in place of an actual workspace ID:

    resource.name.extract("{x}databricks") != "" &&
    resource.name.extract("{x}1234567890") != ""

  • Databricks Network Role v2: This role is required to use subnetwork resources in a customer-managed VPC network. The role must exist in the VPC project that hosts the primary subnet of the customer-managed VPC.
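To make the scoping condition above concrete, here is a small Python simulator, added for this page and not part of Databricks or Google Cloud code. It implements only the subset of CEL `extract()` semantics the expression relies on (for a template of the form `{x}<literal>`, the captured value is everything before the first occurrence of the literal, and a non-matching template yields an empty string), evaluates the two clauses against constructed sample resource names, and builds the conditional IAM policy binding a defender would expect to find when auditing the project policy. The workspace ID is the page's placeholder; the project, zone and member names are assumptions.

```python
"""Simulate the Databricks workspace-scoping IAM condition.

Added example, not Databricks' or Google's code. Only the subset of CEL
string.extract() needed for "{x}<literal>" templates is implemented;
real evaluation happens inside Google Cloud IAM.
"""
import re

WORKSPACE_ID = "1234567890"  # placeholder from the page, not a real workspace ID


def extract(resource_name: str, template: str) -> str:
    """Minimal stand-in for CEL extract() with a "{x}<literal>" template.

    Returns everything before the first occurrence of <literal>, or ""
    when the literal does not occur (which is what IAM returns for a
    non-matching template).
    """
    m = re.fullmatch(r"\{x\}(.+)", template)
    if not m:
        raise ValueError("only '{x}<literal>' templates are supported here")
    literal = m.group(1)
    idx = resource_name.find(literal)
    return "" if idx < 0 else resource_name[:idx]


def condition_expression(workspace_id: str) -> str:
    """The condition expression from the page, with the workspace ID filled in."""
    return (
        f'resource.name.extract("{{x}}databricks") != "" && '
        f'resource.name.extract("{{x}}{workspace_id}") != ""'
    )


def condition_allows(resource_name: str, workspace_id: str) -> bool:
    """Evaluate the condition the way its two extract() clauses would.

    Assumes full resource paths (projects/...), so the prefix captured by
    {x} is never empty when the literal is present.
    """
    return (
        extract(resource_name, "{x}databricks") != ""
        and extract(resource_name, "{x}" + workspace_id) != ""
    )


def iam_binding(member: str, role: str, workspace_id: str) -> dict:
    """Conditional binding as it appears in a gcloud/REST IAM policy document."""
    return {
        "role": role,
        "members": [member],
        "condition": {
            "title": f"databricks-workspace-{workspace_id}",
            "description": "Restrict the role to resources of one workspace",
            "expression": condition_expression(workspace_id),
        },
    }


# Constructed sample resource names (hypothetical project and zone).
SAME_WORKSPACE_VM = (
    "projects/my-project/zones/us-central1-a/instances/"
    "databricks-1234567890-worker-0"
)
OTHER_WORKSPACE_VM = (
    "projects/my-project/zones/us-central1-a/instances/"
    "databricks-9999999999-worker-0"
)
UNRELATED_DISK = "projects/my-project/zones/us-central1-a/disks/pd-1234567890"

if __name__ == "__main__":
    for name in (SAME_WORKSPACE_VM, OTHER_WORKSPACE_VM, UNRELATED_DISK):
        print(f"{condition_allows(name, WORKSPACE_ID)!s:5} {name}")
    binding = iam_binding(
        "serviceAccount:workspace-sa@my-project.iam.gserviceaccount.com",
        "projects/my-project/roles/databricks_resource_role_v2",  # assumed custom role id
        WORKSPACE_ID,
    )
    print(binding["condition"]["expression"])
```

Running the block prints `True` only for the VM whose name carries both "databricks" and the workspace ID; a VM of another workspace and a disk without "databricks" in its name both evaluate to `False`. When reviewing a project's IAM policy (for example the output of `gcloud projects get-iam-policy`), the binding for the Resource Role should carry a `condition` block whose expression matches the one generated here for that workspace ID.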

If customer-managed keys are enabled for your workspace, the Cloud KMS CryptoKey Decrypter and Cloud KMS CryptoKey Encrypter roles are also required on the Cloud KMS key resource.

Permissions for Databricks Project Role v2

| Permission | Purpose | Use case |
|---|---|---|
| compute.disks.list | List disks | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.globalOperations.list | List cloud operations | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.regionOperations.list | List regional cloud operations | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.zoneOperations.list | List zonal cloud operations | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.list | List GCE instances | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.zones.list | List available zones | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.zones.get | Get zone description | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.regions.get | Get region description | Manage Google Compute Engine (GCE) resources to run workloads |
| serviceusage.services.list | List enabled services | Needed for Databricks to check that required services are enabled |
| serviceusage.quotas.get | Get quota details | Manage Google Compute Engine (GCE) resources to run workloads |
| storage.buckets.list | List Databricks-managed GCS buckets | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.recommendLocations | Get on-demand capacity recommendations | Get zone/machine type recommendations for on-demand instances based on available capacity in the region |
| compute.spotAssistants.get | Get spot capacity recommendations | Get zone/machine type recommendations for spot instances based on available capacity in the region |
| compute.reservations.get | Get details of a GCE reservation | Get details of a GCE reservation for use in zone/machine type selection |
| compute.reservations.list | List all GCE reservations | List details of all GCE reservations for use in zone/machine type selection |

The following permissions are retained for compatibility with legacy permissions. They can be removed or modified as applicable.

| Permission | Purpose | Use case |
|---|---|---|
| iam.serviceAccounts.actAs | Impersonate service account | Required for clusters to use a Google Service Account. Can be removed if GSA is not used, or can be granted only on the specific service accounts used by your Databricks clusters. |
| iam.serviceAccounts.getAccessToken | Impersonate service account | Required for clusters to use a Google Service Account. Can be removed if GSA is not used, or can be granted only on the specific service accounts used by your Databricks clusters. |
| iam.serviceAccounts.getOpenIdToken | Impersonate service account | Required for clusters to use a Google Service Account. Can be removed if GSA is not used, or can be granted only on the specific service accounts used by your Databricks clusters. |
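The note above says the three `iam.serviceAccounts.*` permissions can be dropped when clusters do not run as a Google service account. The following Python script, added here and not a Databricks deliverable, turns the Project Role v2 permission list from this page into a custom-role definition file in the format accepted by `gcloud iam roles create --file`, with the impersonation permissions included only when explicitly requested. The role ID, title and project ID are placeholders.

```python
"""Generate a least-privilege custom-role definition for the project-level
role, optionally omitting the legacy service-account impersonation
permissions. Added example; the role id/title/project id are placeholders
and the YAML is written by hand to avoid a third-party dependency.
"""
from pathlib import Path

# Permissions listed on this page for Databricks Project Role v2.
PROJECT_ROLE_PERMISSIONS = [
    "compute.disks.list",
    "compute.globalOperations.list",
    "compute.regionOperations.list",
    "compute.zoneOperations.list",
    "compute.instances.list",
    "compute.zones.list",
    "compute.zones.get",
    "compute.regions.get",
    "serviceusage.services.list",
    "serviceusage.quotas.get",
    "storage.buckets.list",
    "compute.instances.recommendLocations",
    "compute.spotAssistants.get",
    "compute.reservations.get",
    "compute.reservations.list",
]

# Retained for legacy compatibility; only needed when clusters use a GSA.
LEGACY_GSA_PERMISSIONS = [
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.getOpenIdToken",
]


def project_role_permissions(include_gsa_impersonation: bool) -> list[str]:
    """Return the permission set, with the GSA permissions only if requested."""
    perms = list(PROJECT_ROLE_PERMISSIONS)
    if include_gsa_impersonation:
        perms.extend(LEGACY_GSA_PERMISSIONS)
    return perms


def role_yaml(title: str, description: str, permissions: list[str],
              stage: str = "GA") -> str:
    """Render a role definition in the YAML shape gcloud accepts via --file."""
    lines = [
        f"title: {title}",
        f"description: {description}",
        f"stage: {stage}",
        "includedPermissions:",
    ]
    lines.extend(f"- {p}" for p in permissions)
    return "\n".join(lines) + "\n"


def write_role_file(path: Path, include_gsa_impersonation: bool) -> Path:
    """Write the role file and return its path; caller runs gcloud."""
    body = role_yaml(
        "Databricks Project Role v2 (custom)",  # placeholder title
        "Project-level permissions for the Databricks workspace service account",
        project_role_permissions(include_gsa_impersonation),
    )
    path.write_text(body)
    return path


if __name__ == "__main__":
    out = write_role_file(Path("databricks_project_role_v2.yaml"),
                          include_gsa_impersonation=False)
    # Then, with a placeholder project id:
    #   gcloud iam roles create databricks_project_role_v2 \
    #       --project=PROJECT_ID --file=databricks_project_role_v2.yaml
    print(out.read_text())
```

Diff the generated file against the role that Databricks created in the project (`gcloud iam roles describe ROLE_ID --project=PROJECT_ID`) to spot permissions that were added outside this list.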

Permissions for Databricks Resource Role v2

| Permission | Purpose | Use case |
|---|---|---|
| compute.disks.create | Create Databricks-managed disks | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.disks.delete | Delete Databricks-managed disks | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.disks.get | Get Databricks-managed disk info | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.disks.resize | Resize Databricks-managed disks | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.disks.setLabels | Set labels on Databricks-managed disks | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.disks.update | Update Databricks-managed disks | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.disks.use | Attach Databricks-managed disks to a VM | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.disks.useReadOnly | Attach Databricks-managed disks to a VM in read-only mode | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.create | Create Databricks-managed instances | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.delete | Delete Databricks-managed instances | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.attachDisk | Attach a disk to a Databricks-managed instance | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.detachDisk | Detach a disk from a Databricks-managed instance | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.get | Get instance details | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.getGuestAttributes | Get instance guest attributes | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.getSerialPortOutput | Get instance serial port logs | Debug failed Google Compute Engine (GCE) resources |
| compute.instances.setLabels | Set labels on an instance | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.setTags | Set tags on an instance | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.update | Update an instance | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.setMetadata | Set metadata on an instance | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.instances.setServiceAccount | Set service account on an instance | Manage Google Compute Engine (GCE) resources to run workloads |
| storage.multipartUploads.abort | Cancel a multipart upload to a Databricks-managed GCS bucket | Manage Google Cloud Storage (GCS) upload sessions when uploading large files |
| storage.multipartUploads.create | Create a multipart upload to a Databricks-managed GCS bucket | Manage Google Cloud Storage (GCS) upload sessions when uploading large files |
| storage.multipartUploads.list | List multipart uploads to a Databricks-managed GCS bucket | Manage Google Cloud Storage (GCS) upload sessions when uploading large files |
| storage.multipartUploads.listParts | List parts uploaded for a specific multipart upload to a Databricks-managed GCS bucket | Manage Google Cloud Storage (GCS) upload sessions when uploading large files |
| storage.buckets.create | Create a Databricks-managed GCS bucket | Manage Google Compute Engine (GCE) resources to run workloads |
| storage.buckets.delete | Delete a Databricks-managed GCS bucket | Manage Google Compute Engine (GCE) resources to run workloads |
| storage.buckets.get | Get details of a Databricks-managed GCS bucket | Manage Google Compute Engine (GCE) resources to run workloads |
| storage.buckets.getIamPolicy | Get IAM policy of a Databricks-managed GCS bucket | Manage Google Compute Engine (GCE) resources to run workloads |
| storage.buckets.setIamPolicy | Set IAM policy of a Databricks-managed GCS bucket | Manage Google Compute Engine (GCE) resources to run workloads |
| storage.buckets.update | Update a Databricks-managed GCS bucket | Manage Google Compute Engine (GCE) resources to run workloads |
| storage.objects.create | Create objects in a Databricks-managed GCS bucket | Manage Google Compute Engine (GCE) resources to run workloads |
| storage.objects.delete | Delete objects in a Databricks-managed GCS bucket | Manage Google Compute Engine (GCE) resources to run workloads |
| storage.objects.get | Get objects in a Databricks-managed GCS bucket | Manage Google Compute Engine (GCE) resources to run workloads |
| storage.objects.list | List objects in a Databricks-managed GCS bucket | Manage Google Compute Engine (GCE) resources to run workloads |
| storage.objects.update | Update objects in a Databricks-managed GCS bucket | Manage Google Compute Engine (GCE) resources to run workloads |

Additional permissions for workspaces on a Databricks-managed VPC network

The following permissions are also required for workspaces that use a Databricks-managed VPC network:

| Permission | Purpose | Use case |
|---|---|---|
| compute.networks.access | Launch VMs in the Databricks-managed VPC | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.networks.get | Get details of the Databricks-managed VPC | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.networks.use | Launch VMs in the Databricks-managed VPC | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.networks.useExternalIp | Launch VMs in the Databricks-managed VPC | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.routers.get | Get details of the Databricks-managed router | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.subnetworks.get | Get details of the Databricks-managed subnet | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.subnetworks.use | Launch VMs in the Databricks-managed VPC | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.routers.use | Launch VMs in the Databricks-managed VPC | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.subnetworks.getIamPolicy | Get IAM policy for the Databricks-managed subnet | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.subnetworks.useExternalIp | Launch VMs in the Databricks-managed VPC | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.networks.create | Create the Databricks-managed VPC | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.networks.delete | Delete the Databricks-managed VPC | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.networks.update | Update the Databricks-managed VPC | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.networks.updatePolicy | Update the Databricks-managed VPC | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.subnetworks.create | Create the Databricks-managed subnet | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.subnetworks.delete | Delete the Databricks-managed subnet | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.subnetworks.expandIpCidrRange | Expand the CIDR range of the Databricks-managed subnet | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.subnetworks.setIamPolicy | Set IAM policy on the Databricks-managed subnet | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.subnetworks.setPrivateIpGoogleAccess | Configure Private Google Access on the Databricks-managed subnet | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.subnetworks.update | Update the Databricks-managed subnet | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.routers.create | Create the Databricks-managed router | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.routers.delete | Delete the Databricks-managed router | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.routers.update | Update the Databricks-managed router | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.firewalls.create | Create the ingress firewall rule that allows Databricks VMs to communicate | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.firewalls.delete | Delete the ingress firewall rule on workspace teardown to clean up the VPC | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.firewalls.get | Get the ingress firewall rule details | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.firewalls.update | Update the ingress firewall rule | Manage Google Compute Engine (GCE) resources to run workloads |

Permissions for Databricks Network Role v2

| Permission | Purpose | Use case |
|---|---|---|
| compute.subnetworks.use | Use the subnet in the customer-managed network | Manage Google Compute Engine (GCE) resources to run workloads |
| compute.subnetworks.get | Get the details of the subnet in the customer-managed network | Manage Google Compute Engine (GCE) resources to run workloads |

Legacy permissions

In the legacy GKE deployment model, the workspace service account required permissions in the following IAM roles on the workspace project to operate and manage a workspace:

  • GKE Admin Role: Required to operate and manage customer workloads running on GKE.
  • GCE Storage Admin Role: Required to operate and manage the Google Compute Engine (GCE) persistent storage associated with GKE nodes.
  • Databricks Workspace Role: Required to grant additional permissions needed to manage a workspace.