diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
index a7d2c4af34..2a5993838e 100644
--- a/NEXT_CHANGELOG.md
+++ b/NEXT_CHANGELOG.md
@@ -17,6 +17,8 @@ ### Documentation
+* Fix missing GCP IAM permissions for workspace creation in GCP guides ([#5123](https://github.com/databricks/terraform-provider-databricks/pull/5123)).
+
 ### Exporter
 ### Internal Changes
diff --git a/docs/guides/gcp-private-service-connect-workspace.md b/docs/guides/gcp-private-service-connect-workspace.md
index fb5a3776a5..77c9325caa 100644
--- a/docs/guides/gcp-private-service-connect-workspace.md
+++ b/docs/guides/gcp-private-service-connect-workspace.md
@@ -12,6 +12,8 @@ Secure a workspace with private connectivity and mitigate data exfiltration risk
 To work with Databricks in GCP in an automated way, please create a service account and manually add it in the [Accounts Console](https://accounts.gcp.databricks.com/users) as an account admin. Databricks account-level APIs can only be called by account owners and account admins, and can only be authenticated using Google-issued OIDC tokens. The simplest way to do this would be via [Google Cloud CLI](https://cloud.google.com/sdk/gcloud). For details, please refer to [Provisioning Databricks workspaces on GCP](gcp-workspace.md).
+-> **Note** When using Private Service Connect, ensure that your service account has the `compute.forwardingRules.get` and `compute.forwardingRules.list` permissions in addition to the base permissions listed in the [gcp-workspace.md](gcp-workspace.md) guide. These permissions are required for managing VPC endpoints.
+
 ## Creating a VPC network
 The very first step is VPC creation with the necessary resources. Please consult [main documentation page](https://docs.gcp.databricks.com/administration-guide/cloud-configurations/gcp/customer-managed-vpc.html) for **the most complete and up-to-date details on networking**. A GCP VPC is registered as [databricks_mws_networks](../resources/mws_networks.md) resource.
diff --git a/docs/guides/gcp-workspace.md b/docs/guides/gcp-workspace.md
index 88166ef8b3..b4a5b5ca50 100644
--- a/docs/guides/gcp-workspace.md
+++ b/docs/guides/gcp-workspace.md
@@ -55,28 +55,41 @@ resource "google_project_iam_custom_role" "workspace_creator" {
  role_id = "${var.prefix}_workspace_creator"
  title = "Databricks Workspace Creator"
  permissions = [
- "iam.serviceAccounts.getIamPolicy",
- "iam.serviceAccounts.setIamPolicy",
- "iam.serviceAccounts.create",
- "iam.serviceAccounts.get",
+ # IAM Role Management
  "iam.roles.create",
  "iam.roles.delete",
  "iam.roles.get",
  "iam.roles.update",
+ # Service Account Management
+ "iam.serviceAccounts.create",
+ "iam.serviceAccounts.get",
+ "iam.serviceAccounts.getIamPolicy",
+ "iam.serviceAccounts.setIamPolicy",
+ # Project Management
  "resourcemanager.projects.get",
  "resourcemanager.projects.getIamPolicy",
  "resourcemanager.projects.setIamPolicy",
+ # Service Usage
  "serviceusage.services.get",
  "serviceusage.services.list",
  "serviceusage.services.enable",
+ # Network Management
  "compute.networks.get",
  "compute.networks.updatePolicy",
  "compute.projects.get",
  "compute.subnetworks.get",
  "compute.subnetworks.getIamPolicy",
  "compute.subnetworks.setIamPolicy",
+ # Firewall Management
  "compute.firewalls.get",
  "compute.firewalls.create",
+ # Private Service Connect (required if using PSC)
+ "compute.forwardingRules.get",
+ "compute.forwardingRules.list",
+ # Customer-Managed Keys (required if using CMK)
+ # Uncomment these if you plan to use customer-managed encryption keys:
+ # "cloudkms.cryptoKeys.getIamPolicy",
+ # "cloudkms.cryptoKeys.setIamPolicy",
  ]
 }