databricks / terraform-provider-databricks

Databricks Terraform Provider
https://registry.terraform.io/providers/databricks/databricks/latest

[ISSUE] Issue with `databricks_provider` resource when using a Guest user from another tenant: iss claim #4262

Open ralphkootker opened 12 hours ago

ralphkootker commented 12 hours ago

When working with Azure Databricks, it's often the case that people are invited as Guest users and, as a Guest, perform work on somebody else's Azure account.

In this case, we work with the following provider and auth via the azure-cli. The executing user belongs to ORG A, but the implementation takes place on the Azure account of ORG B. Both make use of Entra ID, and the user from ORG A is added as a Guest to ORG B.

Configuration

provider "databricks" {
  alias      = "accounts"
  host       = "https://accounts.azuredatabricks.net"
  account_id = "xxxxx-xxxxx-xxxx"
  auth_type  = "azure-cli"
}

Error

The error thrown is:

Error: cannot create metastore assignment: io.jsonwebtoken.IncorrectClaimException: Expected iss claim to be: https://sts.windows.net/tenant_id_of_orgB/, but was: https://sts.windows.net/tenant_id_of_orgA/
17:16:58.279 STDERR terraform: │ with databricks_metastore_assignment.this,
17:16:58.280 STDERR terraform: │ on adb_workspace.tf line 121, in resource "databricks_metastore_assignment" "this":

Workaround

I ended up setting the azure_tenant_id in the provider, as the tenant wasn't taken over when running az login --tenant xxxxx.

provider "databricks" {
  alias           = "accounts"
  host            = "https://accounts.azuredatabricks.net"
  account_id      = "xxxxx-xxxxx-xxxx"
  auth_type       = "azure-cli"
  azure_tenant_id = "xxxxx-xxxxx-xxxx"
}
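A local pre-flight check for the mismatch reported above, added here as an example and not part of the issue or of the provider's code: it reads the iss claim of the JWT the Azure CLI hands to the provider (claims only, no signature verification) and confirms the issuing tenant is the target tenant (ORG B) before terraform apply. The tenant IDs and tokens below are constructed placeholders; in practice the token would come from `az account get-access-token`.

```python
import base64
import json
import re
from typing import Optional

# Entra ID v1 tokens carry the tenant in the iss claim in exactly this form,
# which is what the Databricks account API compared against in the error above.
ISS_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-f-]+)/$")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issuer_tenant(token: str) -> Optional[str]:
    """Return the tenant ID named in the token's iss claim, or None if absent/malformed.
    Signature is deliberately not checked: this only inspects a token you obtained yourself."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    m = ISS_RE.match(str(claims.get("iss", "")))
    return m.group(1) if m else None


def token_matches_tenant(token: str, expected_tenant: str) -> bool:
    """True when the token was issued by expected_tenant (ORG B in the issue)."""
    return issuer_tenant(token) == expected_tenant.lower()


def make_unsigned_token(iss: str) -> str:
    # Constructed demo token: header + claims + empty signature (alg "none"), test use only.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'iss': iss})}."


ORG_A = "11111111-1111-1111-1111-111111111111"  # constructed placeholder: home tenant
ORG_B = "22222222-2222-2222-2222-222222222222"  # constructed placeholder: target tenant

if __name__ == "__main__":
    # Token issued when `az login` silently lands in the user's home tenant (ORG A).
    home_token = make_unsigned_token(f"https://sts.windows.net/{ORG_A}/")
    print("home-tenant token accepted for ORG B?", token_matches_tenant(home_token, ORG_B))
    # Token issued after authenticating against the guest tenant (ORG B).
    guest_token = make_unsigned_token(f"https://sts.windows.net/{ORG_B}/")
    print("guest-tenant token accepted for ORG B?", token_matches_tenant(guest_token, ORG_B))
```

Running this before apply surfaces the wrong-tenant token locally instead of as an IncorrectClaimException from the metastore assignment.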