### Configuration

```hcl
# ~/.databrickscfg:
# [my_workspace]
# host = https://dbc-XXXXX.cloud.databricks.com
# auth_type = databricks-cli

provider "databricks" {
  profile = "my_workspace"
}

resource "databricks_access_control_rule_set" "example" {
  name = "accounts/${account_id}/tagPolicies/${tag_policy_id}/ruleSets/default"

  grant_rules {
    principals = [data.databricks_group.admins.acl_principal_id]
    role       = "roles/tagPolicy.manager"
  }
}
```
### Expected Behavior
Per the documentation, databricks_access_control_rule_set should work with a workspace-level provider without requiring any account-level configuration.
### Actual Behavior
The resource fails with:

```
cannot read access control rule set: invalid Databricks Account configuration - host incorrect or account_id missing
```
The provider unexpectedly requires account-level configuration (account_id and accounts host) for a resource that the docs say works at the workspace level. This is distinct from #4629, which is about workspace admins lacking permission to call the account-level API — here the provider is requiring account-level configuration entirely.
### Steps to Reproduce
- Configure a workspace-level profile in ~/.databrickscfg (no account_id, host is a workspace URL)

  The current databrickscfg looks like:

  ```ini
  ; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
  [DEFAULT]

  [account]
  host = https://accounts.cloud.databricks.com
  account_id = [REMOVED]
  auth_type = databricks-cli

  [__settings__]
  default_profile = account

  [prd_ws]
  host = https://<my_prd_url>.cloud.databricks.com
  account_id = [REMOVED]
  auth_type = databricks-cli
  workspace_id = [REMOVED]
  ```
- Reference that profile in the databricks provider block
- Define a databricks_access_control_rule_set resource
- terraform plan
### Terraform and provider versions
- Terraform: v1.6.5
- Provider: v1.105.0
- Platform: macOS
- Databricks CLI v0.296.0
### Is it a regression?
Unknown
### Debug Output
We're a Databricks customer. Please reach out for logs.
### Important Factoids
Workaround: Adding an explicit account-level provider alias resolves the issue:

```hcl
provider "databricks" {
  alias   = "account"
  profile = "account" # profile with host = https://accounts.cloud.databricks.com and account_id
}

resource "databricks_access_control_rule_set" "example" {
  provider = databricks.account
  # ...
}
```
### Would you like to implement a fix?
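A preflight check for the situation reported above, as an added example that is not part of the original report and is not the provider's code. It classifies `~/.databrickscfg` profiles by the rule in the workaround comment (accounts host plus `account_id`). The `accounts.` hostname test, the treatment of `[__settings__]` as a non-profile section, the function names and the sample values are assumptions.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample shaped like the ~/.databrickscfg in the report.
# The IDs and the workspace hostname are placeholders, not real values.
SAMPLE_CFG = """\
; fallback profile
[DEFAULT]
[account]
host = https://accounts.cloud.databricks.com
account_id = 00000000-0000-0000-0000-000000000000
auth_type = databricks-cli
[__settings__]
default_profile = account
[prd_ws]
host = https://dbc-example.cloud.databricks.com
account_id = 00000000-0000-0000-0000-000000000000
auth_type = databricks-cli
workspace_id = 1234567890
"""

def classify_profiles(cfg_text):
    """Map each profile to 'account', 'workspace' or 'incomplete'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    kinds = {}
    for name in parser.sections():          # [DEFAULT] is not listed here
        if name == "__settings__":          # assumed: settings, not a profile
            continue
        hostname = (urlparse(parser[name].get("host", "")).hostname or "").lower()
        on_accounts_host = hostname.startswith("accounts.")  # assumed heuristic
        has_account_id = bool(parser[name].get("account_id", "").strip())
        if on_accounts_host and has_account_id:
            kinds[name] = "account"
        elif on_accounts_host or not hostname:
            kinds[name] = "incomplete"      # accounts host without account_id, or no host
        else:
            kinds[name] = "workspace"       # account_id alone does not change this
    return kinds

def pins_needing_account_alias(pins, cfg_text):
    """pins: {resource address: profile name}. Return addresses not on an account profile."""
    kinds = classify_profiles(cfg_text)
    return sorted(addr for addr, prof in pins.items() if kinds.get(prof) != "account")

if __name__ == "__main__":
    print(classify_profiles(SAMPLE_CFG))
    print(pins_needing_account_alias(
        {"databricks_access_control_rule_set.example": "prd_ws"}, SAMPLE_CFG))
```
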