Description
Summary
When attempting to create an External Location using the Databricks Terraform provider, the operation fails with a permission error—even if the Service Principal (SP) has both Account Admin and Metastore Admin roles.
Error Message
│ Error: cannot create external location: User does not have CREATE EXTERNAL LOCATION on Metastore 'haley_metastore'.
│
│ with module.prod_environment.databricks_external_location.uc_external_location,
│ on modules/environment/external_location.tf line 21, in resource "databricks_external_location" "uc_external_location":
│ 21: resource "databricks_external_location" "uc_external_location" {
Expected Behavior
The SP with Account Admin and Metastore Admin roles should be able to create an External Location without needing additional manual permission configuration.
Actual Behavior
The operation fails unless explicit permission (CREATE EXTERNAL LOCATION) is granted to the SP in the Metastore via the Databricks UI.
Steps to Reproduce
- Assign Account Admin and Metastore Admin roles to a Service Principal.
- Attempt to create an External Location using Terraform and the `databricks_external_location` resource.
- Observe the permission error during apply.
- Manually grant `CREATE EXTERNAL LOCATION` on the metastore to the SP through the Databricks UI.
- Re-run `terraform apply` – it succeeds.
Workaround
Manually assign CREATE EXTERNAL LOCATION permission to the Service Principal in the Metastore before applying.
Terraform Version
Terraform v1.8.2
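
The workaround described above, expressed in Terraform instead of the UI, as an added example that is not part of the original issue or the provider's own code. The variable names and the placeholder name, URL and credential are assumptions, and the grant has to be applied by an identity that can already manage grants on the metastore.

```hcl
# Added example; variable names and placeholder values are assumptions.
variable "metastore_id" {
  type        = string
  description = "ID of the Unity Catalog metastore (placeholder)"
}

variable "sp_application_id" {
  type        = string
  description = "Application ID of the Service Principal that runs terraform apply"
}

# Grant only the privilege named in the error message, on the metastore.
resource "databricks_grant" "sp_create_external_location" {
  metastore  = var.metastore_id
  principal  = var.sp_application_id
  privileges = ["CREATE_EXTERNAL_LOCATION"]
}

resource "databricks_external_location" "uc_external_location" {
  name            = "example-location"                 # placeholder
  url             = "s3://example-bucket/example-path" # placeholder
  credential_name = "example-storage-credential"       # placeholder

  # Ensure the grant exists before the create call is issued.
  depends_on = [databricks_grant.sp_create_external_location]
}
```

`databricks_grant` manages the listed principal's privileges on that securable, so list every metastore privilege the SP needs in this one resource.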