terraform destroy Fails: Missing MANAGE/USE Permissions Despite Account Admin and Metastore Admin Roles #32

@haleyyyblue

Description

Summary

When running terraform destroy with a Service Principal (SP) that has both Account Admin and Metastore Admin roles, the deletion of several Unity Catalog resources (Catalogs, External Locations, Storage Credentials) fails due to missing MANAGE or USE permissions. These permissions had to be manually granted in order for destroy to succeed.

Error Messages

Example errors during terraform destroy:

Error: cannot delete catalog: User does not have MANAGE and USE CATALOG on Catalog 'uc-quickstart-c6pv7v-dev'.

Error: cannot delete external location: User does not have MANAGE on External Location 'uc-quickstart-c6pv7v-prod'.

Error: cannot delete storage credential: User does not have MANAGE on Storage Credential 'uc-quickstart-c6pv7v-sandbox-ext-loc'.

Expected Behavior

A Service Principal with both Account Admin and Metastore Admin roles should be able to delete all associated Unity Catalog resources via Terraform without additional manual permission grants.

Actual Behavior

Despite having high-level roles, the SP is blocked from deleting:

  • Catalogs (needs MANAGE and USE CATALOG)
  • External Locations (needs MANAGE)
  • Storage Credentials (needs MANAGE)

Manual intervention was required to grant these permissions using the UI.
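A pre-destroy check that automates the manual grant step described above, written here as an added example (it is not code from the issue, the reporter, or the Databricks Terraform provider). Given a snapshot of the privileges the SP holds on each securable that `terraform destroy` will delete, it computes which of the privileges named in the error messages are missing and builds the body for the Unity Catalog permissions endpoint. Assumptions: the `PATCH /api/2.1/unity-catalog/permissions/{securable_type}/{full_name}` endpoint, the `effective-permissions` lookup and the privilege names `MANAGE` / `USE_CATALOG` are taken from the public Unity Catalog REST API; the principal is the SP's application ID; the snapshot and the application ID are constructed sample data.

```python
"""Pre-destroy privilege check for Unity Catalog securables.

Added example, not code from this issue or from the Databricks Terraform
provider. Given a snapshot of the privileges a principal holds on each
securable that `terraform destroy` will delete, compute which delete-time
privileges are missing and build the request body for
PATCH /api/2.1/unity-catalog/permissions/{securable_type}/{full_name}.
Assumptions: endpoint shape and privilege names (MANAGE, USE_CATALOG) follow
the public Unity Catalog REST API; the principal is the service principal's
application ID; SAMPLE_* values below are constructed data.
"""
import json
import os
import urllib.request

# Privileges the delete calls demand per securable type, as stated in the
# issue's error messages: "MANAGE and USE CATALOG" for catalogs, "MANAGE" for
# external locations and storage credentials.
REQUIRED_FOR_DELETE = {
    "catalog": {"MANAGE", "USE_CATALOG"},
    "external_location": {"MANAGE"},
    "storage_credential": {"MANAGE"},
}

# Constructed snapshot of what the SP currently holds. In practice this is
# read from GET /api/2.1/unity-catalog/effective-permissions/{securable_type}/
# {full_name}?principal=<application-id> (assumed endpoint).
SAMPLE_PRINCIPAL = "00000000-0000-0000-0000-000000000000"  # hypothetical SP application ID
SAMPLE_SNAPSHOT = [
    ("catalog", "uc-quickstart-c6pv7v-dev", ["USE_SCHEMA"]),
    ("external_location", "uc-quickstart-c6pv7v-prod", ["CREATE_EXTERNAL_TABLE"]),
    ("storage_credential", "uc-quickstart-c6pv7v-sandbox-ext-loc", ["MANAGE"]),
]


def missing_privileges(securable_type, held):
    """Return the delete-time privileges the principal still lacks, sorted."""
    required = REQUIRED_FOR_DELETE[securable_type]
    return sorted(required - set(held))


def grant_body(principal, privileges):
    """Request body for the permissions PATCH: add privileges for one principal."""
    return {"changes": [{"principal": principal, "add": list(privileges)}]}


def plan_grants(principal, snapshot):
    """One entry per securable that would fail to delete, with the PATCH to fix it."""
    plan = []
    for securable_type, full_name, held in snapshot:
        missing = missing_privileges(securable_type, held)
        if missing:
            plan.append({
                "securable_type": securable_type,
                "full_name": full_name,
                "body": grant_body(principal, missing),
            })
    return plan


def apply_grants(plan, host, token):
    """Send each planned PATCH; only invoked when credentials are configured."""
    for item in plan:
        url = f"{host}/api/2.1/unity-catalog/permissions/{item['securable_type']}/{item['full_name']}"
        req = urllib.request.Request(
            url,
            data=json.dumps(item["body"]).encode(),
            method="PATCH",
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            print(item["full_name"], resp.status)


if __name__ == "__main__":
    plan = plan_grants(SAMPLE_PRINCIPAL, SAMPLE_SNAPSHOT)
    print(json.dumps(plan, indent=2))  # dry run: show what would be granted
    host, token = os.environ.get("DATABRICKS_HOST"), os.environ.get("DATABRICKS_TOKEN")
    if host and token:
        apply_grants(plan, host.rstrip("/"), token)
```

Run it before `terraform destroy`: without `DATABRICKS_HOST` and `DATABRICKS_TOKEN` set it only prints the planned grants, so the required privileges can be reviewed before anything is changed. The grants are deliberately made out of band rather than as `databricks_grants` resources in the same Terraform configuration, because Terraform would destroy those grants before the catalog they protect and the delete would fail in the same way. If the SP is the owner of a securable the check reports nothing for it, since the owner already holds every privilege on it.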
