Error when creating a user, group, or service principal at the account level with Terraform

You must include your account_id in the Terraform Databricks provider block to manage users, groups, and service principals.

Written by John.Lourdu

Last published at: October 28th, 2022


Unity Catalog uses Databricks account identities to resolve users, service principals, and groups, and to enforce permissions. These identities can be managed using Terraform.

You are trying to create users, service principals, or groups at the account level when your Terraform code fails with a set `host` property error message.

2022-10-06T15:20:46.816+0300 [INFO]  Starting apply for databricks_group.bfr_databricks_groups
2022-10-06T15:20:46.817+0300 [DEBUG] databricks_group.bfr_databricks_groups: applying the planned Create change
2022-10-06T15:20:46.818+0300 [INFO]  provider.terraform-provider-databricks_v1.4.0: Using directly configured basic authentication: timestamp=2022-10-06T15:20:46.817+0300
2022-10-06T15:20:46.818+0300 [INFO]  provider.terraform-provider-databricks_v1.4.0: Configured basic auth: host=, username=, password=***REDACTED***: timestamp=2022-10-06T15:20:46.818+0300
2022-10-06T15:20:46.818+0300 [DEBUG] provider.terraform-provider-databricks_v1.4.0: POST /api/2.0/preview/scim/v2/Groups {
  "displayName": "test",
  "schemas": [
}: timestamp=2022-10-06T15:20:46.818+0300
2022-10-06T15:20:48.283+0300 [DEBUG] provider.terraform-provider-databricks_v1.4.0: 405 Method Not Allowed [non-JSON document of 334 bytes]: timestamp=2022-10-06T15:20:48.283+0300
2022-10-06T15:20:48.283+0300 [WARN]  provider.terraform-provider-databricks_v1.4.0: /api/2.0/preview/scim/v2/Groups:405 - Databricks API (/api/2.0/preview/scim/v2/Groups) requires you to set `host` property (or DATABRICKS_HOST env variable) to result of `databricks_mws_workspaces.this.workspace_url`. This error may happen if you're using provider in both normal and multiworkspace mode. Please refactor your code into different modules. Runnable example that we use for integration testing can be found in this repository at timestamp=2022-10-06T15:20:48.283+0300


The account_id parameter is missing in the Terraform Databricks provider block.


You must add your Databricks account_id to the Terraform Databricks provider block.



You must be an admin user to get your Databricks account ID.

  1. Login to the Databricks account console (AWS | Azure).
  2. Click User Profile.
  3. Look for the Account ID value in the pop-up.

// initialize provider at account-level
provider "databricks" {
  alias      = "mws"
  host       = ""
  account_id = "<databricks-account-id>
  username   = var.databricks_account_username
  password   = var.databricks_account_password

Please review the Terraform databricks_group Resource documentation for more details.