Failed credential validation checks error with Terraform

You get a 'Failed credential validation checks' error message when using Terraform to deploy a Databricks workspace in AWS.

Written by Cedric Law

Last published at: August 16th, 2022

Problem

You are using Terraform to deploy a workspace in AWS and you get a Failed credential validation checks error message.

│ Error: MALFORMED_REQUEST: Failed credential validation checks: please use a valid cross account IAM role with permissions setup correctly 
│ 
│   with databricks_mws_credentials.this,
│   on cross-account-role.tf line 29, in resource "databricks_mws_credentials" "this":
│   29: resource "databricks_mws_credentials" "this" {
│

Cause

This issue can occur due to a race condition when the cross-account role configuration is applied by Terraform: the credential validation can run before the newly created cross-account IAM role has finished propagating in AWS. If you re-run terraform apply after getting the Failed credential validation checks error, the operation is successful and does not result in an error message.

Solution

You should add an artificial delay as a dependency for the cross-account role configuration. This prevents the race condition from occurring when using Terraform.

  1. In this example cross-account role configuration file, time_sleep.wait has been added as a dependency.
    // cross-account-role.tf
    
    // Properly configure the cross-account role for the creation of new workspaces within your AWS account.
    // See https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/mws_credentials
    
    resource "databricks_mws_credentials" "this" {
      provider         = databricks.mws
      account_id       = var.databricks_account_id
      role_arn         = aws_iam_role.cross_account_role.arn
      credentials_name = "${local.prefix}-creds"
      // Wait for the delay defined in time_sleep.wait before registering the credentials.
      depends_on = [
        time_sleep.wait
      ]
    }
    
    
  2. The duration of the delay is set to 10 seconds. You can adjust the delay length as needed.
    resource "time_sleep" "wait" {
      depends_on = [
        aws_iam_role.cross_account_role
      ]
      create_duration = "10s"
    }
  3. Save the updated cross-account role configuration file.
  4. Run terraform init.
  5. Run terraform apply.

After the artificial delay has been added to the cross-account role configuration, you can resume normal deployments with Terraform.
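
The following variant of the two blocks above is an added example, not part of the original article. It declares the provider that supplies time_sleep (the reason terraform init is needed) and starts the delay only after the role's permissions are attached. It assumes those permissions come from an inline policy resource named aws_iam_role_policy.cross_account_policy, which is a hypothetical name.

```hcl
// Added example, not from the original article.
// Assumption: permissions are attached to the role with a resource named
// aws_iam_role_policy.cross_account_policy (hypothetical name).

terraform {
  required_providers {
    // time_sleep is provided by hashicorp/time. Merge this entry into your
    // existing required_providers block; a module may declare only one.
    time = {
      source = "hashicorp/time"
    }
  }
}

resource "time_sleep" "wait" {
  // Depending on the role alone lets the timer start while the policy is
  // still being created. Listing both starts the delay after the role and
  // its permissions exist.
  depends_on = [
    aws_iam_role.cross_account_role,
    aws_iam_role_policy.cross_account_policy, // hypothetical name
  ]
  create_duration = "10s"
}

resource "databricks_mws_credentials" "this" {
  provider         = databricks.mws
  account_id       = var.databricks_account_id
  role_arn         = aws_iam_role.cross_account_role.arn
  credentials_name = "${local.prefix}-creds"
  // Credentials are registered only after the delay has elapsed.
  depends_on = [
    time_sleep.wait
  ]
}
```

create_duration delays only the initial creation of time_sleep.wait; later applies against resources that already exist are not slowed down.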

Review the Terraform time_sleep documentation for more information.

You can also review the Databricks Terraform documentation.