Permissions deployments fail with "The job must have exactly one owner." error #4466

@d-cegielka

Describe the issue

When deploying a DAB using the Databricks CLI in development mode using a Service Principal, the deployment fails with the error:

Uploading bundle files to /Workspace/Users/***/.bundle/development/solutions_bundle/files...
Deploying resources...
Error: terraform apply: exit status 1

Error: cannot create permissions: The job must have exactly one owner.

  with databricks_permissions.job_Job1,
  on bundle.tf.json line 69, in resource.databricks_permissions.job_Job1:
  69:       },

Error: cannot create permissions: The pipeline must have exactly one owner.

  with databricks_permissions.pipeline_Pipeline1,
  on bundle.tf.json line 86, in resource.databricks_permissions.pipeline_Pipeline1:
  86:       }

I have two separate bundles deployed to two different workspaces. Each workspace uses a different Service Principal.
My top-level permissions configuration assigns CAN_MANAGE to the SPN.

permissions:
  - service_principal_name: ${var.service_principal_id}
    level: CAN_MANAGE

Additionally, inside the development target, I grant CAN_MANAGE to current_user (to eliminate warnings when deploying bundle locally).

targets:
  development:
    mode: development
    default: true
    workspace:
      host: https://adb-XXXXXXXX.XX.azuredatabricks.net 
      root_path: /Workspace/Users/${workspace.current_user.userName}/.bundle/${bundle.target}/${bundle.name}
    permissions:
      - user_name: ${workspace.current_user.userName}
        level: CAN_MANAGE

On Workspace A this setup works correctly and deploys many jobs, pipelines, dashboards, etc.
On Workspace B, the same configuration fails with the error “The job must have exactly one owner.” while deploying permissions for resources.
I would expect identical behavior across workspaces when using the same configuration.

Configuration

We use Databricks in Azure. In my setup, a PR validation pipeline (Azure DevOps) deploys the bundle in development mode using a Microsoft Entra ID service principal to validate the bundle before deploying to the environment in production mode (before completing the PR). After deploying in development mode, the bundle is destroyed.

Steps to reproduce the behavior

  1. Configure the DAB with top‑level permissions assigning CAN_MANAGE to a Service Principal.
  2. In the targets.development section, assign additional CAN_MANAGE permissions to ${workspace.current_user.userName}.
  3. Trigger deployment as SPN.
  4. Run: databricks bundle deploy -t development

Expected Behavior

The deployment should succeed, assigning ownership/permissions according to the defined YAML, just like it does on Workspace A.

Actual Behavior

Deployment fails on Workspace B with the error “The job must have exactly one owner.”, even though the configuration and deployment process are identical to Workspace A.

OS and CLI version

The error is observed on Windows Server (Azure DevOps Self-Agent) with Databricks CLI 0.287.0.
