[ISSUE] Issue with retrieving credential for account using azure cli "databricks_user" or "databricks_group" at account level #4063

Open
jordandakota opened this issue Oct 1, 2024 · 1 comment

Comments

@jordandakota

Configuration

Info for configuration pasted in Steps to Reproduce. Essentially using azuread and databricks to look at a list of users from an azuread group and create them in databricks. Up until 1.49.1 this worked. After that, it starts failing to retrieve the credential using a service principal with azure cli.

Expected Behavior

Should retrieve credential and perform as expected, refreshing state and creating any new users and deleting any users that no longer exist in azure ad.

Actual Behavior

Fails to get credential from local cache past version 1.49.1

Steps to Reproduce

  1. az cli using service principal with account admin
  2. add required providers like

        terraform {
          required_providers {
            databricks = {
              source  = "databricks/databricks"
              version = "1.49.1"
            }
          }
        }

  3. add provider for account like

        provider "databricks" {
          alias      = "azure_account_id"
          host       = "accounts.azuredatabricks.net"
          account_id = var.account_id
          auth_type  = "azure-cli"
        }

  4. add a set of databricks users

        resource "databricks_user" "business_users" {
          provider = databricks.azure_account_id

          for_each = toset(data.azuread_group.business_users.members)

          user_name    = data.azuread_user.business_users[each.value].user_principal_name
          display_name = data.azuread_user.business_users[each.value].display_name
          active       = true
          force        = true
        }

  5. fail on refreshing information from account, cannot retrieve credential from local cache.

Terraform and provider versions

Terraform v1.9.6
on windows_amd64

  • provider registry.terraform.io/databricks/databricks v1.49.1 (stops working on v1.50 and v1.51)
  • provider registry.terraform.io/hashicorp/azuread v2.47.0
  • provider registry.terraform.io/hashicorp/azurerm v3.97.0
  • provider registry.terraform.io/hashicorp/random v3.6.0
  • provider registry.terraform.io/hashicorp/time v0.11.1

Is it a regression?

This works up until 1.49.1, stops working at 1.50

Debug Output

│ Error: cannot read user: failed during request visitor: default auth: azure-cli: cannot get access token: WARNING: Could not retrieve credential from local cache for service principal e0da535f-4aa5-45fd-ad10-0817c932b48c under tenant common. Trying credential under tenant 1e98afad-8153-4889-a48f-60dc77bc87a8, assuming that is an app credential.
│ ERROR: AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials. Trace ID: 3e7f0d70-f60c-4276-bbcb-996f4dac2200 Correlation ID: fbb9e0db-dfdc-44f5-95a7-68b18f7d64a6 Timestamp: 2024-10-01 15:50:11Z
│ Interactive authentication is needed. Please run:
│ az login
│ . Config: host=https://accounts.azuredatabricks.net, account_id=..., azure_tenant_id=common

with databricks_user.business_users["e19e3ae5-7d22-44eb-ac2f-282badf9b128"],
│ on sync_ad_business_users.tf line 20, in resource "databricks_user" "business_users":
│ 20: resource "databricks_user" "business_users" {

Important Factoids

Would you like to implement a fix?

@alexott
Contributor

alexott commented Oct 7, 2024

Authentication is handled by the Go SDK, so please file an issue there.
