[ISSUE] Issue with databricks_provider resource when using a Guest user from another tenant: iss claim #4262

Open
ralphkootker opened this issue Nov 21, 2024 · 0 comments

Comments

@ralphkootker
When working with Azure Databricks, it's often the case that people are invited as Guest users and, as a Guest, perform work on somebody else's Azure account.

In this case, we work with the following provider and authenticate via the azure-cli.
The executing user belongs to ORG A, but the implementation takes place on the Azure account of ORG B. Both make use of Entra ID, and the user from ORG A is added as a Guest to ORG B.

Configuration

provider "databricks" {
  alias      = "accounts"
  host       = "https://accounts.azuredatabricks.net"
  account_id = "xxxxx-xxxxx-xxxx"
  auth_type  = "azure-cli"
}

Error

The error thrown is:

Error: cannot create metastore assignment: io.jsonwebtoken.IncorrectClaimException: Expected iss claim to be:
https://sts.windows.net/tenant_id_of_orgB/, but was: https://sts.windows.net/tenant_id_of_orgA/
17:16:58.279 STDERR terraform: │ with databricks_metastore_assignment.this,
17:16:58.280 STDERR terraform: │ on adb_workspace.tf line 121, in resource "databricks_metastore_assignment" "this":

Workaround

I ended up setting the azure_tenant_id in the provider, as the tenant wasn't taken over when running az login --tenant xxxxx.

provider "databricks" {
  alias           = "accounts"
  host            = "https://accounts.azuredatabricks.net"
  account_id      = "xxxxx-xxxxx-xxxx"
  auth_type       = "azure-cli"
  azure_tenant_id = "xxxxx-xxxxx-xxxx"
}
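
Added example, not part of the original issue or the provider's code: a small check that decodes an access token's payload and compares its iss claim with the issuer format shown in the error above, so a token minted in the guest's home tenant is caught before Terraform runs. The tenant IDs, the sample tokens and the function names (jwt_claims, check_issuer, sample_token) are constructed for illustration; in practice the token would be the one the Azure CLI hands out.

```python
import base64
import json

# Constructed tenant IDs standing in for ORG A (guest's home) and ORG B (resource owner).
ORG_A = "aaaaaaaa-0000-0000-0000-000000000000"
ORG_B = "bbbbbbbb-0000-0000-0000-000000000000"


def jwt_claims(token):
    """Return the payload claims of a compact JWT. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_issuer(token, tenant_id):
    """Compare the token's iss claim with the issuer format shown in the error message."""
    want = "https://sts.windows.net/%s/" % tenant_id
    got = jwt_claims(token).get("iss")
    if got == want:
        return True, "ok: iss is %s" % want
    return False, "mismatch: expected %s, token has %s" % (want, got)


def sample_token(tenant_id):
    """Build an unsigned, constructed token for the demo (not a real Entra ID token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"iss": "https://sts.windows.net/%s/" % tenant_id, "tid": tenant_id}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Token minted in the guest's home tenant, checked against ORG B: the failing case.
    print(check_issuer(sample_token(ORG_A), ORG_B)[1])
    # Token minted in ORG B, as when azure_tenant_id is set: the passing case.
    print(check_issuer(sample_token(ORG_B), ORG_B)[1])
```

The decode step does not verify the signature, so it is suitable for diagnosing which tenant issued a token, not for trusting one.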