bundle deploy fails with "must have exactly one owner" when using direct deployment engine #5682

Description

@IP4-AA

Describe the issue

When deploying bundles using the direct deployment engine, bundle deploy fails with HTTP 400 for jobs and pipelines that have a permissions block defined. The direct engine sends a PUT request to the Permissions API without a valid IS_OWNER entry, which the API rejects. The Terraform engine handled this implicitly by setting the deploying principal as owner automatically.

There is no workaround: IS_OWNER is not a valid permission level in the bundle permissions schema (allowed values: [CAN_MANAGE, CAN_VIEW, CAN_RUN]), so the owner cannot be set explicitly in the configuration.

Configuration

bundle:
  name: my-bundle
  engine: direct

run_as:
  service_principal_name: ${var.run_as_user_id}

resources:
  pipelines:
    my-pipeline:
      permissions:
        - level: CAN_MANAGE
          service_principal_name: ${var.run_as_user_id}
  jobs:
    my-job:
      permissions:
        - level: CAN_MANAGE
          service_principal_name: ${var.run_as_user_id}

var.run_as_user_id is injected via the BUNDLE_VAR_run_as_user_id environment variable in CI/CD. The deploying principal is a separate service principal set via DATABRICKS_CLIENT_ID — it does not appear in the bundle configuration at all.

Steps to reproduce the behavior

  1. Configure a bundle with bundle.engine: direct
  2. Set a run_as service principal via BUNDLE_VAR_run_as_user_id
  3. Define permissions on pipelines and/or jobs
  4. Deploy via databricks bundle deploy --target <target>
  5. See error

Expected Behavior

The direct engine sets the deploying principal (DATABRICKS_CLIENT_ID) as IS_OWNER implicitly, consistent with the behavior of the Terraform engine. No explicit owner definition should be required in the bundle configuration.

Actual Behavior

Error: cannot create resources.pipelines.raw_data_view.permissions: The pipeline must have exactly one owner. (400 INVALID_PARAMETER_VALUE)
Endpoint: PUT https://<host>/api/2.0/permissions/pipelines/<id>
API message: The pipeline must have exactly one owner.

Error: cannot create resources.pipelines.raw_data_table.permissions: The pipeline must have exactly one owner. (400 INVALID_PARAMETER_VALUE)
Endpoint: PUT https://<host>/api/2.0/permissions/pipelines/<id>
API message: The pipeline must have exactly one owner.

Error: cannot create resources.jobs.delta_importer.permissions: The job must have exactly one owner. (400 INVALID_PARAMETER_VALUE)
Endpoint: PUT https://<host>/api/2.0/permissions/jobs/<id>
API message: The job must have exactly one owner.

Attempting to add IS_OWNER explicitly as a workaround results in a validation error at plan time:

Error: invalid permission level: IS_OWNER, allowed values: [CAN_MANAGE, CAN_VIEW, CAN_RUN]

There is therefore no available workaround.

OS and CLI version

  • Databricks CLI: v1.4.0
  • OS: RHEL Linux (GitLab CI shell executor)
  • Cloud: Azure Databricks

Is this a regression?

Yes. The same bundle configuration deployed successfully with the Terraform engine. The issue only occurs after migrating to the direct engine (bundle.engine: direct).

Detailed plan

Will be added after redaction if required by maintainers.

Debug Logs

Will be added after redaction if required by maintainers.


Related issues: #4466, #3849
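
The owner handling requested under "Expected Behavior", sketched as an added example (not code from the Databricks CLI or from the reporter). The names `ACE`, `withImplicitOwner`, `putBody` and the principal IDs are hypothetical, and appending the deploying principal as `IS_OWNER` when the configuration declares no owner is the assumption taken from the issue text.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ACE is one access_control_list entry (user_name / group_name variants omitted).
type ACE struct {
	ServicePrincipalName string `json:"service_principal_name,omitempty"`
	PermissionLevel      string `json:"permission_level"`
}

// withImplicitOwner returns an ACL with exactly one IS_OWNER entry. If the
// configuration declares none, the deploying principal is appended as owner.
func withImplicitOwner(acl []ACE, deployerSP string) ([]ACE, error) {
	owners := 0
	for _, e := range acl {
		if e.PermissionLevel == "IS_OWNER" {
			owners++
		}
	}
	switch {
	case owners > 1:
		return nil, errors.New("more than one IS_OWNER entry")
	case owners == 1:
		return acl, nil
	case deployerSP == "":
		return nil, errors.New("no owner declared and deploying principal unknown")
	}
	out := append([]ACE{}, acl...) // copy so the caller's slice is not modified
	return append(out, ACE{ServicePrincipalName: deployerSP, PermissionLevel: "IS_OWNER"}), nil
}

// putBody renders the JSON body for PUT /api/2.0/permissions/<type>/<id>.
func putBody(acl []ACE) (string, error) {
	b, err := json.Marshal(map[string][]ACE{"access_control_list": acl})
	return string(b), err
}

func main() {
	// Constructed input mirroring the bundle above: only the run_as principal is listed.
	acl := []ACE{{ServicePrincipalName: "run-as-sp-app-id", PermissionLevel: "CAN_MANAGE"}}
	fixed, _ := withImplicitOwner(acl, "deployer-sp-app-id")
	body, _ := putBody(fixed)
	fmt.Println(body)
}
```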

Labels: Bug (Something isn't working), DABs (DABs related issues), engine/direct (Specific to direct deployment engine in Databricks Asset Bundles)
