From 7d70b361b4774428f6118bfc84bc7015bb193bdb Mon Sep 17 00:00:00 2001
From: Shreyas Goenka
Date: Fri, 1 May 2026 12:23:41 +0200
Subject: [PATCH] acceptance: fix vector_search_endpoint permissions config to use existing principal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The invariant test config used "user_name: viewer@example.com", which doesn't exist in the cloud workspaces. The Permissions Set API silently drops the unknown user, so a Read after deploy returns an ACL without that entry — the no_drift invariant then sees a phantom update and the test fails on aws-prod-ucws. Use "group_name: users" (the always-present users group) to match the pattern in every other *_with_permissions invariant config (jobs, models, secret scopes). Verified that the no_drift variant now passes on aws-prod-ucws.

Co-authored-by: Isaac
---
 .../bundle/invariant/configs/vector_search_endpoint.yml.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance/bundle/invariant/configs/vector_search_endpoint.yml.tmpl b/acceptance/bundle/invariant/configs/vector_search_endpoint.yml.tmpl
index 1befb4e157e..cea1a4d026c 100644
--- a/acceptance/bundle/invariant/configs/vector_search_endpoint.yml.tmpl
+++ b/acceptance/bundle/invariant/configs/vector_search_endpoint.yml.tmpl
@@ -12,4 +12,4 @@ resources:
 endpoint_type: STANDARD
 permissions:
 - level: CAN_USE
- user_name: viewer@example.com
+ group_name: users
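Review bot: The new `group_name: users` entry has no comment saying why the principal must be one that exists in every target workspace, so a later edit could put a made-up user back and reintroduce the same phantom drift. The commit message says the Permissions Set API silently drops unknown principals, so a declared grant can be missing from the applied ACL with no error. A comment above the entry would record that, for example `# principal must exist in the workspace: unknown principals are silently dropped by the permissions API and surface as drift`. It may also be worth stating in that comment that `users` is the built-in group (as far as I know it covers every workspace user), so granting it CAN_USE is fine for a throwaway test endpoint but should not be copied into real bundles. The `permissions` list and the resource definition start outside the hunk.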