Reputation: 21
I want to create a Secret Scope via the Databricks REST API 2.0.
When I use an SPN for az login, I get the following error when running the request /api/2.0/secrets/scopes/create:
{"error_code":"CUSTOMER_UNAUTHORIZED","message":"Unable to grant read/list permission to Databricks service principal to KeyVault 'https://dtbrcks-kvxxx.vault.azure.net/': key not found: https://management.core.windows.net/"}
But when I use a user login, the same code works fine!
The SPN and the user have the same permissions on the Databricks (Owner/Admin) and Key Vault (Owner) resources.
What is necessary to make this operation work using the SPN?
To get the access token I use these commands:
az login --service-principal
access_token=$(az account get-access-token \
--resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d \
--query "accessToken" \
--output tsv)
And this code to create the Secret Scope backed by Azure Key Vault:
# The body is double-quoted so that $subid, $rg, $kvname and $kv_url expand;
# inside single quotes they would be sent to the API as literal text.
curl -X POST \
-H "Authorization: Bearer $access_token" \
-H 'Content-Type: application/json' \
-d "{\"scope\":\"keyvault-scope\",\"scope_backend_type\":\"AZURE_KEYVAULT\",\"backend_azure_keyvault\":{\"resource_id\":\"/subscriptions/$subid/resourceGroups/$rg/providers/Microsoft.KeyVault/vaults/$kvname\",\"dns_name\":\"$kv_url\"}}" \
"$dtbrcks_url/api/2.0/secrets/scopes/create"
Upvotes: 2
Views: 2168
Reputation: 42133
If your service principal is the Owner of the Databricks workspace, and meets any of the following conditions, you must provide the X-Databricks-Azure-Workspace-Resource-Id header and a management access token for the Azure Resource Management endpoint when you call the API.
To get the management access token, just change the resource to https://management.core.windows.net.
management_access_token=$(az account get-access-token \
--resource 'https://management.core.windows.net' \
--query "accessToken" \
--output tsv)
Then pass it in the request like this link.
# $management_access_token is the ARM token obtained above; $workspace_resource_id is the
# ARM resource id of the workspace (/subscriptions/.../providers/Microsoft.Databricks/workspaces/...).
curl -X POST \
-H "Authorization: Bearer $access_token" \
-H "X-Databricks-Azure-SP-Management-Token: $management_access_token" \
-H "X-Databricks-Azure-Workspace-Resource-Id: $workspace_resource_id" \
-H 'Content-Type: application/json' \
-d "{\"scope\":\"keyvault-scope\",\"scope_backend_type\":\"AZURE_KEYVAULT\",\"backend_azure_keyvault\":{\"resource_id\":\"/subscriptions/$subid/resourceGroups/$rg/providers/Microsoft.KeyVault/vaults/$kvname\",\"dns_name\":\"$kv_url\"}}" \
"$dtbrcks_url/api/2.0/secrets/scopes/create"
Or you can use a non-admin user login. Prior to this login, the service principal must be added to the workspace, either as part of the admin user login or using the Add service principal endpoint; then you can use the AAD token to call the API directly.
Upvotes: -1
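The full two-token flow from the question and the answer, as an added shell example (it is not code from either post). It assumes the az CLI is already logged in as the service principal, that curl is available, and that the workspace's ARM resource id has the form /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Databricks/workspaces/{name}; the workspace URL, subscription, resource group, workspace and vault names passed to create_keyvault_scope are placeholders you supply. The request body and resource ids are built by small functions so they can be checked without calling Azure.

```shell
#!/usr/bin/env sh
# Added example: create an Azure Key Vault-backed Databricks secret scope as a
# service principal by sending the AAD token plus the ARM management token and
# the workspace resource id header, as the answer describes.
set -eu

# Azure Databricks application id (the --resource value from the question).
DATABRICKS_APP_ID="2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"
# Azure Resource Manager audience for the management token (from the answer).
ARM_RESOURCE="https://management.core.windows.net"

# JSON body for /api/2.0/secrets/scopes/create. Values are printf arguments, so
# no shell expansion has to happen inside the quotes.
scope_payload() {
  scope="$1"; resource_id="$2"; dns_name="$3"
  printf '{"scope":"%s","scope_backend_type":"AZURE_KEYVAULT","backend_azure_keyvault":{"resource_id":"%s","dns_name":"%s"}}' \
    "$scope" "$resource_id" "$dns_name"
}

# ARM resource id of the Key Vault referenced by the scope.
keyvault_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}

# ARM resource id of the workspace, sent in X-Databricks-Azure-Workspace-Resource-Id
# (assumed path form, see lead-in).
workspace_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Databricks/workspaces/%s' "$1" "$2" "$3"
}

# Token for one audience from the current az login (works for SPN or user login).
get_token() {
  az account get-access-token --resource "$1" --query accessToken --output tsv
}

# create_keyvault_scope <workspace-url> <subscription> <resource-group> <workspace-name> <vault-name> <scope-name>
create_keyvault_scope() {
  ws_url="$1"; sub="$2"; rg="$3"; ws="$4"; kv="$5"; scope="$6"
  aad_token=$(get_token "$DATABRICKS_APP_ID")   # Authorization: Bearer
  mgmt_token=$(get_token "$ARM_RESOURCE")       # proves the SPN's ARM access to the workspace
  curl --fail --silent --show-error -X POST \
    -H "Authorization: Bearer $aad_token" \
    -H "X-Databricks-Azure-SP-Management-Token: $mgmt_token" \
    -H "X-Databricks-Azure-Workspace-Resource-Id: $(workspace_resource_id "$sub" "$rg" "$ws")" \
    -H 'Content-Type: application/json' \
    -d "$(scope_payload "$scope" "$(keyvault_resource_id "$sub" "$rg" "$kv")" "https://$kv.vault.azure.net/")" \
    "$ws_url/api/2.0/secrets/scopes/create"
}

# Usage (placeholders, not real resources):
# create_keyvault_scope "https://adb-0000000000000000.0.azuredatabricks.net" \
#   "00000000-0000-0000-0000-000000000000" "my-rg" "my-workspace" "my-kv" "keyvault-scope"
```

Both tokens are short-lived bearer credentials: keep them in variables rather than on the command line of a script that echoes its commands, and do not write them to logs. The management token is what lets Databricks look up the calling principal against the workspace resource, which is why the error in the question names https://management.core.windows.net/ as the missing key.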