Databricks API 2.0 - Can't create KEYVAULT secrets scopes using SPN credentials

  • Question

  • I want to create a Secret Scope via the Databricks REST API 2.0.

    When I use an SPN for az login I get the following error when running the request /api/2.0/secrets/scopes/create

    {"error_code":"CUSTOMER_UNAUTHORIZED","message":"Unable to grant read/list permission to Databricks service principal to KeyVault '': key not found:"}

    But when I use a user login the same code works fine!

    The SPN and the user have the same permissions on the Databricks (Owner/Admin) and Key Vault (Owner) resources.

    What is necessary to make this operation work using an SPN?

    To get the access token I use these commands:

    # Sign in as the service principal (client id, client secret and tenant id
    # are placeholders for the SPN's own values, not shown in the post)
    az login --service-principal \
              --username "$client_id" \
              --password "$client_secret" \
              --tenant "$tenant_id"
    # Request an AAD token for the Azure Databricks resource (application id 2ff814a6-...)
    access_token=$(az account get-access-token \
                       --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d \
                       --query "accessToken" \
                       --output tsv)

    And the following code to create the Secret Scope backed by Azure Key Vault:

    # The body is double-quoted so that $subid, $rg, $kvname and $kv_url expand;
    # inside single quotes curl would send the literal text "$subid".
    curl -X POST \
         -H "Authorization: Bearer $access_token" \
         -H 'Content-Type: application/json' \
         -d "{\"scope\":\"keyvault-scope\",\"scope_backend_type\":\"AZURE_KEYVAULT\",\"backend_azure_keyvault\":{\"resource_id\":\"/subscriptions/$subid/resourceGroups/$rg/providers/Microsoft.KeyVault/vaults/$kvname\",\"dns_name\":\"$kv_url\"}}" \
         "$dtbrcks_url/api/2.0/secrets/scopes/create"

    Additional info:

    When I use X-Databricks-Azure-SP-Management-Token it doesn't work, failing with {"error_code":"INTERNAL_ERROR","message":"Internal error happened while granting read/list permission to Databricks service principal to KeyVault:"}

    But when I try to use a Databricks personal access token I get this interesting API response: {"error_code":"INVALID_PARAMETER_VALUE","message":"Scope with Azure KeyVault must have userAADToken defined!"}.

    It means I can only use userAADToken!!! - Why?

    Thursday, November 19, 2020 12:28 PM
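The same scope-creation flow as an added example, not the poster's code: the request body is built in a function with double quotes so the variables actually expand (the single-quoted payload in the post would send the literal text "$subid"), the AAD token is requested for the Databricks resource exactly as in the post, and nothing touches the network unless the assumed RUN_CREATE_SCOPE switch is set. DATABRICKS_URL, KV_RESOURCE_ID and KV_DNS_NAME are assumed environment variable names.

```shell
#!/usr/bin/env bash
# Added example: create an Azure Key Vault-backed Databricks secret scope.
# Assumed inputs (not from the post): DATABRICKS_URL, KV_RESOURCE_ID, KV_DNS_NAME.
set -eu

# Application id of the Azure Databricks resource (value taken from the post).
DATABRICKS_RESOURCE_ID="2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"

# Emit the JSON body for /api/2.0/secrets/scopes/create.
# printf with %s keeps the literal JSON in single quotes while the
# scope name, Key Vault resource id and DNS name are substituted in.
build_scope_body() {
  local scope="$1" resource_id="$2" dns_name="$3"
  printf '{"scope":"%s","scope_backend_type":"AZURE_KEYVAULT","backend_azure_keyvault":{"resource_id":"%s","dns_name":"%s"}}' \
    "$scope" "$resource_id" "$dns_name"
}

# Obtain an AAD access token for the Databricks resource via the Azure CLI,
# the same command the post uses; the token is never written to disk.
get_databricks_token() {
  az account get-access-token \
    --resource "$DATABRICKS_RESOURCE_ID" \
    --query accessToken --output tsv
}

# POST the scope definition. The bearer token travels only in the
# Authorization header, and the body is generated by build_scope_body so
# no variable is left unexpanded inside the JSON.
create_kv_scope() {
  local databricks_url="$1" token="$2" scope="$3" resource_id="$4" dns_name="$5"
  curl -sS -X POST \
    -H "Authorization: Bearer $token" \
    -H 'Content-Type: application/json' \
    -d "$(build_scope_body "$scope" "$resource_id" "$dns_name")" \
    "$databricks_url/api/2.0/secrets/scopes/create"
}

# Only call the API when explicitly requested (assumed switch), so the file
# can be sourced to inspect the generated body without any network access.
if [ "${RUN_CREATE_SCOPE:-0}" = "1" ]; then
  create_kv_scope "$DATABRICKS_URL" "$(get_databricks_token)" \
    "keyvault-scope" "$KV_RESOURCE_ID" "$KV_DNS_NAME"
fi
```

Run with RUN_CREATE_SCOPE=1 and the three variables set to submit the request; without it, the functions can be sourced and build_scope_body called to check the exact JSON that would be sent.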