topic Re: Lakebase login via REST for a service principal in Lakebase Discussions

Lakebase login via REST for a service principal

_Lilith — Fri, 24 Apr 2026 10:40:37 GMT

Hi all,

I’m trying to set up REST-based communication between my Lakebase and a REST-client.

I’m following the documentation “Connecting to Lakebase via REST using a service principal” to obtain a workspace-level token. After that, I use the Lakebase Data API to authenticate against Lakebase and create/configure my user.

However, I’m running into a 403 error with the message:

Permission denied to set role {SP client ID}

My assumption is that this happens because I can’t grant the authenticator role to a service principal.

Does this mean that using user-based OAuth or username/password authentication is the only way to access Lakebase via REST? Neither of these options seems very secure to me.
Or am I missing a supported approach for service principals here?

Thanks in advance!

Re: Lakebase login via REST for a service principal

szymon_dybczak — Fri, 24 Apr 2026 12:00:15 GMT

Hi ,

You need to assing a proper role for your Service Principal. Go to:

Roles & Databases > Add role > OAuth tab, select the service principal to grant database access to.
After creating the role, you need to also grant permissons

Both those steps are well described at below docs:

Adding role: Lakebase Data API | Databricks on AWS

Grant permissions: Lakebase Data API | Databricks on AWS

If my answer was helpful, please consider marking it as accepted solution.

Re: Lakebase login via REST for a service principal

_Lilith — Fri, 24 Apr 2026 12:25:55 GMT

Thanks for your reply.

These are the steps that I have also followed and had linked to in my question.

When granting permissions, the first line of the documentation fails when I use a service principal

-- Allow authenticator to assume the identity of the user GRANT "{service principal user ID}" TO authenticator;

ERROR: permission denied to grant role "{service principal user ID}" (SQLSTATE 42501)

Re: Lakebase login via REST for a service principal

balajij8 — Fri, 24 Apr 2026 13:06:24 GMT

You can change the code to use the client application ID (UUID) of the service principal as the identity name and run it.

GRANT "UUID" TO authenticator;

Re: Lakebase login via REST for a service principal

_Lilith — Fri, 24 Apr 2026 14:12:25 GMT

That is what I am using. Taking the example of the documentation what I do first is:

1- Create a service principal in the workspace

2- Add the service principal as a user in lakebase, using service principals Application ID

SELECT databricks_create_role('8c01cfb1-62c9-4a09-88a8-e195f4b01b08', 'SERVICE_PRINCIPAL');

3- I get the mentioned error at the first step of giving permissions in the SQL editor:

-- Allow authenticator to assume the identity of the user GRANT "8c01cfb1-62c9-4a09-88a8-e195f4b01b08" TO authenticator;

ERROR: permission denied to grant role "8c01cfb1-62c9-4a09-88a8-e195f4b01b08" (SQLSTATE 42501)

Re: Lakebase login via REST for a service principal

balajij8 — Fri, 24 Apr 2026 15:33:05 GMT

It's failing due to insufficient privileges. Can you check that you have 'Can Manage' access under Project Permissions in the Lake base project? If you have 'Can Use' access, you can ask for 'Can Manage' access or you can ask the admin to run the GRANT sequence to initialize the Service Principal

Re: Lakebase login via REST for a service principal

_Lilith — Fri, 24 Apr 2026 19:42:38 GMT

I created a new Lakebase project to retrace all my steps.

0- I reused my service principal on the workspace

1- installed databricks authentication extension:

CREATE EXTENSION IF NOT EXISTS databricks_auth;

2-Added the lakehouse service principal to the lakebase project

SELECT databricks_create_role('{UUID}', 'SERVICE_PRINCIPAL');

3- Enabled Data API to get authenticator user created

4- Finally granted authenticator role to the service principal

GRANT "{UUID}" TO authenticator;

And this time it worked. I do not understand what the difference is to last time, maybe my authenticator user was somehow corrupted.

Thank you @balajij8 & @szymon_dybczak for your answers and suggestions