topic Re: Cannot create storage credential without Contributor role in Data Engineering

Cannot create storage credential without Contributor role

maikelos272 — Tue, 16 Jan 2024 10:03:28 GMT

Hello,

I am trying to create a Storage Credential. I have created the access connector and gave the managed identity "Storage Blob Data Owner" permissions. However when I want to create a storage credential I get the following error:

Creating a storage credential requires the contributor role over the corresponding access connector with ID
/subscriptions/655a2f34-****-****-b77d-f45e70210122/resourceGroups/sub-name/providers/Microsoft.Databricks/accessConnectors/connector-name. 
Please contact your account admin.

The problem is that in my organization I cannot get a Contributor role, furthermore I'm not even sure if it is required. I have done some further tests with a service principal and I get the following error when calling an API to get the storage credentials created:

databricks --log-level DEBUG --profile VNXSPT storage-credentials create --json '@.\storage-cred-vnx.json'
...
 "error_code": "RESOURCE_DOES_NOT_EXIST",
 "message": "Refresh token not found for userId: Some(4295475011008721)"
...

The above also doesn't work but in another environment I have tested this it worked without the SP having a contributor role on the access connector. How can I make this work with the contributor role?

Re: Cannot create storage credential without Contributor role

maikelos272 — Thu, 18 Jan 2024 17:03:25 GMT

I have added the Contributor role to my Service principal and I still get the same error. I tried multiple auth options and multiple clients, including sending a request to the API itself. I know the token is correct as other API endpoints work just fine. Could you guys help?

Re: Cannot create storage credential without Contributor role

RTabur — Tue, 12 Mar 2024 19:42:09 GMT

Hi @maikelos272,

Did you manage to solve the problem? I have the same headache here...

I get the same error while trying to create the storage credentials. When I'm using my user token the credentials are successfully created but not with the SPN's token. The permissions are the same for me and the SPN.

Re: Cannot create storage credential without Contributor role

Kim3 — Tue, 02 Apr 2024 12:14:51 GMT

Hi @Retired_mod

Can you elaborate on the error "Refresh token not found for userId"?

I have exactly the same problem as described in this thread. I am trying to create a storage credential using a Personal Access Token from a Service Principal. This results in 404 with the response body:

{ "error_code": "RESOURCE_DOES_NOT_EXIST", "message": "Refresh token not found for userId: Some(2302042022180399)", "details": [ { "@type": "type.googleapis.com/google.rpc.RequestInfo", "request_id": "d731471b-b6b8-41a9-bf77-993529733668", "serving_data": "" } ] }

When I use a Personal Access Token from my own user, the storage credential is created without error. Both the Service Principal and I have admin rights in Databricks and the Service Principal is Contributor on the Subscription.

Re: Cannot create storage credential without Contributor role

subhash_1692 — Thu, 24 Oct 2024 14:25:06 GMT

Did someone find a solution?

{
	"error_code": "RESOURCE_DOES_NOT_EXIST",
	"message": "Refresh token not found for userId: Some(2302042022180399)",
	"details": [
		{
			"@type": "type.googleapis.com/google.rpc.RequestInfo",
			"request_id": "d731471b-b6b8-41a9-bf77-993529733668",
			"serving_data": ""
		}
	]
}

I am Also getting the same error which is giving me headache..

Re: Cannot create storage credential without Contributor role

RTabur — Thu, 31 Oct 2024 13:18:30 GMT

I don't remember exactly how I solved this issue but I think I've added the following permissions on the metastore for the SPN through the Databricks API (you may not need all of them): CREATE_CATALOG, CREATE_CONNECTION, CREATE_EXTERNAL_LOCATION, CREATE_PROVIDER, CREATE_RECIPIENT, CREATE_SHARE, CREATE_STORAGE_CREDENTIAL

Please confirm if this solves your issue.