topic Re: Service principal’s Microsoft Entra ID access token returns 400 when calling Databricks REST API in Data Engineering

Service principal’s Microsoft Entra ID access token returns 400 when calling Databricks REST API

WTW-DBrat — Mon, 17 Jun 2024 15:07:25 GMT

I'm using the following to call a Databricks REST API. When I use a PAT for access_token, everything works fine. When I use a Microsoft Entra ID access token, the response returns 400. The service principal has access to the workspace and is part of the workspace admin group. The call to the token api is successful and returns a token. According to the documentation, the Microsoft Entra ID access token should work with the Databricks REST API. What am I doing wrong?

import requests import json tenant_id = dbutils.secrets.get("IMDL_AKV", "tenant-id") client_id = dbutils.secrets.get("IMDL_AKV", "sp-id") client_secret = dbutils.secrets.get("IMDL_AKV", "sp-secret") url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token" headers = {'Content-Type': 'application/x-www-form-urlencoded'} data = { 'client_id': client_id, 'grant_type': 'client_credentials', 'scope': 'https://graph.microsoft.com/.default', 'client_secret': client_secret } response = requests.post(url, headers=headers, data=data) responseJson = json.loads(response.text) access_token = response.json().get('access_token') databricksURL = dbutils.notebook.entry_point.getDbutils().notebook().getContext().apiUrl().getOrElse(None) #print(access_token) header = {'Authorization': 'Bearer {}'.format(access_token)} endpoint = '/api/2.1/unity-catalog/catalogs/test_dev' payload = json.dumps({ "isolation_mode": "ISOLATED"}) resp = requests.patch( databricksURL + endpoint, data=payload, headers=header ) print(resp) responseJson = json.loads(resp.text) print(responseJson)

Re: Service principal’s Microsoft Entra ID access token returns 400 when calling Databricks REST API

Jag — Mon, 17 Jun 2024 18:55:57 GMT

hello, Try to print the repose and see are you table to see the access_token in the payload else looks like access issue.
Try to go to the workspace setting and grant token access permission to the service principle.

Workspace > Setting

Re: Service principal’s Microsoft Entra ID access token returns 400 when calling Databricks REST API

WTW-DBrat — Mon, 17 Jun 2024 19:13:07 GMT

Yes, I can see the access_token returned from the token api. The only return I get from the Databricks catalogs API is <Response [400]>. The service principal is a member of an account group that is a member of workspace admin which inherits Can Manage on PAT. I tried explicitly granted the service principal Can Use token permissions but still get the same results.