https://community.databricks.com/t5/data-engineering/serverless-compute-adls-gen2-authorization-failure-with-rbac/m-p/140879#M51557 <P><SPAN>We are facing an authorization issue when using <STRONG>serverless compute</STRONG> with ADLS Gen2 storage. Queries fail with:</SPAN></P><DIV><DIV><DIV><SPAN>Code</SPAN></DIV><DIV>&nbsp;</DIV></DIV><DIV class=""><DIV><PRE>AbfsRestOperationException: Operation failed: "This request is not authorized to perform this operation.", 403 AuthorizationFailure</PRE></DIV></DIV></DIV><P><SPAN><STRONG>Details:</STRONG></SPAN></P><UL><LI><P><SPAN><STRONG>Environment:</STRONG> Azure Databricks with Unity Catalog enabled</SPAN></P></LI><LI><P><SPAN><STRONG>Storage:</STRONG> ADLS Gen2, external location configured</SPAN></P></LI><LI><P><SPAN><STRONG>Authentication:</STRONG> Unity Catalog storage credential using Service Principal (not SAS token)</SPAN></P></LI><LI><P><SPAN><STRONG>RBAC:</STRONG> Service Principal has <STRONG>Storage Blob Data Contributor</STRONG> role at the storage account level</SPAN></P></LI><LI><P><SPAN><STRONG>Behavior:</STRONG></SPAN></P><UL><LI><P><SPAN>Queries succeed when using <STRONG>general purpose compute clusters</STRONG></SPAN></P></LI><LI><P><SPAN>Queries fail with 403 when using <STRONG>serverless compute</STRONG></SPAN></P></LI></UL></LI></UL><P><SPAN><STRONG>Steps Tried:</STRONG></SPAN></P><OL><LI><P><SPAN>Verified RBAC role assignment at both account and container level.</SPAN></P></LI><LI><P><SPAN>Confirmed external location is bound to the storage credential.</SPAN></P></LI><LI><P><SPAN>Granted usage on external location to UC groups.</SPAN></P></LI><LI><P><SPAN>Tested access via CLI with the same Service Principal — works fine.</SPAN></P></LI></OL><P><SPAN><STRONG>Request for Help:</STRONG></SPAN></P><UL><LI><P><SPAN>Are there additional RBAC permissions or workspace entitlements required for <STRONG>serverless compute</STRONG> to access ADLS Gen2?</SPAN></P></LI><LI><P><SPAN>Does serverless compute require a different configuration for Unity Catalog storage credentials compared to general compute?</SPAN></P></LI></UL><P><SPAN><STRONG>Impact:</STRONG> We are currently using general compute clusters as a workaround, but need serverless compute enabled for production workloads.</SPAN></P> Tue, 02 Dec 2025 14:41:24 GMT Charansai 2025-12-02T14:41:24Z https://community.databricks.com/t5/data-engineering/serverless-compute-adls-gen2-authorization-failure-with-rbac/m-p/140879#M51557 <P><SPAN>We are facing an authorization issue when using <STRONG>serverless compute</STRONG> with ADLS Gen2 storage. Queries fail with:</SPAN></P><DIV><DIV><DIV><SPAN>Code</SPAN></DIV><DIV>&nbsp;</DIV></DIV><DIV class=""><DIV><PRE>AbfsRestOperationException: Operation failed: "This request is not authorized to perform this operation.", 403 AuthorizationFailure</PRE></DIV></DIV></DIV><P><SPAN><STRONG>Details:</STRONG></SPAN></P><UL><LI><P><SPAN><STRONG>Environment:</STRONG> Azure Databricks with Unity Catalog enabled</SPAN></P></LI><LI><P><SPAN><STRONG>Storage:</STRONG> ADLS Gen2, external location configured</SPAN></P></LI><LI><P><SPAN><STRONG>Authentication:</STRONG> Unity Catalog storage credential using Service Principal (not SAS token)</SPAN></P></LI><LI><P><SPAN><STRONG>RBAC:</STRONG> Service Principal has <STRONG>Storage Blob Data Contributor</STRONG> role at the storage account level</SPAN></P></LI><LI><P><SPAN><STRONG>Behavior:</STRONG></SPAN></P><UL><LI><P><SPAN>Queries succeed when using <STRONG>general purpose compute clusters</STRONG></SPAN></P></LI><LI><P><SPAN>Queries fail with 403 when using <STRONG>serverless compute</STRONG></SPAN></P></LI></UL></LI></UL><P><SPAN><STRONG>Steps Tried:</STRONG></SPAN></P><OL><LI><P><SPAN>Verified RBAC role assignment at both account and container level.</SPAN></P></LI><LI><P><SPAN>Confirmed external location is bound to the storage credential.</SPAN></P></LI><LI><P><SPAN>Granted usage on external location to UC groups.</SPAN></P></LI><LI><P><SPAN>Tested access via CLI with the same Service Principal — works fine.</SPAN></P></LI></OL><P><SPAN><STRONG>Request for Help:</STRONG></SPAN></P><UL><LI><P><SPAN>Are there additional RBAC permissions or workspace entitlements required for <STRONG>serverless compute</STRONG> to access ADLS Gen2?</SPAN></P></LI><LI><P><SPAN>Does serverless compute require a different configuration for Unity Catalog storage credentials compared to general compute?</SPAN></P></LI></UL><P><SPAN><STRONG>Impact:</STRONG> We are currently using general compute clusters as a workaround, but need serverless compute enabled for production workloads.</SPAN></P> Tue, 02 Dec 2025 14:41:24 GMT https://community.databricks.com/t5/data-engineering/serverless-compute-adls-gen2-authorization-failure-with-rbac/m-p/140879#M51557 Charansai 2025-12-02T14:41:24Z https://community.databricks.com/t5/data-engineering/serverless-compute-adls-gen2-authorization-failure-with-rbac/m-p/140882#M51559 <P>private link from serverless, as probably you are not allowing public internet access.&nbsp;<A href="https://learn.microsoft.com/en-gb/azure/databricks/security/network/serverless-network-security/serverless-private-link" target="_blank">Configure private connectivity to Azure resources - Azure Databricks | Microsoft Learn</A>&nbsp;you need to add both dfs and blob</P> Tue, 02 Dec 2025 14:50:49 GMT https://community.databricks.com/t5/data-engineering/serverless-compute-adls-gen2-authorization-failure-with-rbac/m-p/140882#M51559 Hubert-Dudek 2025-12-02T14:50:49Z