https://community.databricks.com/t5/data-engineering/attach-instance-profile-to-service-principal/m-p/12791#M7553 <P>Hi, Could you please check if these were followed:</P><P><A href="https://docs.databricks.com/administration-guide/users-groups/service-principals.html" target="test_blank">https://docs.databricks.com/administration-guide/users-groups/service-principals.html</A></P><P><A href="https://docs.databricks.com/aws/iam/instance-profile-tutorial.html" target="test_blank">https://docs.databricks.com/aws/iam/instance-profile-tutorial.html</A></P><P><A href="https://docs.databricks.com/aws/iam/manage-instance-profiles.html" target="test_blank">https://docs.databricks.com/aws/iam/manage-instance-profiles.html</A></P><P></P><P>Please let us know if this helps. </P> Wed, 11 Jan 2023 22:38:25 GMT Debayan 2023-01-11T22:38:25Z https://community.databricks.com/t5/data-engineering/attach-instance-profile-to-service-principal/m-p/12790#M7552 <P>Hey Guys, </P><P></P><P>I'm having some permission issues using service principal and instance profile and i hope you could help me.</P><P></P><P>I created a service principal and attached to it an instance profile - databricks-my-profile.</P><P></P><P>I have a s3 bucket with policy that allow read/write only to service principal databricks-my-profile. this bucket has been mount into dbfs.</P><P></P><P>I have a cluster with databricks-my-profile instance profile.</P><P></P><P>While im able to read &amp; write into this s3 bucket from databricks environment( from notebooks, jobs) which is good since the cluster have an instance profile that fits with the s3 bucket restrictions, I can't read &amp; write data from this bucket using my service principal but i can see in its roles that databricks-my-profile exists for this specific sp.</P><P></P><P>I tried to copy files into the bucket using databricks cli and with the sp token and got an error.</P><P></P><P>Command use to upload files:</P><PRE><CODE>databricks fs ls dbfs:/mnt/my_mounted_bucket --profile my-service-principal</CODE></PRE><P>Error i get after runnnig the command:</P><PRE><CODE>Error: Authorization failed. Your token may be expired or lack the valid scope</CODE></PRE><P></P><P>Does some one have any idea why this is failing? or how i should debug this issue? </P><P>I check the s3 bucket policy and the restriction are only on instance profile - so this don't happening because ip restrictions or something like this.</P><P></P><P>Hope you can help me.</P><P>Thanks!</P> Tue, 10 Jan 2023 16:05:09 GMT https://community.databricks.com/t5/data-engineering/attach-instance-profile-to-service-principal/m-p/12790#M7552 Orianh 2023-01-10T16:05:09Z https://community.databricks.com/t5/data-engineering/attach-instance-profile-to-service-principal/m-p/12793#M7555 <P>Hey @Kaniz Fatma​&nbsp;, @Debayan Mukherjee​, </P><P></P><P>Thanks for your answers.</P><P></P><P>Actually, Databricks is not support using DBFS API with service principal &amp; attached instance profile on a mounted s3 bucket.</P><P></P><P>I'm not sure if this exists in docs (might miss it) but this info can be achieved using debug flag (--debug) on the cli command that i specified...</P><P></P><P></P><P></P> Tue, 17 Jan 2023 09:40:55 GMT https://community.databricks.com/t5/data-engineering/attach-instance-profile-to-service-principal/m-p/12793#M7555 Orianh 2023-01-17T09:40:55Z https://community.databricks.com/t5/data-engineering/attach-instance-profile-to-service-principal/m-p/12791#M7553 <P>Hi, Could you please check if these were followed:</P><P><A href="https://docs.databricks.com/administration-guide/users-groups/service-principals.html" target="test_blank">https://docs.databricks.com/administration-guide/users-groups/service-principals.html</A></P><P><A href="https://docs.databricks.com/aws/iam/instance-profile-tutorial.html" target="test_blank">https://docs.databricks.com/aws/iam/instance-profile-tutorial.html</A></P><P><A href="https://docs.databricks.com/aws/iam/manage-instance-profiles.html" target="test_blank">https://docs.databricks.com/aws/iam/manage-instance-profiles.html</A></P><P></P><P>Please let us know if this helps. </P> Wed, 11 Jan 2023 22:38:25 GMT https://community.databricks.com/t5/data-engineering/attach-instance-profile-to-service-principal/m-p/12791#M7553 Debayan 2023-01-11T22:38:25Z