"User not authorized" error when trying to deploy access connector on Azure

virbickt — Tue, 27 Dec 2022 13:42:55 GMT

Hi,

I have been trying to deploy Access Connector resource on Azure using Azure Pipelines (YAML) and a Bicep template but I cannot find a solution to this error:

ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"PreconditionFailed","message":"{\r\n  \"error\": {\r\n    \"code\": \"403\",\r\n    \"message\": \"User not authorized.\"\r\n  }\r\n}"}]}}

I have slimmed down the YAML pipeline I am using to deploy the access connector to the minimum:

trigger: none
 
pool:
  vmImage: windows-latest
 
stages:
  - stage: Deploy
    jobs:
    - job:
      displayName: Deploy Access Connector
      steps:
      - task: AzureCLI@2
        displayName: Azure CLI
        inputs:
          azureSubscription: 'tv-service-connection'
          scriptType: pscore
          scriptLocation: inlineScript
          inlineScript: |
            az deployment group create --resource-group devops-development-rg --template-file create-access-connector-2.bicep

where `tv-service-connection` is the name of the service connection, `devops-development-rg` is the name of the resource group and `create-access-connector-2.bicep` is the bicep template. The bicep template I am using is taken from the official documentation with minor modifications:

param location string = resourceGroup().location
 
resource accessConnector 'Microsoft.Databricks/accessConnectors@2022-04-01-preview' = {
  name: 'accessConnectordbtv'
  location: location
  identity: {
    type: 'None'
  }
  properties: {}
}

The things I have tried without any success:

assigning Owner or/and Contributor rights to the service connection on both subscription/resource group level
az login with the details of service connection to run az group deployment with the bicep template (still get the same error)
using Terraform for deployment as per official tutorial
assigning Microsoft Graph API IdentityProvider.ReadWrite.All permission to the service connection as suggested in this post which seems to be the closest to the problem I'm facing.

Any suggestions would be extremely appreciated as I am getting pretty desperate at this point.

Re: "User not authorized" error when trying to deploy access connector on Azure

Aviral-Bhardwaj — Wed, 28 Dec 2022 04:34:21 GMT

The job you are running try to give that user privilege

Re: "User not authorized" error when trying to deploy access connector on Azure

virbickt — Wed, 28 Dec 2022 07:39:06 GMT

Thanks for the suggestion, but I already have Owner privileges on a subscription level assigned to both myself and the service connection used for that job. Any other suggestions?

Re: "User not authorized" error when trying to deploy access connector on Azure

ThomasVanBilsen — Thu, 05 Jan 2023 07:44:21 GMT

Hi,

I fixed this issue by adding the service principal to the list of service principals in the Account Console. My guess is that after the access connector is created an API call is made to the Databricks account and the service principal making that call needs to be known in the Databricks account. In your case, my guess is that the service principal is not yet registered there.

topic "User not authorized" error when trying to deploy access connector on Azure in Data Engineering

"User not authorized" error when trying to deploy access connector on Azure

Re: "User not authorized" error when trying to deploy access connector on Azure

Re: "User not authorized" error when trying to deploy access connector on Azure

Re: "User not authorized" error when trying to deploy access connector on Azure