https://community.databricks.com/t5/get-started-discussions/mounting-adls-gen2-from-databricks-rbac-issue/m-p/45201#M5826 <P>&nbsp;</P><P>I am trying to mount my Gen 2 storage account in databricks. I have added permission of Storage blob data contributor to the storage account. But I am getting below error:<BR />Invalid permissions on the specified KeyVault <A href="https://kvmigrationnew.vault.azure.net/" target="_blank">https://kvmigrationnew.vault.azure.net/</A>. Wrapped Message: Status code 403, {"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: name=AzureDatabricks;appid=123abcdbhjdllajddaddd;iss=<A href="https://sts.windows.net/984433r41f5ssadfgfsf/\" target="_blank">https://sts.windows.net/984433r41f5ssadfgfsf/\</A>r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/xxxx-xxx-xxx/resourcegroups/rsggen2demo/providers/microsoft.keyvault/vaults/kvmigrationnew/secrets/clientid'\r\nAssignment: (not found)\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: kvmigrationnew;location=eastus2\r\n","innererror":{"code":"ForbiddenByRbac"}}}<BR />------------------------------------<BR />Configuration<BR />---------------<BR />Resource group: rsggen2demo<BR />Storage acc name: stggen2demo<BR />Keyvault: kvmigrationnew<BR />DB Scope: gen2mig<BR /><BR />Code:<BR />adlsAccountName = "stggen2demo"<BR />adlsContainerName = "output"<BR />adlsFolderName = "schemas_new"<BR />mountPoint = "/mnt/schemas_new"<BR /><BR /># Application (Client) ID<BR />applicationId = dbutils.secrets.get(scope="gen2mig",key="ClientID")<BR /><BR /># Application (Client) Secret Key<BR />authenticationKey = dbutils.secrets.get(scope="gen2mig",key="ClientSecret")<BR /><BR /># Directory (Tenant) ID<BR />tenandId = dbutils.secrets.get(scope="gen2mig",key="TenantID")<BR /><BR />endpoint = "<A href="https://login.microsoftonline.com/" target="_blank">https://login.microsoftonline.com/</A>" + tenandId + "/oauth2/token"<BR />source = "abfss://" + adlsContainerName + "@" + adlsAccountName + ".dfs.core.windows.net/" + adlsFolderName<BR /><BR /># Connecting using Service Principal secrets and OAuth<BR />configs = {"fs.azure.account.auth.type": "OAuth",<BR />"fs.azure.account.oauth.provider.type": "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider",<BR />"fs.azure.account.oauth2.client.id": applicationId,<BR />"fs.azure.account.oauth2.client.secret": authenticationKey,<BR />"fs.azure.account.oauth2.client.endpoint": endpoint}<BR /><BR /># Mount ADLS Storage to DBFS only if the directory is not already mounted<BR />if not any(mount.mountPoint == mountPoint for mount in dbutils.fs.mounts()):<BR />dbutils.fs.mount(<BR />source = source,<BR />mount_point = mountPoint,<BR />extra_configs = configs)<BR /><BR /><BR /><BR /><BR /></P><P>&nbsp;</P> Mon, 18 Sep 2023 05:29:53 GMT keer1392 2023-09-18T05:29:53Z https://community.databricks.com/t5/get-started-discussions/mounting-adls-gen2-from-databricks-rbac-issue/m-p/45201#M5826 <P>&nbsp;</P><P>I am trying to mount my Gen 2 storage account in databricks. I have added permission of Storage blob data contributor to the storage account. But I am getting below error:<BR />Invalid permissions on the specified KeyVault <A href="https://kvmigrationnew.vault.azure.net/" target="_blank">https://kvmigrationnew.vault.azure.net/</A>. Wrapped Message: Status code 403, {"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: name=AzureDatabricks;appid=123abcdbhjdllajddaddd;iss=<A href="https://sts.windows.net/984433r41f5ssadfgfsf/\" target="_blank">https://sts.windows.net/984433r41f5ssadfgfsf/\</A>r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/xxxx-xxx-xxx/resourcegroups/rsggen2demo/providers/microsoft.keyvault/vaults/kvmigrationnew/secrets/clientid'\r\nAssignment: (not found)\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: kvmigrationnew;location=eastus2\r\n","innererror":{"code":"ForbiddenByRbac"}}}<BR />------------------------------------<BR />Configuration<BR />---------------<BR />Resource group: rsggen2demo<BR />Storage acc name: stggen2demo<BR />Keyvault: kvmigrationnew<BR />DB Scope: gen2mig<BR /><BR />Code:<BR />adlsAccountName = "stggen2demo"<BR />adlsContainerName = "output"<BR />adlsFolderName = "schemas_new"<BR />mountPoint = "/mnt/schemas_new"<BR /><BR /># Application (Client) ID<BR />applicationId = dbutils.secrets.get(scope="gen2mig",key="ClientID")<BR /><BR /># Application (Client) Secret Key<BR />authenticationKey = dbutils.secrets.get(scope="gen2mig",key="ClientSecret")<BR /><BR /># Directory (Tenant) ID<BR />tenandId = dbutils.secrets.get(scope="gen2mig",key="TenantID")<BR /><BR />endpoint = "<A href="https://login.microsoftonline.com/" target="_blank">https://login.microsoftonline.com/</A>" + tenandId + "/oauth2/token"<BR />source = "abfss://" + adlsContainerName + "@" + adlsAccountName + ".dfs.core.windows.net/" + adlsFolderName<BR /><BR /># Connecting using Service Principal secrets and OAuth<BR />configs = {"fs.azure.account.auth.type": "OAuth",<BR />"fs.azure.account.oauth.provider.type": "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider",<BR />"fs.azure.account.oauth2.client.id": applicationId,<BR />"fs.azure.account.oauth2.client.secret": authenticationKey,<BR />"fs.azure.account.oauth2.client.endpoint": endpoint}<BR /><BR /># Mount ADLS Storage to DBFS only if the directory is not already mounted<BR />if not any(mount.mountPoint == mountPoint for mount in dbutils.fs.mounts()):<BR />dbutils.fs.mount(<BR />source = source,<BR />mount_point = mountPoint,<BR />extra_configs = configs)<BR /><BR /><BR /><BR /><BR /></P><P>&nbsp;</P> Mon, 18 Sep 2023 05:29:53 GMT https://community.databricks.com/t5/get-started-discussions/mounting-adls-gen2-from-databricks-rbac-issue/m-p/45201#M5826 keer1392 2023-09-18T05:29:53Z