Databricks

kinsun · ‎04-27-2023

Dear Databricks Expert

I am trying to get a key which is stored in the Azure Key Vault, using Azure Key Vault Keys client library for Python. However error was met.

Python Code:

#

from azure.identity import DefaultAzureCredential

from azure.identity import ClientSecretCredential

from azure.keyvault.keys import KeyClient

credential = ClientSecretCredential(tenant_id='***',

client_id='YYY',

client_secret='ZZZ'

)

key_client = KeyClient(vault_url="https://AAA.vault.azure.net", credential = credential)

keys = key_client.list_properties_of_keys()

for key in keys:

print(key.name)

Error:

HttpResponseError: (Forbidden) The user, group or application 'appid=MASK;oid=MASK;iss=MASK' does not have keys list permission on key vault 'MASK;location=MASK'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287

Code: Forbidden

Message: The user, group or application 'appid=MASK;oid=MASK;iss=MASK' does not have keys list permission on key vault 'MASK;location=MASK'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287

Inner error: {

"code": "AccessDenied"

}

More information:

01: Managed Identity is Azure Access Connector for Databricks

02: Tenant ID, Client ID and Client Secret should be correct. This is because with the setting I am able to retrieve Secrets stored in the same Azure Key Vault and access the contents in Azure Storage Account

spark.conf.set("fs.azure.account.auth.type", "OAuth")

spark.conf.set("fs.azure.account.oauth.provider.type", "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider")

spark.conf.set("fs.azure.account.oauth2.client.id", "***")

spark.conf.set("fs.azure.account.oauth2.client.secret", "YYY")

spark.conf.set("fs.azure.account.oauth2.client.endpoint", "https://login.microsoftonline.com/99e838ef-4ec1-4ce2-9229-2efbb56fb03c/oauth2/token")

03: Key permissions in the access policies for the Access Connector is FULL

04: The Databricks Workspace and the Azure Key Vault are in the same subnet

05: Key Vault's IAM. Key Vault Crypto Officer and Contributor. Yet I don't think it is highly related.

Might I have advices from the experts on how to solve this issue? Thanks a lot!!!

Anonymous · ‎04-28-2023

@KS LAU :

It seems that the error message is indicating that the user, group, or application that you are using does not have permission to list the keys in the Azure Key Vault.

You mentioned that you were able to retrieve secrets stored in the same Azure Key Vault, but are facing issues only with listing the keys. This could be because the access policies for the Azure Key Vault might not have been configured properly.

To resolve this issue, you can follow these steps:

Verify that the user, group, or application that you are using to access the Azure Key Vault has the "List" permission for keys in the access policies. You can check this by navigating to the Access policies blade in the Azure portal and ensuring that the appropriate permission is enabled for the user, group, or application.
If you have recently added the user, group, or application to the access policies, wait for some time for the permissions to propagate. It may take a few minutes for the changes to take effect.
Ensure that the client ID and client secret used to authenticate the user, group, or application are correct.
Check if there are any firewall or network restrictions in place that could be preventing the user, group, or application from accessing the Azure Key Vault.
If the issue persists, try creating a new Azure Key Vault and grant appropriate permissions to the user, group, or application to access the keys.

View solution in original post

Anonymous · ‎04-28-2023

@KS LAU :

It seems that the error message is indicating that the user, group, or application that you are using does not have permission to list the keys in the Azure Key Vault.

You mentioned that you were able to retrieve secrets stored in the same Azure Key Vault, but are facing issues only with listing the keys. This could be because the access policies for the Azure Key Vault might not have been configured properly.

To resolve this issue, you can follow these steps:

Verify that the user, group, or application that you are using to access the Azure Key Vault has the "List" permission for keys in the access policies. You can check this by navigating to the Access policies blade in the Azure portal and ensuring that the appropriate permission is enabled for the user, group, or application.
If you have recently added the user, group, or application to the access policies, wait for some time for the permissions to propagate. It may take a few minutes for the changes to take effect.
Ensure that the client ID and client secret used to authenticate the user, group, or application are correct.
Check if there are any firewall or network restrictions in place that could be preventing the user, group, or application from accessing the Azure Key Vault.
If the issue persists, try creating a new Azure Key Vault and grant appropriate permissions to the user, group, or application to access the keys.

Anonymous · ‎04-28-2023

Hi @KS LAU

Thank you for posting your question in our community! We are happy to assist you.

To help us provide you with the most accurate information, could you please take a moment to review the responses and select the one that best answers your question?

This will also help other community members who may have similar questions in the future. Thank you for your participation and let us know if you need any further assistance!

Databricks

Azure Key Vault Keys client library for Python - keys list permission issue

Registration now open! Databricks Data + AI Summit 2024

Meet DBRX, the New Standard for High-Quality LLMs

Data Warehousing in the Era of AI