04-27-2023 08:24 AM
Dear Databricks Expert
I am trying to get a key which is stored in the Azure Key Vault, using the Azure Key Vault Keys client library for Python. However, an error was encountered.
Python Code:

from azure.identity import ClientSecretCredential
from azure.keyvault.keys import KeyClient

# Service principal (app registration) credentials, masked in this post
credential = ClientSecretCredential(
    tenant_id="***",
    client_id="YYY",
    client_secret="ZZZ",
)
key_client = KeyClient(vault_url="https://AAA.vault.azure.net", credential=credential)

# Enumerating keys requires the "list" key permission for this principal
keys = key_client.list_properties_of_keys()
for key in keys:
    print(key.name)
Error:
HttpResponseError: (Forbidden) The user, group or application 'appid=MASK;oid=MASK;iss=MASK' does not have keys list permission on key vault 'MASK;location=MASK'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
Code: Forbidden
Message: The user, group or application 'appid=MASK;oid=MASK;iss=MASK' does not have keys list permission on key vault 'MASK;location=MASK'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
Inner error: {
"code": "AccessDenied"
}
More information:
01: Managed Identity is Azure Access Connector for Databricks
02: Tenant ID, Client ID and Client Secret should be correct. This is because, with the following settings, I am able to retrieve secrets stored in the same Azure Key Vault and access the contents of an Azure Storage Account:
spark.conf.set("fs.azure.account.auth.type", "OAuth")
spark.conf.set("fs.azure.account.oauth.provider.type", "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider")
spark.conf.set("fs.azure.account.oauth2.client.id", "***")
spark.conf.set("fs.azure.account.oauth2.client.secret", "YYY")
spark.conf.set("fs.azure.account.oauth2.client.endpoint", "https://login.microsoftonline.com/99e838ef-4ec1-4ce2-9229-2efbb56fb03c/oauth2/token")
03: Key permissions in the access policies for the Access Connector is FULL
04: The Databricks Workspace and the Azure Key Vault are in the same subnet
05: Key Vault's IAM: Key Vault Crypto Officer and Contributor. Yet I don't think it is highly related.
Might I have advice from the experts on how to solve this issue? Thanks a lot!!!
04-28-2023 10:47 AM
@KS LAU :
It seems that the error message is indicating that the user, group, or application that you are using does not have permission to list the keys in the Azure Key Vault.
You mentioned that you were able to retrieve secrets stored in the same Azure Key Vault, but are facing issues only with listing the keys. This could be because the access policies for the Azure Key Vault might not have been configured properly.
To resolve this issue, you can follow these steps:
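As an added diagnostic example (not code from the original post, from the reply above, or from the Azure SDK), the script below shows how to read a Key Vault Forbidden message the way the reply suggests: the `oid` inside the quoted `'appid=...;oid=...;iss=...'` descriptor is the object id of the principal the SDK actually authenticated as, and that is the object id an access policy has to name; if the vault has `enableRbacAuthorization` switched on, access policies are ignored altogether and only Azure RBAC data-plane roles count. The error text, the vault description (shaped like the `accessPolicies` array `az keyvault show` prints), the object ids and the unsigned sample token are all constructed sample data, not the poster's real values; the decoder does not verify the token and exists only to see which claims a credential presents.

```python
# Added example: offline diagnosis of a Key Vault "does not have keys list
# permission" error. Not from the original post or the Azure SDK; all ids,
# the error text and the vault description below are constructed sample data.
import base64
import json
import re
from typing import Optional


def principal_from_error(message: str) -> dict:
    """Pull appid/oid/iss (and the vault name) out of the Forbidden message.

    The oid is the object id of the principal the SDK actually authenticated
    as, which is the identity an access policy must name.
    """
    m = re.search(r"'(appid=[^']*)'", message)
    if m is None:
        raise ValueError("no 'appid=...;oid=...' descriptor in message")
    info = dict(part.split("=", 1) for part in m.group(1).split(";"))
    v = re.search(r"on key vault '([^';]*)", message)
    info["vault"] = v.group(1) if v else None
    return info


def claims_from_token(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it, purely to see which
    tid/appid/oid a credential is presenting. Never use this for authz."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the decoder can be exercised offline."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def policy_grants(policies: list, object_id: str, category: str, permission: str) -> Optional[dict]:
    """Return the access policy giving `object_id` `permission` on `category`
    ("keys", "secrets" or "certificates"), or None. Matching is by objectId
    (case-insensitive); the "all" permission covers every permission."""
    for policy in policies:
        if policy["objectId"].lower() != object_id.lower():
            continue
        granted = {p.lower() for p in policy.get("permissions", {}).get(category) or []}
        if "all" in granted or permission.lower() in granted:
            return policy
    return None


def diagnose(error_message: str, vault: dict, category: str, permission: str) -> str:
    """Explain the Forbidden in terms of the vault's permission model."""
    caller = principal_from_error(error_message)
    if vault.get("enableRbacAuthorization"):
        return (f"vault '{vault['name']}' uses Azure RBAC, so access policies are "
                f"ignored; assign a Key Vault data-plane role (e.g. Key Vault Crypto "
                f"Officer) to oid={caller['oid']}")
    if policy_grants(vault["accessPolicies"], caller["oid"], category, permission):
        return (f"oid={caller['oid']} holds {category}/{permission}; confirm the policy "
                f"was saved on vault '{caller['vault']}' and not on another vault")
    holders = [p["objectId"] for p in vault["accessPolicies"]
               if policy_grants([p], p["objectId"], category, permission)]
    return (f"oid={caller['oid']} (appid={caller['appid']}) has no {category}/{permission} "
            f"policy; that permission is granted only to {holders}")


# Constructed sample data: a managed identity with full key/secret permissions
# and a separate app registration that was only ever given secret permissions.
SAMPLE_ERROR = (
    "(Forbidden) The user, group or application "
    "'appid=2a2a2a2a-0000-4000-8000-000000000002;oid=22222222-2222-4222-8222-222222222222;"
    "iss=https://sts.windows.net/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa/' "
    "does not have keys list permission on key vault 'AAA;location=eastus'."
)
SAMPLE_VAULT = {
    "name": "AAA",
    "enableRbacAuthorization": False,
    "accessPolicies": [
        {"objectId": "11111111-1111-4111-8111-111111111111",   # managed identity
         "permissions": {"keys": ["all"], "secrets": ["all"], "certificates": []}},
        {"objectId": "22222222-2222-4222-8222-222222222222",   # app registration
         "permissions": {"keys": [], "secrets": ["get", "list"], "certificates": []}},
    ],
}
SAMPLE_TOKEN = make_unsigned_token({
    "tid": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
    "appid": "2a2a2a2a-0000-4000-8000-000000000002",
    "oid": "22222222-2222-4222-8222-222222222222",
})

if __name__ == "__main__":
    print(claims_from_token(SAMPLE_TOKEN))
    print(diagnose(SAMPLE_ERROR, SAMPLE_VAULT, "keys", "list"))
```

In practice you would feed `diagnose` the message from the caught `HttpResponseError` and the JSON from `az keyvault show --name <vault>`; if you want to inspect the live token instead of the constructed one, `credential.get_token("https://vault.azure.net/.default").token` gives the string `claims_from_token` expects.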
04-28-2023 10:39 PM
Hi @KS LAU
Thank you for posting your question in our community! We are happy to assist you.
To help us provide you with the most accurate information, could you please take a moment to review the responses and select the one that best answers your question?
This will also help other community members who may have similar questions in the future. Thank you for your participation and let us know if you need any further assistance!