Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.

Getting 403 Forbidden Error When Joining Tables Across Two Unity Catalogs in the Same Workspace

vishnuvardhan
New Contributor II

 

Hi everyone,

 

I'm facing an unusual issue in my Databricks environment and would appreciate your guidance.

 

I'm using a consumer workspace with access to two different Unity Catalogs. I can successfully query tables from both catalogs individually without any issues. However, when I attempt to join tables from these two catalogs in a single query, I receive a 403 Forbidden access error.

 

I'm using the same workspace, the same cluster, and the same identity for running all queries. The cluster is Unity Catalog-enabled, and I believe I have the necessary privileges on both catalogs, schemas, and tables. This behavior is confusing because individual access works fine, but the join fails.

 

Here are my questions:

 

  1. Why am I getting a 403 Forbidden error only when joining tables across two different Unity Catalogs?
  2. Are there additional access requirements or policies that apply specifically to cross-catalog joins in Unity Catalog?
  3. Even though I have access to both catalogs and can run standalone queries successfully, is there something specific that changes when combining them in a single query?
  4. Could this be related to how Unity Catalog evaluates permissions or data governance policies across catalogs?

 

6 REPLIES 6

WiliamRosa
New Contributor III

When encountering a 403 Forbidden error while attempting to join tables across two Unity Catalog instances, the root cause is often related to catalog-to-workspace binding constraints: by default, a catalog is only accessible from workspaces explicitly bound to it, regardless of any GRANT permissions your user may hold. To resolve this, ensure both Unity Catalogs are properly bound to the same workspace—or operate within separate workspaces where each catalog is assigned—and that you have the required USE CATALOG, USE SCHEMA, and object-level permissions in place. Once both catalogs are accessible within the same execution context, your cross-catalog joins should succeed without permission issues.

Wiliam Rosa
Data Engineer | Machine Learning Engineer
LinkedIn: linkedin.com/in/wiliamrosa

I have access to the individual catalogs from my consumer workspace, and I am able to query the tables from each catalog independently without any issues. However, when I attempt to join tables from these different catalogs in a single query, I encounter a 403 access error. This behavior is unexpected and seems unusual given that independent access to each catalog is functioning correctly. Could you please share your thoughts here?

BS_THE_ANALYST
Esteemed Contributor

@vishnuvardhan Just to confirm, it's two different unity catalogs? And not two catalogs within a unity catalog?

You could be subject to this:



https://docs.databricks.com/aws/en/catalogs/ 

Perhaps your Unity Catalogs are in different regions. If this is the case, perhaps Delta Sharing is the resolution:
https://www.databricks.com/product/delta-sharing 




Let me know if that sheds light on anything @vishnuvardhan. I'm interested in this one! 😀

All the best,
BS

BS_THE_ANALYST
Esteemed Contributor

@vishnuvardhan for both Catalogs, are they using the same compute?

For instance, when you say you can query both of them in isolation, can you do this within a single notebook?

If not, that may provide some more insight to your problem.

Is there anything interesting about each of the tables property-wise? Anything that jumps out? For instance, when you're looking at streaming tables, there are limitations/constraints with joining. I wonder if it's managed/external tables? There could be something else we could diagnose here.

All the best,
BS

I'm running these queries in the consumer Databricks workspace and trying to get data from different source Unity Catalogs. So, I have got all the access to access the data. Even when I query the independent catalog tables, I don't have any issues, but when I use a join query to include tables across 2 different catalogs, then I'm having this 403 access issue. For all these queries, I'm using the same consumer Databricks notebook and the same cluster.

BS_THE_ANALYST
Esteemed Contributor

Hi @vishnuvardhan, I appreciate the information isn't directly going to answer your question but I wanted to share what I've found. 

Firstly, I've not heard of a consumer Databricks workspace prior to your post. I'm not sure if you've looked into the documentation for it? https://docs.databricks.com/aws/en/ai-bi/consumers/. There's a section around Consumer Access Capabilities which might be useful. Perhaps this isn't what you're accessing? If it is, it doesn't even seem to provide Notebooks/SQL Editor; I'd be curious to see how you're getting around that.

@vishnuvardhan are you sure it's two different unity catalogs and not two catalogs within a single unity catalog? We have to remember that the three level namespace within a unity catalog is catalog->schema->table(etc). You can have many catalogs within a single unity catalog. I'm also unsure why they'd have multiple unity catalogs unless they're working across different regions?

I also stumbled across this: https://docs.databricks.com/aws/en/catalogs/binding?utm_source=chatgpt.com&language=CLI . If the group you're part of has been set up with specific workspace catalog bindings, it may be why you're experiencing what you are. It could be a good time to reach out to your Databricks workspace admin; they could shed some light.


There's some better examples of the commands that can be run here: https://docs.databricks.com/aws/en/dev-tools/cli/reference/workspace-bindings-commands . It may be that there's a binding used to keep the catalogs isolated. Catalog isolation is certainly mentioned in the docs but it seems geared towards isolating catalogs to certain workspaces. I wonder if an additional constraint can be imposed which prevents the joining. 

I'm looking forward to seeing what other community members mention for this! 

All the best,
BS
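
Added example, not part of the thread or of Databricks' own code: a small offline check of the workspace-catalog binding condition raised in the replies above, reporting which catalogs a given workspace can reach and whether a join across them is possible at the binding level. The catalog names, workspace IDs and JSON are constructed, and the field names (`isolation_mode`, `bindings`, `workspace_id`, `binding_type`) are assumptions about the catalog and workspace-bindings output that should be adjusted to what your CLI or API returns.

```python
import json

# Constructed sample data (not from the thread). Field names are assumed to
# match the catalog and workspace-bindings JSON; adjust to your own output.
CATALOGS_JSON = """
[{"name": "sales_cat",   "isolation_mode": "OPEN"},
 {"name": "finance_cat", "isolation_mode": "ISOLATED"}]
"""
BINDINGS_JSON = """
{"sales_cat":   {"bindings": []},
 "finance_cat": {"bindings": [
    {"workspace_id": 1111, "binding_type": "BINDING_TYPE_READ_WRITE"},
    {"workspace_id": 2222, "binding_type": "BINDING_TYPE_READ_ONLY"}]}}
"""


def catalog_access(catalog, bindings, workspace_id):
    """Return 'read_write', 'read_only' or 'none' for one catalog in one workspace."""
    if catalog["isolation_mode"] != "ISOLATED":
        return "read_write"  # catalog is not restricted to bound workspaces
    for binding in bindings.get("bindings", []):
        if binding.get("workspace_id") == workspace_id:
            if binding.get("binding_type") == "BINDING_TYPE_READ_ONLY":
                return "read_only"
            return "read_write"
    return "none"  # isolated catalog with no binding for this workspace


def join_report(workspace_id, catalogs_json=CATALOGS_JSON, bindings_json=BINDINGS_JSON):
    """Summarise binding-level access to every catalog from one workspace."""
    catalogs = json.loads(catalogs_json)
    bindings = json.loads(bindings_json)
    access = {
        c["name"]: catalog_access(c, bindings.get(c["name"], {}), workspace_id)
        for c in catalogs
    }
    blocked = sorted(name for name, level in access.items() if level == "none")
    # A join needs read access to every catalog it touches.
    return {"access": access, "blocked": blocked, "join_possible": not blocked}


if __name__ == "__main__":
    for ws in (1111, 2222, 3333):  # constructed workspace IDs
        print(ws, join_report(ws))
```

A passing binding check says nothing about grants: the identity still needs USE CATALOG, USE SCHEMA and the object-level permissions on both sides of the join.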