cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Community Discussions
Connect with fellow community members to discuss general topics related to the Databricks platform, industry trends, and best practices. Share experiences, ask questions, and foster collaboration within the community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ADF - Fails to run job in workspace in another subscription

IvanK
New Contributor III

Thursday - last edited Thursday

 We are trying to run a Databricks job from ADF, but we keep getting the following error:

Operation on target Run dbt job failed: {"error_code":"PERMISSION_DENIED","message":"User <adf-mi-prod-id> does not have Manage Run or Owner or Admin permissions on job 123"}.

The managed identity that should run the job, adf-mi-prod, has permission "Manage" Run on job 123 (I have also tried giving it permission "Is Owner").

When the job is triggered directly in Databricks, it runs normally, but when ADF is trying to trigger it, it fails.

Does anyone know why triggering it through ADF is failing?

Extra info

We are using ADF for orchestration.

ADF instance lies in our prod subscription and we have Databricks workspaces in both test and prod subscription.

We have the same job in both workspaces. ADF succeeds to run the job in prod workspace, but fails to run it in test workspace.

The ADF MI has the same permissions on the clusters and SQL warehouses in both workspaces.

"Run as" on the job is set to adf-mi-prod for both jobs.

Permission "Can manage" are set for adf-mi-prod on both jobs.

0 Kudos
3 REPLIES 3

Kaniz_Fatma
Community Manager
Community Manager

Friday

Hi @IvanK, Could you please share the error stack with us?
 
0 Kudos

IvanK
New Contributor III
In response to Kaniz_Fatma

Friday

Hello @Kaniz_Fatma ,

Sure, this is what I can retrieve from ADF:
Operation on target Run dbt job failed: {"error_code":"PERMISSION_DENIED","message":"User <adf-mi-prod-id> does not have Manage Run or Owner or Admin permissions on job 123"}

<adf-mi-prod-id> is the Client ID of the MI.

I can not see any job runs of job 123 in Databricks, whenever the job is triggered by ADF and I get the error message above.

If I trigger the job manually in Databricks, the job run succeeds (and I see a job run in the UI)

0 Kudos

Kaniz_Fatma
Community Manager
Community Manager
In response to IvanK

Friday

Hi @IvanKThe error message you received indicates that the user or service principal running the Databricks job lacks the necessary read permissions on the Azure ADLS storage containers.
 
Here are some steps to address this issue:

  1. Check Permissions on Azure ADLS Storage Containers:

    • Ensure that the user or service principal has been granted the appropriate permissions to access the storage containers. You can do this through the Azure portal or using Azure CLI.
    • Verify that the credentials for accessing the storage containers are correctly configured in the Databricks workspace. Check the Databricks Secret Scopes to ensure the correct secrets are being used and that they haven’t expired.

  2. Unity Catalog Considerations:

    • If you recently attached the Unity metastore to your workspace, make sure you’ve created the necessary storage credentials and configured the storage locations.
    • Specifically, grant the “READ FILES” permission over the External Location for the Service Principal executing the read operation from your Storage Account.

  3. Job Code and Permissions:

    • Review the job code to ensure that the correct path and permissions are being used when accessing the storage containers. Specify the correct directory or file permissions as needed.

  4. Cluster Privileges:

  5. Monitoring and Alerts:

    • Consider setting up monitoring and alerts for your Databricks jobs. This way, you’ll receive notifications when issues arise, such as permission errors or job failures.

Remember that troubleshooting permissions can be complex, but these steps should help you identify and resolve the issue. If you’ve tried everything and are still facing problems, feel free to ask for further assistance! 😊

 
0 Kudos
Join 100K+ Data Experts: Register Now & Grow with Us!

Excited to expand your horizons with us? Click here to Register and begin your journey to success!

Already a member? Login and join your local regional user group! If there isn’t one near you, fill out this form and we’ll create one for you to join!

Announcements