Community Platform Discussions
Connect with fellow community members to discuss general topics related to the Databricks platform, industry trends, and best practices. Share experiences, ask questions, and foster collaboration within the community.
Mounting adls gen2 from databricks RBAC issue

keer1392
New Contributor


I am trying to mount my Gen 2 storage account in Databricks. I have added the Storage Blob Data Contributor permission on the storage account, but I am getting the error below:
Invalid permissions on the specified KeyVault https://kvmigrationnew.vault.azure.net/. Wrapped Message: Status code 403, {"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: name=AzureDatabricks;appid=123abcdbhjdllajddaddd;iss=https://sts.windows.net/984433r41f5ssadfgfsf/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/xxxx-xxx-xxx/resourcegroups/rsggen2demo/providers/microsoft.keyvault/vaults/kvmigrationnew/secrets/clientid'\r\nAssignment: (not found)\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: kvmigrationnew;location=eastus2\r\n","innererror":{"code":"ForbiddenByRbac"}}}
------------------------------------
Configuration
---------------
Resource group: rsggen2demo
Storage acc name: stggen2demo
Keyvault: kvmigrationnew
DB Scope: gen2mig

Code:

```python
adlsAccountName = "stggen2demo"
adlsContainerName = "output"
adlsFolderName = "schemas_new"
mountPoint = "/mnt/schemas_new"

# Application (Client) ID, read from the Key Vault-backed secret scope
applicationId = dbutils.secrets.get(scope="gen2mig", key="ClientID")

# Application (Client) Secret Key
authenticationKey = dbutils.secrets.get(scope="gen2mig", key="ClientSecret")

# Directory (Tenant) ID
tenantId = dbutils.secrets.get(scope="gen2mig", key="TenantID")

endpoint = "https://login.microsoftonline.com/" + tenantId + "/oauth2/token"
source = "abfss://" + adlsContainerName + "@" + adlsAccountName + ".dfs.core.windows.net/" + adlsFolderName

# Connecting using Service Principal secrets and OAuth
configs = {
    "fs.azure.account.auth.type": "OAuth",
    "fs.azure.account.oauth.provider.type": "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider",
    "fs.azure.account.oauth2.client.id": applicationId,
    "fs.azure.account.oauth2.client.secret": authenticationKey,
    "fs.azure.account.oauth2.client.endpoint": endpoint,
}

# Mount ADLS Storage to DBFS only if the directory is not already mounted
if not any(mount.mountPoint == mountPoint for mount in dbutils.fs.mounts()):
    dbutils.fs.mount(
        source=source,
        mount_point=mountPoint,
        extra_configs=configs,
    )
```
1 REPLY 1

Kaniz_Fatma
Community Manager

Hi @keer1392, the error you are encountering is due to the Azure Databricks application not having the appropriate permissions to access the secrets in the Azure Key Vault.

The error message indicates that the Azure Databricks application is not authorized to perform the 'Microsoft.KeyVault/vaults/secrets/getSecret/action' on the KeyVault.

To resolve this issue, you must grant the Azure Databricks application the necessary permissions on the Azure Key Vault. Specifically, you need to add an access policy in the Key Vault for the Azure Databricks application and grant it the 'Get' and 'List' permissions under 'Secret permissions'.

Unfortunately, I cannot provide the exact commands to perform these actions as they are typically done via the Azure portal or Azure CLI, not within Databricks.

When using the mount commands, remember to replace the placeholders with your actual values. For example, replace <container-name> with the name of your container, <storage-account-name> with the name of your storage account and <mount-name> with the name of your mount point.

Here is an example of how you might mount your storage:

```python
configs = {
    "fs.azure.account.auth.type": "CustomAccessToken",
    "fs.azure.account.custom.token.provider.class": spark.conf.get("spark.databricks.passthrough.adls.gen2.tokenProviderClassName"),
}

dbutils.fs.mount(
    source="abfss://<container-name>@<storage-account-name>.dfs.core.windows.net/",
    mount_point="/mnt/<mount-name>",
    extra_configs=configs,
)
```

Please note that you must replace <container-name>, <storage-account-name>, and <mount-name> with your actual values.
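The 403 body quoted in the question is structured text, and the remediation the reply describes depends on reading it correctly: the Caller line names the principal that was denied, the Action line names the exact permission, the Resource line gives the path the role assignment has to cover, and the innererror code (ForbiddenByRbac) tells you which Key Vault permission model is in force. The following Python helper is an added example, not code from either post or from Databricks. It parses that body into its fields, trims the Resource path to the vault so that one assignment covers all three secrets the mount needs, and builds the one az CLI command that grants the denied getSecret action: a Key Vault Secrets User role assignment when the vault reports ForbiddenByRbac, otherwise the Get/List secret access policy from the reply. The sample error is the question's own text with its masked ids; the access-policy branch for any other innererror code is an assumption, and the function names parse_keyvault_403, vault_scope and remediation are mine.

```python
import json
import re
import shlex

# Constructed sample: the wrapped Key Vault error from the question, ids as masked there.
SAMPLE_ERROR = r"""Invalid permissions on the specified KeyVault https://kvmigrationnew.vault.azure.net/. Wrapped Message: Status code 403, {"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: name=AzureDatabricks;appid=123abcdbhjdllajddaddd;iss=https://sts.windows.net/984433r41f5ssadfgfsf/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/xxxx-xxx-xxx/resourcegroups/rsggen2demo/providers/microsoft.keyvault/vaults/kvmigrationnew/secrets/clientid'\r\nAssignment: (not found)\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: kvmigrationnew;location=eastus2\r\n","innererror":{"code":"ForbiddenByRbac"}}}"""


def parse_keyvault_403(text: str) -> dict:
    """Extract the structured fields from a Key Vault 'Forbidden' error wrapped by Databricks."""
    status = re.search(r"Status code (\d+)", text)
    body_start = text.index("{", status.end())
    body, _ = json.JSONDecoder().raw_decode(text, body_start)
    error = body["error"]

    # The message is a list of "Key: value" lines; keep only single-word keys so the
    # two prose sentences at the top are skipped.
    fields = {}
    for line in error["message"].splitlines():
        key, sep, value = line.partition(": ")
        if sep and " " not in key:
            fields[key] = value.strip().strip("'")

    # Caller is itself "name=...;appid=...;iss=..."
    caller = dict(part.split("=", 1) for part in fields.get("Caller", "").split(";") if "=" in part)

    return {
        "status": int(status.group(1)),
        "code": error["code"],
        "inner_code": error.get("innererror", {}).get("code"),
        "caller_name": caller.get("name"),
        "caller_appid": caller.get("appid"),
        "action": fields.get("Action"),
        "resource": fields.get("Resource"),
        "assignment": fields.get("Assignment"),
        "decision_reason": fields.get("DecisionReason"),
    }


def vault_scope(resource_id: str) -> str:
    """Trim a secret resource id to its vault: the narrowest scope covering every secret the mount reads."""
    marker = "/secrets/"
    return resource_id.split(marker, 1)[0] if marker in resource_id else resource_id


def remediation(parsed: dict) -> list:
    """Return the az CLI command that grants exactly the denied action under the vault's permission model."""
    scope = vault_scope(parsed["resource"])
    vault = scope.rsplit("/", 1)[-1]
    appid = parsed["caller_appid"]
    if parsed["inner_code"] == "ForbiddenByRbac" or parsed["decision_reason"] == "DeniedWithNoValidRBAC":
        # RBAC permission model: access policies are ignored, so assign the least-privilege
        # built-in role that carries secrets/getSecret/action, scoped to this vault only.
        return [shlex.join(["az", "role", "assignment", "create", "--assignee", appid,
                            "--role", "Key Vault Secrets User", "--scope", scope])]
    # Assumed: any other innererror code means the access-policy model; Get and List on secrets
    # are the permissions the reply names.
    return [shlex.join(["az", "keyvault", "set-policy", "--name", vault, "--spn", appid,
                        "--secret-permissions", "get", "list"])]


if __name__ == "__main__":
    parsed = parse_keyvault_403(SAMPLE_ERROR)
    for key, value in parsed.items():
        print(f"{key:16} {value}")
    print("\n".join(remediation(parsed)))
```

The appid in the Caller line is what --assignee must receive; it identifies the AzureDatabricks enterprise application in your tenant, not your own service principal, which is why the Storage Blob Data Contributor assignment on the storage account did not help. After running the generated command, re-run the mount cell; the error text itself notes that new assignments take a little time to propagate.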
