Dear Databricks Expert
I am trying to get a key which is stored in the Azure Key Vault, using the Azure Key Vault Keys client library for Python. However, an error was encountered.
Python Code:
from azure.identity import ClientSecretCredential
from azure.keyvault.keys import KeyClient

# Service principal credential (values masked in this post)
credential = ClientSecretCredential(tenant_id='***',
                                    client_id='YYY',
                                    client_secret='ZZZ')
key_client = KeyClient(vault_url="https://AAA.vault.azure.net", credential=credential)

# Enumerate key metadata; this call needs the "list" key permission on the vault
keys = key_client.list_properties_of_keys()
for key in keys:
    print(key.name)
Error:
HttpResponseError: (Forbidden) The user, group or application 'appid=MASK;oid=MASK;iss=MASK' does not have keys list permission on key vault 'MASK;location=MASK'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
Code: Forbidden
Message: The user, group or application 'appid=MASK;oid=MASK;iss=MASK' does not have keys list permission on key vault 'MASK;location=MASK'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
Inner error: {
"code": "AccessDenied"
}
More information:
01: Managed Identity is Azure Access Connector for Databricks
02: Tenant ID, Client ID and Client Secret should be correct, because with the same settings I am able to retrieve Secrets stored in the same Azure Key Vault and access the contents of an Azure Storage Account:
spark.conf.set("fs.azure.account.auth.type", "OAuth")
spark.conf.set("fs.azure.account.oauth.provider.type", "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider")
spark.conf.set("fs.azure.account.oauth2.client.id", "***")
spark.conf.set("fs.azure.account.oauth2.client.secret", "YYY")
spark.conf.set("fs.azure.account.oauth2.client.endpoint", "https://login.microsoftonline.com/99e838ef-4ec1-4ce2-9229-2efbb56fb03c/oauth2/token")
03: Key permissions in the access policies for the Access Connector are FULL
04: The Databricks Workspace and the Azure Key Vault are in the same subnet
05: Key Vault IAM: Key Vault Crypto Officer and Contributor. Yet I don't think it is highly related.
Might I have advice from the experts on how to solve this issue? Thanks a lot!!!
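The Forbidden message above names the exact principal that Key Vault rejected (the appid and oid inside the quotes), so the first check a practitioner runs is whether that principal is the same one the access policy was granted to. The following is an added example, not code from the question or from the Azure SDK: it parses the appid/oid/iss triple out of a Key Vault Forbidden message and compares it with the claims of the access token the credential object actually presents. The sample error string and the unsigned sample tokens are constructed for the demo with placeholder GUIDs; in a real session the token would come from `credential.get_token("https://vault.azure.net/.default").token`, which is the real azure-identity call, and the message from the caught `HttpResponseError`.

```python
import base64
import json
import re
from typing import Dict, Optional

# Constructed sample in the shape of the post's Forbidden message, with
# placeholder GUIDs where the post shows MASK.
SAMPLE_ERROR = (
    "(Forbidden) The user, group or application "
    "'appid=11111111-1111-1111-1111-111111111111;"
    "oid=22222222-2222-2222-2222-222222222222;"
    "iss=https://sts.windows.net/99e838ef-4ec1-4ce2-9229-2efbb56fb03c/' "
    "does not have keys list permission on key vault 'AAA;location=eastus'."
)


def parse_denied_principal(message: str) -> Dict[str, str]:
    """Extract the appid/oid/iss triple Key Vault reports for the rejected caller."""
    m = re.search(r"'appid=([^;']+);oid=([^;']+);iss=([^']+)'", message)
    if not m:
        raise ValueError("message does not contain an appid/oid/iss triple")
    return {"appid": m.group(1), "oid": m.group(2), "iss": m.group(3)}


def decode_jwt_claims(token: str) -> Dict:
    """Decode the payload of a compact JWT *without* verifying its signature.

    Local inspection aid only: it tells you which identity a token carries,
    it must never be used to decide whether to trust the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_sample_token(claims: Dict) -> str:
    """Build an unsigned token carrying `claims` (constructed, for this demo only)."""
    def b64(obj: Dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def caller_principal(claims: Dict) -> Dict[str, Optional[str]]:
    """Application id and object id of the token subject (v1 'appid' or v2 'azp')."""
    return {"appid": claims.get("appid") or claims.get("azp"), "oid": claims.get("oid")}


def principal_matches(denied: Dict[str, str], claims: Dict) -> bool:
    """True when the token belongs to the principal Key Vault rejected."""
    caller = caller_principal(claims)
    return caller["appid"] == denied["appid"] and caller["oid"] == denied["oid"]


def diagnose(message: str, token: str) -> Dict:
    """Summarise who was denied, who is calling, and whether they are the same.

    If `same_principal` is True, the identity running the code is the one
    that lacks the 'list' key permission: grant it on that oid. If False,
    the code is not running as the identity the policy was written for.
    """
    denied = parse_denied_principal(message)
    caller = caller_principal(decode_jwt_claims(token))
    return {"denied": denied, "caller": caller,
            "same_principal": principal_matches(denied, decode_jwt_claims(token))}


if __name__ == "__main__":
    # Real session would use: token = credential.get_token("https://vault.azure.net/.default").token
    demo_token = make_sample_token({
        "appid": "11111111-1111-1111-1111-111111111111",
        "oid": "22222222-2222-2222-2222-222222222222",
        "iss": "https://sts.windows.net/99e838ef-4ec1-4ce2-9229-2efbb56fb03c/",
    })
    print(json.dumps(diagnose(SAMPLE_ERROR, demo_token), indent=2))
```

The useful outcome is the `same_principal` flag: a match means the access policy entry must be made for that oid (the service principal's object id, which is a different object from a managed identity attached to another resource such as an Access Connector); a mismatch means the credential in the code and the identity in the policy are not the same object, which is worth confirming before touching permissions.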