
Cannot create storage credential without Contributor role

maikelos272
New Contributor II
Hello,

I am trying to create a Storage Credential. I have created the access connector and gave the managed identity "Storage Blob Data Owner" permissions. However, when I want to create a storage credential, I get the following error:

Creating a storage credential requires the contributor role over the corresponding access connector with ID
/subscriptions/655a2f34-****-****-b77d-f45e70210122/resourceGroups/sub-name/providers/Microsoft.Databricks/accessConnectors/connector-name.
Please contact your account admin.

The problem is that in my organization I cannot get a Contributor role; furthermore, I'm not even sure if it is required. I have done some further tests with a service principal and I get the following error when calling an API to get the storage credentials created:

databricks --log-level DEBUG --profile VNXSPT storage-credentials create --json '@.\storage-cred-vnx.json'
...
 "error_code": "RESOURCE_DOES_NOT_EXIST",
 "message": "Refresh token not found for userId: Some(4295475011008721)"
...
 
The above also doesn't work, but in another environment where I tested this, it worked without the SP having a contributor role on the access connector. How can I make this work with the contributor role?

maikelos272
New Contributor II

I have added the Contributor role to my Service principal and I still get the same error. I tried multiple auth options and multiple clients, including sending a request to the API itself. I know the token is correct as other API endpoints work just fine. Could you guys help?


RTabur
New Contributor II

Hi @maikelos272,

Did you manage to solve the problem? I have the same headache here...

I get the same error while trying to create the storage credentials. When I'm using my user token the credentials are successfully created but not with the SPN's token. The permissions are the same for me and the SPN.

Kim3
New Contributor II

Hi @Retired_mod 

Can you elaborate on the error "Refresh token not found for userId"?

I have exactly the same problem as described in this thread. I am trying to create a storage credential using a Personal Access Token from a Service Principal. This results in 404 with the response body:

 

{
	"error_code": "RESOURCE_DOES_NOT_EXIST",
	"message": "Refresh token not found for userId: Some(2302042022180399)",
	"details": [
		{
			"@type": "type.googleapis.com/google.rpc.RequestInfo",
			"request_id": "d731471b-b6b8-41a9-bf77-993529733668",
			"serving_data": ""
		}
	]
}

 

When I use a Personal Access Token from my own user, the storage credential is created without error. Both the Service Principal and I have admin rights in Databricks and the Service Principal is Contributor on the Subscription.

subhash_1692
New Contributor II

Did someone find a solution?

{
	"error_code": "RESOURCE_DOES_NOT_EXIST",
	"message": "Refresh token not found for userId: Some(2302042022180399)",
	"details": [
		{
			"@type": "type.googleapis.com/google.rpc.RequestInfo",
			"request_id": "d731471b-b6b8-41a9-bf77-993529733668",
			"serving_data": ""
		}
	]
}

I am also getting the same error, which is giving me a headache.

RTabur
New Contributor II

I don't remember exactly how I solved this issue but I think I've added the following permissions on the metastore for the SPN through the Databricks API (you may not need all of them): CREATE_CATALOG, CREATE_CONNECTION, CREATE_EXTERNAL_LOCATION, CREATE_PROVIDER, CREATE_RECIPIENT, CREATE_SHARE, CREATE_STORAGE_CREDENTIAL

Please confirm if this solves your issue.
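
The post above notes that not all of the listed metastore privileges may be needed. The following is an added example, not part of the thread and not Databricks' own code: it reads a Unity Catalog metastore permissions response and builds a grant request that adds only the privileges the service principal does not already hold. The metastore ID, the application ID and the sample response are constructed placeholders, and starting with only CREATE_STORAGE_CREDENTIAL is an assumption, not something the thread confirms.

```python
import json

# Privileges listed in the thread (the poster says not all may be required).
THREAD_PRIVILEGES = [
    "CREATE_CATALOG", "CREATE_CONNECTION", "CREATE_EXTERNAL_LOCATION",
    "CREATE_PROVIDER", "CREATE_RECIPIENT", "CREATE_SHARE",
    "CREATE_STORAGE_CREDENTIAL",
]

def held_privileges(permissions_response, principal):
    """Privileges directly assigned to `principal` in a permissions GET response."""
    held = set()
    for assignment in permissions_response.get("privilege_assignments", []):
        if assignment.get("principal") == principal:
            held.update(assignment.get("privileges", []))
    return held

def build_grant(metastore_id, principal, wanted, permissions_response):
    """Build a PATCH request that adds only the wanted privileges not yet held."""
    missing = sorted(set(wanted) - held_privileges(permissions_response, principal))
    body = {"changes": [{"principal": principal, "add": missing}]} if missing else None
    return {
        "method": "PATCH",
        "path": f"/api/2.1/unity-catalog/permissions/metastore/{metastore_id}",
        "body": body,  # None means nothing to grant
    }

# Constructed placeholders, not values from the thread.
METASTORE_ID = "11111111-1111-1111-1111-111111111111"
SPN_APP_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_RESPONSE = {
    "privilege_assignments": [
        {"principal": "account users", "privileges": ["USE_CONNECTION"]},
        {"principal": SPN_APP_ID, "privileges": ["CREATE_CATALOG"]},
    ]
}

if __name__ == "__main__":
    # Assumption: try the narrowest grant first, widen only if creation still fails.
    request = build_grant(METASTORE_ID, SPN_APP_ID,
                          ["CREATE_STORAGE_CREDENTIAL"], SAMPLE_RESPONSE)
    print(json.dumps(request, indent=2))
```

Send the resulting body to the workspace URL with a token of a metastore admin, then repeat the storage credential creation with the service principal's token.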
