04-26-2023 05:08 AM
I want to generate a personal access token on a service principal. I generated a service principal in Azure Active Directory and, using an Azure DevOps pipeline, I got it added to a Databricks workspace where I am a workspace administrator. After adding it, I went to Admin settings --> Workspace settings --> Personal access token --> Permission settings and assigned the SP 'can use' access on token usage. After that, I tried to generate a PAT on the SP using the Postman tool according to the guidance below:
https://docs.databricks.com/dev-tools/service-principals.html (Step 2)
I used my own PAT for letting the service principal authorize with the Databricks API.
I am still getting this error when trying to generate a PAT from Postman:
{
"error_code": "FEATURE_DISABLED",
"message": "On-behalf-of token creation for service principals is not enabled for this workspace"
}
The text in bold should have avoided this error but no idea why I am still getting it. Kindly help.
04-26-2023 05:26 AM
@Anurag Ranjeet you need to create a separate group for users who need service principal user access from token, if the users are not part of a group that you have already created.
04-26-2023 06:06 AM
Hi @karthik p, thanks for your reply. After reading your comment 3-4 times, I am not sure if I understand. Let's say Power BI is going to use the PAT generated from the service principal. Is that the 'consumer user' level you are saying? The thing is, PAT generation from the SP is one step before that and is not happening.
04-26-2023 06:21 AM
@Anurag Ranjeet the article below will give you clear insight. To be clear, it looks like the user who is the consumer in BI does not have token usage permission. You need to initially add them in Databricks token usage permissions as (can use) --> this user will get inherited with the service principal.
You can follow the steps in the article below (the same steps that you have done; the only thing that seems to be missing is the user's token usage access. Try to create a new group --> add the user to the group --> 'can use' permission).
One more conflict here: your user should be part of admin, so you should not get that error. But try to add your user to a new group --> validate.
https://kb.databricks.com/en_US/notebooks/service-principal-cannot-create-access-token
04-26-2023 01:26 PM
You don't need to generate the PAT token for the service principal. You can just take a token from the Azure AD app (service principal). You can also generate a short-lived token before the call (by assigning the service principal as the managed identity for your resource).
For PowerBI, change the dataset owner to service principal, so there is no need for the token:
# Define variables
$workspaceId = "your_workspace_id"
$servicePrincipalId = "your_service_principal_id"
$tenantId = "your_tenant_id"
# Authenticate with Power BI service
Connect-PowerBIServiceAccount
# Get the current workspace object
$workspace = Get-PowerBIWorkspace -Id $workspaceId
# Set the new owner to the service principal
$newOwner = New-PowerBIPrincipal -ObjectId $servicePrincipalId -TenantId $tenantId -PrincipalType ServicePrincipal
# Change the workspace owner
Set-PowerBIWorkspace -Workspace $workspace -NewOwner $newOwner
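The approach in the reply above (authenticate as the service principal with an Azure AD token instead of the on-behalf-of endpoint) can be sketched as follows; this is an added example, not code from any poster in the thread. It assumes the Azure AD v2.0 client-credentials endpoint, the well-known Azure Databricks resource ID, and the `/api/2.0/token/create` Token API; the function names and the workspace URL format are illustrative.

```python
import json
import urllib.parse
import urllib.request

# Assumption: well-known application ID of the Azure Databricks resource in Azure AD.
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"


def aad_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request for an Azure AD token scoped to Azure Databricks."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{DATABRICKS_RESOURCE_ID}/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=form, method="POST")


def create_pat_request(workspace_url, aad_token, lifetime_seconds, comment):
    """Token API call made as the service principal, so the PAT belongs to it."""
    if lifetime_seconds <= 0:
        raise ValueError("set a finite lifetime so the PAT expires")
    body = json.dumps({"lifetime_seconds": lifetime_seconds, "comment": comment}).encode()
    return urllib.request.Request(
        f"{workspace_url.rstrip('/')}/api/2.0/token/create",
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {aad_token}", "Content-Type": "application/json"},
    )


def send(request):
    """Send a prepared request and decode the JSON response."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


def mint_sp_pat(tenant_id, client_id, client_secret, workspace_url, lifetime_seconds=3600):
    """Full flow: Azure AD token for the SP, then a PAT owned by the SP."""
    aad = send(aad_token_request(tenant_id, client_id, client_secret))["access_token"]
    pat = send(create_pat_request(workspace_url, aad, lifetime_seconds, "PAT for service principal"))
    return pat["token_value"]  # treat as a secret: store in a vault, never log it
```

The service principal still needs the 'can use' token permission described in the question, and the Azure AD token can also be sent directly as the bearer token on other Databricks API calls without minting a PAT.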
04-30-2023 11:42 PM
Hi @Anurag Ranjeet
Thank you for posting your question in our community! We are happy to assist you.
To help us provide you with the most accurate information, could you please take a moment to review the responses and select the one that best answers your question?
This will also help other community members who may have similar questions in the future. Thank you for your participation and let us know if you need any further assistance!