Databricks

Anuragranjeet · ‎04-26-2023

I want to generate a personal access token on a service principal. I generated a service principal in Azure active directory and using Azure devops pipeline, I got it added to databricks workspace- where I am a work space administrator. After adding it, I went to Admin settings-->workspace settings--> personal access token--> permission settings and assigned the SP 'can use' access on token usage. Post that, I tried to generate a PAT on the SP using postman tool accordingly to the below guidance-

https://docs.databricks.com/dev-tools/service-principals.html (Step 2)

I used my own PAT for letting service principal authorize with databricks API.

I am still getting this error in trying to generate PAT from postman-

{

"error_code": "FEATURE_DISABLED",

"message": "On-behalf-of token creation for service principals is not enabled for this workspace"

}

The text in bold should have avoided this error but no idea why I am still getting it. Kindly help.

karthik_p · ‎04-26-2023

@Anurag Ranjeet you need to create separate group for users who needs service principle user access from token if users are not a part of group that you have already created

Anuragranjeet · ‎04-26-2023

Hi @karthik p , thanks for you rreply, aftre reading your comment 3-4 time, I am not sure if I understand - Let's say Power BI is going to use the PAT generated from service principal. Is that 'consumer user' level you are saying? Thing is - PAt generation from SP is one step before that and not happening.

karthik_p · ‎04-26-2023

@Anurag Ranjeet below article will provide you clear insight, to be clear it looks user who ever is consumer in BI does not have token usage permission. you need to initially add them in databricks token usage permissions as (can use)--> this user will get inherited with service principle.

you can follow below steps in article (same steps that you done, only thing seems to be missing is user seems be missing with token usage access. try to create new group--> add user in group--> can use permission)

one more conflict here is , your user should be part of admin, you should not get that error. but try to add u r user in new group --> validate

https://kb.databricks.com/en_US/notebooks/service-principal-cannot-create-access-token

Hubert-Dudek · ‎04-26-2023

You don't need to generate the üat token for the service principal. You can take just a token from the Azure ad app (service principal). You can also generate a short live token before the call (by assigning the service principal as the managed identity for your resource).

For PowerBI, change the dataset owner to service principal, so there is no need for the token:

# Define variables
$workspaceId = "your_workspace_id"
$servicePrincipalId = "your_service_principal_id"
$tenantId = "your_tenant_id"
 
# Authenticate with Power BI service
Connect-PowerBIServiceAccount
 
# Get the current workspace object
$workspace = Get-PowerBIWorkspace -Id $workspaceId
 
# Set the new owner to the service principal
$newOwner = New-PowerBIPrincipal -ObjectId $servicePrincipalId -TenantId $tenantId -PrincipalType ServicePrincipal
 
# Change the workspace owner
Set-PowerBIWorkspace -Workspace $workspace -NewOwner $newOwner

Anonymous · ‎04-30-2023

Hi @Anurag Ranjeet

Thank you for posting your question in our community! We are happy to assist you.

To help us provide you with the most accurate information, could you please take a moment to review the responses and select the one that best answers your question?

This will also help other community members who may have similar questions in the future. Thank you for your participation and let us know if you need any further assistance!

Databricks

docs.databricks.com

Unity Catalog Lakeguard: Industry-first and only data governance for multi-user Apache™ Spark cluste

Announcing the General Availability of Databricks Asset Bundles

Register now and save 50% on training at Data + AI Summit!

How to successfully build GenAI applications

Meet DBRX, the New Standard for High-Quality LLMs