cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

How to use Databricks Repos with a service principal for CI/CD in Azure DevOps?

Go to solution
michael_mehrten
New Contributor III

โ€Ž11-02-2021 10:05 AM

Databricks Repos best-practices recommend using the Repos REST API to update a repo via your git provider. The REST API requires authentication, which can be done one of two ways:

  1. A user / personal access token
  2. A service principal access token

Using a user access token authenticates the REST API as the user, so all repos actions are performed as the user identity. This isn't desirable for automation, as all automation tasks are tied to a specific user account. In this case, a service principal would be preferable. As far as I can tell, the service principal doesn't work in Azure DevOps, because the service principal doesn't have access to the Azure DevOps git repo.

Has anyone had success getting a service principal access to Azure DevOps? If not, what alternatives have people used to integrate Databricks Repos with Azure DevOps CI/CD (apart from using personal access tokens)?

25 REPLIES 25

Go to solution
rsenjins
New Contributor III
In response to terrymunro

โ€Ž07-31-2023 07:50 AM

Did you manage to run the workflow integrated with Git with a service principal eventually? 

0 Kudos

Go to solution
martindlarsson
New Contributor III
In response to Anonymous

โ€Ž04-03-2024 07:38 AM

Getting this when using Postman on api/2.0/token-management/on-behalf-of/tokens

 

{
    "error_code": "ENDPOINT_NOT_FOUND",
    "message": "No API found for 'GET /token-management/on-behalf-of/tokens'"
}

 

 Using the databricks cli (databricks token-management create-obo-token) I get the following error

 

Error: On-behalf-of token creation for service principals is not enabled for this workspace

 

0 Kudos

Go to solution
xiangzhu
Contributor III

โ€Ž01-10-2023 01:52 PM

Hello,

My use case is to create dbt task inside of a databricks workflow.

It needs to specify `git_source`, and my workflow is run under a service principal account.

Unfortunately, from the beginning of the workflow run. an error is raised like:

"Failed to checkout Git repository: PERMISSION_DENIED: Encountered an error with your Azure Active Directory credentials. Please try logging out of Azure Active Directory (https://portal.azure.com) and logging back in."

But I've no where to grant to the service principal the Azure DevOps checkout permission.

Replacing the service principal with an standard user account works, but we can not use user account in production.

0 Kudos

Go to solution
Anonymous
Not applicable
In response to xiangzhu

โ€Ž01-10-2023 02:41 PM

Are you able to use Azure DevOps Personal Access token for this instead of Active Directory credentials? Using DevOps PATS directly should work with service principals.

0 Kudos

Go to solution
xiangzhu
Contributor III
In response to Anonymous

โ€Ž01-10-2023 03:03 PM

yes, I tried adding PAT in the git_source, it doesn't work neither.

I'm sure the PAT and the URL is OK, as I can `git clone (git_source url value with PAT inside)` locally without any issue.โ€‹

tested with runtime: 10.4.x-cpu-ml-scala2.12

Go to solution
171499
New Contributor III

โ€Ž02-23-2023 06:55 AM

@Vaibhav Sethiโ€‹ "first add the Git PAT token for the service principal via the Git Credential API. " - is this possible? On the Git Credentials API guide I only see the option to set the credentials for the current user (not a service principal)

0 Kudos

Go to solution
xiangzhu
Contributor III
In response to 171499

โ€Ž02-23-2023 02:38 PM

yes, it is. you could find a quick tuto from this link:

Repos configuration for Azure Service Principal (databricks.com)

0 Kudos

Go to solution
martindlarsson
New Contributor III
In response to xiangzhu

โ€Ž04-03-2024 07:30 AM

The link is broken

0 Kudos

Go to solution
bradleyjamrozik
New Contributor III

โ€Ž08-23-2023 12:58 PM

I am also having this issue. 

bradleyjamrozik_0-1692820702304.pngbradleyjamrozik_1-1692820717977.png

 

0 Kudos

Go to solution
camilo_s
Contributor

โ€Ž03-07-2024 07:09 AM - edited โ€Ž03-07-2024 07:12 AM

Since last year, Azure offers workload identity federation, which can be used to to authenticate SPs against Azure DevOps using Microsoft Entra ID. Any chances Databricks might leverage this to implement OAuth for authenticating service principals against Azure DevOps?

0 Kudos

Go to solution
martindlarsson
New Contributor III

โ€Ž04-03-2024 07:10 AM

Having the exact same problem. Did you find a solution @michael_mehrten ?

In my case Im using a managed identity so the solution some topics suggest on generating an access token from a Entra ID service principal is not applicable.

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements