09-06-2022 05:55 AM
I am trying to create an on-behalf-token for an SPN on my Azure Databricks Premium instance. The response is a FEATURE_DISABLED error message ("On-behalf-of token creation for service principals is not enabled for this workspace"). How do I turn on this feature?
09-19-2022 11:08 PM
Hi @Laszlo Katai-Pal
You need to provide the CAN_USE permission to the service principal in the token manage permission. You can see this option in: Admin -> workspace setting
Once you provide this permission to your SP, you can create a token on behalf of the SP.
07-27-2023 11:54 AM - edited 07-27-2023 11:58 AM
Hi there,
I've performed the above steps and am trying to create an OBO token via CLI 0.2 using "databricks
but I continue to get the error message: "On-behalf-of token creation for service principals is not enabled for this workspace"
Is there anything else that's a prerequisite to allowing these tokens to be created? The SP has been added to a group which has been added to the workspace, and given CAN_USE on tokens via the admin screen. Do the SPs need admin rights on the workspace?
07-27-2023 12:42 PM
My understanding is that Microsoft has disabled this, but it's not very clear in any of the MS documentation. Our MS rep had to do some digging to get to that conclusion.
09-21-2023 07:26 AM
gklassen and Chris_Shehu: Any further luck on this issue? Is it resolved? I am also facing the same issue.
10-23-2023 07:43 AM
There is no On-behalf-of token on Azure - just generate an AAD token for the Service Principal and use it to create a PAT (make sure that the SP has permission to use PATs).
The easiest way of doing it is to use the new Databricks CLI that supports unified authentication - just set the correct environment variables or define all parameters as a profile in the configuration file, and use "databricks tokens create" command to generate tokens. Something like this:
export DATABRICKS_HOST=https://adb-....17.azuredatabricks.net
export ARM_CLIENT_SECRET=<sp_secret>
export ARM_CLIENT_ID=<application_id>
export ARM_TENANT_ID=<tenant_id>
databricks tokens create --lifetime-seconds 30 --comment "test"
Here is a reference implementation for the Databricks Terraform provider.
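The two steps described in the answer above (AAD token for the service principal, then a PAT created with it), as an added example that is not part of the original post or of any Databricks tooling. It assumes the Entra ID v2.0 client-credentials endpoint, the Azure Databricks resource ID `2ff814a6-3304-4ab8-85cb-cd0e6f879c1d`, and the workspace Token API at `/api/2.0/token/create`; the function names are hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request

# Application ID of the Azure Databricks resource in Entra ID (assumption stated in the lead-in).
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"


def aad_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request for an AAD token scoped to Azure Databricks."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # sent in the POST body, never in the URL
        "scope": f"{DATABRICKS_RESOURCE_ID}/.default",
    }).encode()
    return urllib.request.Request(url, data=form, method="POST")


def pat_request(host, aad_token, lifetime_seconds, comment):
    """Token API call that creates a PAT owned by the calling service principal."""
    if not host.startswith("https://"):
        raise ValueError("workspace URL must use https")
    if lifetime_seconds <= 0:
        raise ValueError("lifetime_seconds must be positive")
    body = json.dumps({"lifetime_seconds": lifetime_seconds, "comment": comment}).encode()
    return urllib.request.Request(
        host.rstrip("/") + "/api/2.0/token/create", data=body, method="POST",
        headers={"Authorization": f"Bearer {aad_token}", "Content-Type": "application/json"})


def mint_pat(host, tenant_id, client_id, client_secret, lifetime_seconds=3600, comment="ci"):
    """Run both steps and return (token_id, token_value); needs network access."""
    with urllib.request.urlopen(aad_token_request(tenant_id, client_id, client_secret)) as r:
        aad_token = json.load(r)["access_token"]
    with urllib.request.urlopen(pat_request(host, aad_token, lifetime_seconds, comment)) as r:
        created = json.load(r)
    return created["token_info"]["token_id"], created["token_value"]


if __name__ == "__main__":
    env = os.environ  # same variable names as the CLI example in the post above
    token_id, _token_value = mint_pat(env["DATABRICKS_HOST"], env["ARM_TENANT_ID"],
                                      env["ARM_CLIENT_ID"], env["ARM_CLIENT_SECRET"])
    print("created PAT with id", token_id)  # log the id only, not the token value
```

If the service principal lacks CAN_USE on tokens, the second request is the one that fails, which helps separate an AAD problem from a workspace permission problem.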