cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

on-behalf-of token creation (for SPN)

Go to solution
clapton79
New Contributor II

โ€Ž09-06-2022 05:55 AM

I am trying to create an on-behalf-token for and SPN on my Azure Databricks Premium instance. The response is a FEATURE_DISABLED error message ("On-behalf-of token creation for service principals is not enabled for this workspace"). How do I turn on this feature?

Labels:
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
User16752245772
Contributor

โ€Ž09-19-2022 11:08 PM

HI @Laszlo Katai-Palโ€‹ 

You need to provide CAN_USE permission to the service principal in the token manage permission, you can see this option in : Admin->workspace setting

imageimageOnce you provide this permission to your SP , you can create token on behalf of SP

View solution in original post

Preview file
372 KB
Preview file
307 KB
5 REPLIES 5

Go to solution
User16752245772
Contributor

โ€Ž09-19-2022 11:08 PM

HI @Laszlo Katai-Palโ€‹ 

You need to provide CAN_USE permission to the service principal in the token manage permission, you can see this option in : Admin->workspace setting

imageimageOnce you provide this permission to your SP , you can create token on behalf of SP

Preview file
372 KB
Preview file
307 KB

Go to solution
gklassen
New Contributor II

โ€Ž07-27-2023 11:54 AM - edited โ€Ž07-27-2023 11:58 AM

Hi there,

I've performed the above steps and am trying to create an OBO token via CLI 0.2 using "databricks

token-management create-obo-token <app-id-here> 3600"

but I continue to get the error message: "On-behalf-of token creation for service principals is not enabled for this workspace"

Is there anything else that's a prerequisite to allowing these tokens to be created? The SP has been added to a group which has been added to the workspace, and given CAN_USE on tokens via the admin screen. Do the SPs need admin rights on the workspace?

Go to solution
Chris_Shehu
Valued Contributor III
In response to gklassen

โ€Ž07-27-2023 12:42 PM

My understanding is that Microsoft has this disabled this but it's not very clear in any of the MS documentation. Our MS rep had to do some digging to get to that conclusion. 

0 Kudos

Go to solution
chaitanyak
New Contributor II

โ€Ž09-21-2023 07:26 AM

gklassen and Chris_Shehu : Any further luck on this issue. Is it resolved.. ? I am also facing the same issue.. 

0 Kudos

Go to solution
alexott
Databricks Employee
Databricks Employee

โ€Ž10-23-2023 07:43 AM

There is no On-behalf-of token on Azure - just generate an AAD token for the Service Principal and use it to create PAT (make sure that SP has permission to use PATs).

The easiest way of doing it is to use the new Databricks CLI that supports unified authentication - just set the correct environment variables or define all parameters as a profile in the configuration file, and use "databricks tokens create" command to generate tokens. Something like this:

export DATABRICKS_HOST=https://adb-....17.azuredatabricks.net
export ARM_CLIENT_SECRET=<sp_secret>
export ARM_CLIENT_ID=<application_id>
export ARM_TENANT_ID=<tenant_id>
databricks tokens create --lifetime-seconds 30 --comment "test"

Here is a reference implementation for the Databricks Terraform provider.

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements