Data Engineering

"User not authorized" error when trying to deploy access connector on Azure

virbickt
New Contributor III

Hi,

I have been trying to deploy an Access Connector resource on Azure using Azure Pipelines (YAML) and a Bicep template, but I cannot find a solution to this error:

ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"PreconditionFailed","message":"{\r\n  \"error\": {\r\n    \"code\": \"403\",\r\n    \"message\": \"User not authorized.\"\r\n  }\r\n}"}]}}

I have slimmed down the YAML pipeline I am using to deploy the access connector to the minimum:

trigger: none
 
pool:
  vmImage: windows-latest
 
stages:
  - stage: Deploy
    jobs:
    - job:
      displayName: Deploy Access Connector
      steps:
      - task: AzureCLI@2
        displayName: Azure CLI
        inputs:
          azureSubscription: 'tv-service-connection'
          scriptType: pscore
          scriptLocation: inlineScript
          inlineScript: |
            az deployment group create --resource-group devops-development-rg --template-file create-access-connector-2.bicep

where `tv-service-connection` is the name of the service connection, `devops-development-rg` is the name of the resource group and `create-access-connector-2.bicep` is the Bicep template. The Bicep template I am using is taken from the official documentation with minor modifications:

param location string = resourceGroup().location
 
resource accessConnector 'Microsoft.Databricks/accessConnectors@2022-04-01-preview' = {
  name: 'accessConnectordbtv'
  location: location
  identity: {
    type: 'None'
  }
  properties: {}
}

The things I have tried without any success:

  • assigning Owner or/and Contributor rights to the service connection on both subscription/resource group level
  • az login with the details of service connection to run az group deployment with the bicep template (still get the same error)
  • using Terraform for deployment as per official tutorial
  • assigning Microsoft Graph API IdentityProvider.ReadWrite.All permission to the service connection as suggested in this post which seems to be the closest to the problem I'm facing.

Any suggestions would be extremely appreciated as I am getting pretty desperate at this point.

1 ACCEPTED SOLUTION


ThomasVanBilsen
New Contributor III

Hi,

I fixed this issue by adding the service principal to the list of service principals in the Account Console. My guess is that after the access connector is created an API call is made to the Databricks account and the service principal making that call needs to be known in the Databricks account. In your case, my guess is that the service principal is not yet registered there.
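
A pre-flight check for the fix in the accepted answer, as an added example that is not part of the original thread or Databricks' own code: it pages through the account-level SCIM list of service principals and reports whether the pipeline's service principal is known to the Databricks account. The function names, the constructed sample pages and the placeholder application IDs are assumptions; the live call needs a token for an identity that is already a Databricks account admin.

```python
import json
import urllib.request

# Azure Databricks account API host; the account ID comes from the Account Console.
ACCOUNT_HOST = "https://accounts.azuredatabricks.net"
PAGE_SIZE = 100

def fetch_page(account_id, token, start_index):
    """GET one page of the account-level SCIM service principal list (live call)."""
    url = (f"{ACCOUNT_HOST}/api/2.0/accounts/{account_id}/scim/v2/ServicePrincipals"
           f"?startIndex={start_index}&count={PAGE_SIZE}")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def find_service_principal(app_id, get_page):
    """Walk SCIM pages (startIndex is 1-based) and return the matching entry or None."""
    start = 1
    while True:
        page = get_page(start)
        resources = page.get("Resources", [])
        for sp in resources:
            if sp.get("applicationId", "").lower() == app_id.lower():
                return sp
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            return None

def preflight(app_id, get_page):
    """Classify the pipeline identity before running `az deployment group create`."""
    sp = find_service_principal(app_id, get_page)
    if sp is None:
        return "missing"      # not known to the Databricks account: add it first
    if not sp.get("active", True):
        return "inactive"     # registered but disabled in the account
    return "registered"

# Constructed sample data: two SCIM pages with placeholder application IDs.
SAMPLE_PAGES = {
    1: {"totalResults": 3, "startIndex": 1, "itemsPerPage": 2, "Resources": [
        {"applicationId": "00000000-0000-0000-0000-000000000001", "active": True},
        {"applicationId": "00000000-0000-0000-0000-000000000002", "active": False}]},
    3: {"totalResults": 3, "startIndex": 3, "itemsPerPage": 1, "Resources": [
        {"applicationId": "00000000-0000-0000-0000-00000000000A", "active": True}]},
}

def sample_get_page(start_index):
    return SAMPLE_PAGES.get(start_index, {"totalResults": 3, "Resources": []})
```

For a live check, pass `lambda i: fetch_page(account_id, token, i)` as `get_page`, with the application (client) ID of the service connection as `app_id`.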


3 REPLIES

Aviral-Bhardwaj
Esteemed Contributor III

For the job you are running, try to give that user the privilege.

AviralBhardwaj

virbickt
New Contributor III

Thanks for the suggestion, but I already have Owner privileges on a subscription level assigned to both myself and the service connection used for that job. Any other suggestions?

