cancel
Showing results for 
Search instead for 
Did you mean: 

"User not authorized" error when trying to deploy access connector on Azure

virbickt
New Contributor III

Hi,

I have been trying to deploy Access Connector resource on Azure using Azure Pipelines (YAML) and a Bicep template but I cannot find a solution to this error:

ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"PreconditionFailed","message":"{\r\n  \"error\": {\r\n    \"code\": \"403\",\r\n    \"message\": \"User not authorized.\"\r\n  }\r\n}"}]}}

I have slimmed down the YAML pipeline I am using to deploy the access connector to the minimum:

trigger: none
 
pool:
  vmImage: windows-latest
 
stages:
  - stage: Deploy
    jobs:
    - job:
      displayName: Deploy Access Connector
      steps:
      - task: AzureCLI@2
        displayName: Azure CLI
        inputs:
          azureSubscription: 'tv-service-connection'
          scriptType: pscore
          scriptLocation: inlineScript
          inlineScript: |
            az deployment group create --resource-group devops-development-rg --template-file create-access-connector-2.bicep

where `tv-service-connection` is the name of the service connection, `devops-development-rg` is the name of the resource group and `create-access-connector-2.bicep` is the bicep template. The bicep template I am using is taken from the official documentation with minor modifications:

param location string = resourceGroup().location
 
resource accessConnector 'Microsoft.Databricks/accessConnectors@2022-04-01-preview' = {
  name: 'accessConnectordbtv'
  location: location
  identity: {
    type: 'None'
  }
  properties: {}
}

The things I have tried without any success:

  • assigning Owner or/and Contributor rights to the service connection on both subscription/resource group level
  • az login with the details of service connection to run az group deployment with the bicep template (still get the same error)
  • using Terraform for deployment as per official tutorial
  • assigning Microsoft Graph API IdentityProvider.ReadWrite.All permission to the service connection as suggested in this post which seems to be the closest to the problem I'm facing.

Any suggestions would be extremely appreciated as I am getting pretty desperate at this point.

1 ACCEPTED SOLUTION

Accepted Solutions

ThomasVanBilsen
New Contributor III

Hi,

I fixed this issue by adding the service principal to the list of service principals in the Account Console. My guess is that after the access connector is created an API call is made to the Databricks account and the service principal making that call needs to be known in the Databricks account. In your case, my guess is that the service principal is not yet registered there.

View solution in original post

3 REPLIES 3

Aviral-Bhardwaj
Esteemed Contributor III

The job you are running try to give that user privilege

virbickt
New Contributor III

Thanks for the suggestion, but I already have Owner privileges on a subscription level assigned to both myself and the service connection used for that job. Any other suggestions?

ThomasVanBilsen
New Contributor III

Hi,

I fixed this issue by adding the service principal to the list of service principals in the Account Console. My guess is that after the access connector is created an API call is made to the Databricks account and the service principal making that call needs to be known in the Databricks account. In your case, my guess is that the service principal is not yet registered there.

Welcome to Databricks Community: Lets learn, network and celebrate together

Join our fast-growing data practitioner and expert community of 80K+ members, ready to discover, help and collaborate together while making meaningful connections. 

Click here to register and join today! 

Engage in exciting technical discussions, join a group with your peers and meet our Featured Members.