
Run Task as Service Principal with Code in Azure DevOps Repo

pgruetter
Contributor

Hi all

I have a task of type Notebook, source is Git (Azure DevOps). This task runs fine with my user, but if I change the Owner to a service principal, I get the following error:

Run result unavailable: run failed with error message

Failed to checkout Git repository: PERMISSION_DENIED: Invalid Git provider credentials.Go to User Settings > Git Integration to ensure that: ...

I assume the error is a bit misleading and the problem is actually missing authorizations on the DevOps side.

How exactly can I give access to the SP in DevOps? The SP is already added to the DevOps organization with Basic access level. I can't add it to the specific Repo somehow.

Thanks

7 REPLIES

User16752242622
Valued Contributor

Hello, Thank you for reaching out to us.

The error could be due to misconfiguration while setting up the Service principal for Azure DevOps.

Have you checked this doc:

https://learn.microsoft.com/en-us/azure/databricks/dev-tools/ci-cd/ci-cd-sp

User16752242622
Valued Contributor

Please feel free to share the complete error message here. Thank you!

pgruetter
Contributor

Thanks a lot for the link, I'll have to check in detail. I first thought that's only for access from DevOps to Databricks but now I see it's also for Repo access in the other direction.

From quickly skimming the article, I'm not sure what is meant by "username associated with your Git provider" though. Is it the display name of the SP?

User16752242622
Valued Contributor

The username would be the name associated with Azure DevOps. Check this for Azure DevOps integration

https://learn.microsoft.com/en-gb/azure/databricks/repos/get-access-tokens-from-git-provider#--azure...

But the link describes how my personal user is connected to Azure DevOps. Since I want to use a service principal, it must be something else, right?

Hello @pgruetter, any chance you figured this issue out? We followed the steps of Anonymous, but were not successful.

Cheers

Anonymous
Not applicable

@pgruetter:

To enable a service principal to access a specific Azure DevOps repository, you need to grant it the necessary permissions at both the organization and repository levels.

Here are the steps to grant the service principal the necessary permissions:

  1. Navigate to your Azure DevOps organization and select the project that contains the repository you want to grant access to.
  2. Select the "Settings" menu and then "Permissions" under "Repositories".
  3. Select the repository you want to grant access to.
  4. Click "Add" to add a new user or group.
  5. In the "Add users and groups" dialog, search for the name of the service principal that you want to grant access to the repository.
  6. In the "Assign permissions" dialog, select the appropriate permission level for the service principal. You may want to start with "Read" access and then grant additional permissions as needed.
  7. Click "Add" to save the changes.

After you've granted the necessary permissions to the service principal at the repository level, you'll also need to make sure that it has the necessary permissions to access the code in the repository. You can do this by adding the service principal's credentials to the notebook task's Git repository connection.

Here's how to add the service principal's credentials:

  1. In the Azure portal, navigate to the resource group that contains the Azure DevOps project.
  2. Select the Azure DevOps project resource.
  3. In the "Overview" tab, select "Service connections".
  4. Select the connection for the Git repository that the notebook task is using.
  5. Click "Edit" to edit the connection.
  6. In the "Edit service connection" dialog, select "Service principal (manual)" as the authentication method.
  7. Enter the service principal's client ID and client secret.
  8. Click "Save" to save the changes.

After you've granted the necessary permissions and added the service principal's credentials, you should be able to run the notebook task with the service principal as the owner without encountering the "PERMISSION_DENIED" error.
