
Service principal's Microsoft Entra ID access token returns 400 when calling Databricks REST API

WTW
New Contributor II

I'm using the following to call a Databricks REST API. When I use a PAT for access_token, everything works fine. When I use a Microsoft Entra ID access token, the response returns 400. The service principal has access to the workspace and is part of the workspace admin group. The call to the token api is successful and returns a token. According to the documentation, the Microsoft Entra ID access token should work with the Databricks REST API. What am I doing wrong?

 

 

import requests
import json

tenant_id =  dbutils.secrets.get("IMDL_AKV", "tenant-id")
client_id =  dbutils.secrets.get("IMDL_AKV", "sp-id")
client_secret = dbutils.secrets.get("IMDL_AKV", "sp-secret")

url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
data = {
    'client_id': client_id,
    'grant_type': 'client_credentials',
    'scope': 'https://graph.microsoft.com/.default',
    'client_secret': client_secret
}

response = requests.post(url, headers=headers, data=data)
responseJson = json.loads(response.text)
access_token = response.json().get('access_token')

databricksURL = dbutils.notebook.entry_point.getDbutils().notebook().getContext().apiUrl().getOrElse(None)
#print(access_token)

header = {'Authorization': 'Bearer {}'.format(access_token)}
endpoint = '/api/2.1/unity-catalog/catalogs/test_dev'
payload = json.dumps({  "isolation_mode": "ISOLATED"})

resp = requests.patch(
  databricksURL + endpoint,
  data=payload,
  headers=header
)

print(resp)
responseJson = json.loads(resp.text)
print(responseJson)

 

 

2 REPLIES

Jag
New Contributor III

Hello, try to print the response and see whether you are able to see the access_token in the payload; otherwise it looks like an access issue.
Try to go to the workspace settings and grant token access permission to the service principal.

Workspace > Setting


 



“Empower Minds, Share Wisdom - Together We Grow!”

WTW
New Contributor II

Yes, I can see the access_token returned from the token API. The only return I get from the Databricks catalogs API is <Response [400]>. The service principal is a member of an account group that is a member of workspace admin which inherits Can Manage on PAT. I tried explicitly granting the service principal Can Use token permissions but still get the same results.
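
An added diagnostic example, not part of any post in this thread: it decodes a token's claims locally to show which audience (`aud`) the token was issued for, which is worth checking because the request in the question asks for the `https://graph.microsoft.com/.default` scope. The Azure Databricks resource ID is an assumption taken from Microsoft's documentation rather than this page, the helper names are hypothetical, and the sample tokens are constructed and unsigned.

```python
import base64
import json
import time

# Assumption: Azure Databricks resource (application) ID as published in
# Microsoft's documentation; it does not appear in this thread.
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4379-abb8-7d3d7f6f6e5d"


def jwt_claims(token: str) -> dict:
    """Return the unverified claims of a compact JWT (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def audience_report(token: str, expected_aud: str = DATABRICKS_RESOURCE_ID, now=None) -> dict:
    """Summarise who the token is for, without echoing the token itself."""
    claims = jwt_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    now = time.time() if now is None else now
    return {
        "aud": aud,
        "audience_matches": expected_aud in {str(a).rstrip("/") for a in auds if a},
        "expired": claims.get("exp", 0) <= now,
        "tenant": claims.get("tid"),
        "client": claims.get("appid") or claims.get("azp"),
    }


def _sample_token(claims: dict) -> str:
    # Constructed sample: unsigned token with made-up claims, for offline use.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


_BASE = {"exp": 2_000_000_000, "tid": "tenant-placeholder", "appid": "client-placeholder"}
GRAPH_TOKEN = _sample_token({**_BASE, "aud": "https://graph.microsoft.com"})
DBX_TOKEN = _sample_token({**_BASE, "aud": DATABRICKS_RESOURCE_ID})

if __name__ == "__main__":
    print(audience_report(GRAPH_TOKEN))
    print(audience_report(DBX_TOKEN))
```

In a notebook, pass the real `access_token` to `audience_report` and log only the returned summary, never the token.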
