cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Service principal’s Microsoft Entra ID access token returns 400 when calling Databricks REST API

WTW
New Contributor II

‎06-17-2024 08:03 AM - edited ‎06-17-2024 08:07 AM

I'm using the following to call a Databricks REST API. When I use a PAT for access_token, everything works fine. When I use a Microsoft Entra ID access token, the response returns 400. The service principal has access to the workspace and is part of the workspace admin group. The call to the token api is successful and returns a token. According to the documentation, the Microsoft Entra ID access token should work with the Databricks REST API. What am I doing wrong?

 

 

import requests
import json

tenant_id =  dbutils.secrets.get("IMDL_AKV", "tenant-id")
client_id =  dbutils.secrets.get("IMDL_AKV", "sp-id")
client_secret = dbutils.secrets.get("IMDL_AKV", "sp-secret")

url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
data = {
    'client_id': client_id,
    'grant_type': 'client_credentials',
    'scope': 'https://graph.microsoft.com/.default',
    'client_secret': client_secret
}

response = requests.post(url, headers=headers, data=data)
responseJson = json.loads(response.text)
access_token = response.json().get('access_token')

databricksURL = dbutils.notebook.entry_point.getDbutils().notebook().getContext().apiUrl().getOrElse(None)
#print(access_token)

header = {'Authorization': 'Bearer {}'.format(access_token)}
endpoint = '/api/2.1/unity-catalog/catalogs/test_dev'
payload = json.dumps({  "isolation_mode": "ISOLATED"})

resp = requests.patch(
  databricksURL + endpoint,
  data=payload,
  headers=header
)

print(resp)
responseJson = json.loads(resp.text)
print(responseJson)

 

 

Labels:
0 Kudos
2 REPLIES 2

Jag
New Contributor III

‎06-17-2024 11:54 AM - edited ‎06-17-2024 11:55 AM

hello, Try to print the repose and see are you table to see the access_token in the payload else looks like access issue.
Try to go to the workspace setting and grant token access permission to the service principle.

Workspace > Setting

Jag_0-1718650459424.png

 



“Empower Minds, Share Wisdom - Together We Grow!”
0 Kudos

WTW
New Contributor II
In response to Jag

‎06-17-2024 12:13 PM

Yes, I can see the access_token returned from the token api. The only return I get from the Databricks catalogs API is <Response [400]>. The service principal is a member of an account group that is a member of workspace admin which inherits Can Manage on PAT. I tried explicitly granted the service principal Can Use token permissions but still get the same results.

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements