cancel
Showing results for 
Search instead for 
Did you mean: 
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Showing results for 
Search instead for 
Did you mean: 

Service principal’s Microsoft Entra ID access token returns 400 when calling Databricks REST API

WTW
New Contributor II

I'm using the following to call a Databricks REST API. When I use a PAT for access_token, everything works fine. When I use a Microsoft Entra ID access token, the response returns 400. The service principal has access to the workspace and is part of the workspace admin group. The call to the token api is successful and returns a token. According to the documentation, the Microsoft Entra ID access token should work with the Databricks REST API. What am I doing wrong?

 

 

import requests
import json

tenant_id =  dbutils.secrets.get("IMDL_AKV", "tenant-id")
client_id =  dbutils.secrets.get("IMDL_AKV", "sp-id")
client_secret = dbutils.secrets.get("IMDL_AKV", "sp-secret")

url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
data = {
    'client_id': client_id,
    'grant_type': 'client_credentials',
    'scope': 'https://graph.microsoft.com/.default',
    'client_secret': client_secret
}

response = requests.post(url, headers=headers, data=data)
responseJson = json.loads(response.text)
access_token = response.json().get('access_token')

databricksURL = dbutils.notebook.entry_point.getDbutils().notebook().getContext().apiUrl().getOrElse(None)
#print(access_token)

header = {'Authorization': 'Bearer {}'.format(access_token)}
endpoint = '/api/2.1/unity-catalog/catalogs/test_dev'
payload = json.dumps({  "isolation_mode": "ISOLATED"})

resp = requests.patch(
  databricksURL + endpoint,
  data=payload,
  headers=header
)

print(resp)
responseJson = json.loads(resp.text)
print(responseJson)

 

 

2 REPLIES 2

Jag
New Contributor III

hello, Try to print the repose and see are you table to see the access_token in the payload else looks like access issue.
Try to go to the workspace setting and grant token access permission to the service principle.

Workspace > Setting

Jag_0-1718650459424.png

 



“Empower Minds, Share Wisdom - Together We Grow!”

WTW
New Contributor II

Yes, I can see the access_token returned from the token api. The only return I get from the Databricks catalogs API is <Response [400]>. The service principal is a member of an account group that is a member of workspace admin which inherits Can Manage on PAT. I tried explicitly granted the service principal Can Use token permissions but still get the same results.

Join 100K+ Data Experts: Register Now & Grow with Us!

Excited to expand your horizons with us? Click here to Register and begin your journey to success!

Already a member? Login and join your local regional user group! If there isn’t one near you, fill out this form and we’ll create one for you to join!