
Service principal’s Microsoft Entra ID access token returns 400 when calling Databricks REST API

WTW-DBrat
New Contributor II

I'm using the following to call a Databricks REST API. When I use a PAT for access_token, everything works fine. When I use a Microsoft Entra ID access token, the response returns 400. The service principal has access to the workspace and is part of the workspace admin group. The call to the token api is successful and returns a token. According to the documentation, the Microsoft Entra ID access token should work with the Databricks REST API. What am I doing wrong?

 

 

import requests
import json

tenant_id =  dbutils.secrets.get("IMDL_AKV", "tenant-id")
client_id =  dbutils.secrets.get("IMDL_AKV", "sp-id")
client_secret = dbutils.secrets.get("IMDL_AKV", "sp-secret")

url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
data = {
    'client_id': client_id,
    'grant_type': 'client_credentials',
    'scope': 'https://graph.microsoft.com/.default',
    'client_secret': client_secret
}

response = requests.post(url, headers=headers, data=data)
responseJson = json.loads(response.text)
access_token = response.json().get('access_token')

databricksURL = dbutils.notebook.entry_point.getDbutils().notebook().getContext().apiUrl().getOrElse(None)
#print(access_token)

header = {'Authorization': 'Bearer {}'.format(access_token)}
endpoint = '/api/2.1/unity-catalog/catalogs/test_dev'
payload = json.dumps({  "isolation_mode": "ISOLATED"})

resp = requests.patch(
  databricksURL + endpoint,
  data=payload,
  headers=header
)

print(resp)
responseJson = json.loads(resp.text)
print(responseJson)

 

 

2 REPLIES

Jag
New Contributor III

Hello, try to print the response and see whether you are able to see the access_token in the payload; otherwise it looks like an access issue.
Try to go to the workspace settings and grant token access permission to the service principal.

Workspace > Setting


“Empower Minds, Share Wisdom - Together We Grow!”

WTW-DBrat
New Contributor II

Yes, I can see the access_token returned from the token api. The only return I get from the Databricks catalogs API is <Response [400]>. The service principal is a member of an account group that is a member of workspace admin which inherits Can Manage on PAT. I tried explicitly granting the service principal Can Use token permissions but still get the same results.
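
The token request in the question asks for the scope `https://graph.microsoft.com/.default`, and an API accepts only tokens whose `aud` claim names it. The check below is an added example, not code from any post in this thread: it decodes the token's `aud` claim and compares it with the Azure Databricks resource ID. That ID is taken from the Azure Databricks documentation rather than from this thread, the function names are hypothetical, and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Assumption: Azure Databricks resource (application) ID from the Azure
# Databricks documentation; it does not appear in this thread.
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"


def _b64url_decode(segment):
    # JWT segments are base64url with the padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_problem(token, expected=DATABRICKS_RESOURCE_ID):
    """Return None when the token is issued for `expected`, else a description."""
    aud = jwt_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # The audience may be rendered as a GUID or a URI, with or without "/".
    seen = sorted(str(a).rstrip("/") for a in audiences if a)
    if expected in seen:
        return None
    return f"token audience is {seen}, expected {expected}"


def constructed_token(claims):
    """Build an unsigned sample token (constructed data, not a real credential)."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "unsigned"])


# Constructed samples: one token minted for Microsoft Graph, one for Databricks.
GRAPH_TOKEN = constructed_token({"aud": "https://graph.microsoft.com", "tid": "constructed"})
DATABRICKS_TOKEN = constructed_token({"aud": DATABRICKS_RESOURCE_ID, "tid": "constructed"})

if __name__ == "__main__":
    for name, tok in (("graph", GRAPH_TOKEN), ("databricks", DATABRICKS_TOKEN)):
        print(name, "->", audience_problem(tok) or "audience OK")
```

In the notebook from the question this would be called as `audience_problem(access_token)` before the PATCH request is sent.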