
Unable to authenticate against https://accounts.cloud.databricks.com as an account admin.

bricksdata
New Contributor

Problem

I'm unable to authenticate against the https://accounts.cloud.databricks.com endpoint even though I'm an account admin. I need it to assign account level groups to workspaces via the workspace assignment api (https://api-docs.databricks.com/rest/latest/permission-assignment-account-api.html) which is recommended by Databricks.

Our Databricks instance is deployed to AWS.

What's been tried

  1. Create PAT token
  2. Test that I can authenticate against workspace endpoints
  3. Test workspace assignment endpoint with unauthorised error
  4. Calling Groups account endpoint with unauthorised error

Code

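import json
import os

import requests

# Placeholders: the post does not show where these two values are defined.
ACCOUNT_ID = os.environ["DATABRICKS_ACCOUNT_ID"]
DATABRICKS_TOKEN = os.environ["DATABRICKS_TOKEN"]  # the PAT created in step 1


def list_account_groups():
    """Note: Requires Account admin PAT token to list all account groups"""
    api_version = "/api/2.0"
    api_command = "/scim/v2/Groups"
    url = f"https://accounts.cloud.databricks.com{api_version}/accounts/{ACCOUNT_ID}{api_command}"

    header = {
        "accept": "application/scim+json",
        "Authorization": f"Bearer {DATABRICKS_TOKEN}",
    }

    # Account-level SCIM call; this is the request that comes back 401.
    response = requests.get(url, headers=header)
    print(response.status_code)
    print(json.dumps(json.loads(response.text), indent=2))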

Response:

401
{
  "message": "Cannot complete request; user is unauthenticated"
}

4 REPLIES

Anonymous
Not applicable

@lasse l:

It seems like the authentication token you are using is not authorized to access the Account API endpoint. The fact that you are able to authenticate against workspace endpoints using the same token suggests that the issue is specific to the Account API.

Here are a few steps you can try to troubleshoot the issue:

  1. Make sure that your PAT token has the appropriate permissions to access the Account API. You can check this by going to the Databricks web interface and navigating to the "User Settings" > "Tokens" page. Check that the token has the "Manage" permission for the "Account Management API".
  2. Check that the ACCOUNT_ID variable is set to the correct account ID. You can find this ID in the Databricks web interface by going to the "Admin Console" > "Account Settings" page.
  3. Check that you are using the correct endpoint URL. The URL you are using in your code is correct for the public cloud instance of Databricks, but if you are using a Databricks deployment on a different cloud provider, the URL may be different. You can find the correct endpoint URL in the Databricks documentation for your cloud provider.
  4. Check that the account admin role is correctly assigned to your user account. You can check this by going to the Databricks web interface and navigating to the "Admin Console" > "User Management" page. Check that your user account has the "Account Admin" role assigned to it.

Hope this helps!

surojit88
New Contributor II

"Check that the token has the 'Manage' permission for the 'Account Management API'"

Can you elaborate on how to do the above from the workspace UI?

Anonymous
Not applicable

Hi @lasse l

Thank you for posting your question in our community! We are happy to assist you.

To help us provide you with the most accurate information, could you please take a moment to review the responses and select the one that best answers your question?

This will also help other community members who may have similar questions in the future. Thank you for your participation and let us know if you need any further assistance! 

137292
New Contributor II

From this doc: To automate Databricks account-level functionality, you cannot use Databricks personal access tokens. Instead, you must use either OAuth tokens for Databricks account admin users or service principals. For more information, see:
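
Following the last reply, an added example (not part of the original thread and not Databricks' own code): the same Groups call made with an OAuth access token obtained for a service principal through the client-credentials flow, with a guard that refuses a personal access token before any request is sent. Assumptions not found in the thread: the token endpoint path `/oidc/accounts/<account-id>/v1/token` and `scope=all-apis` (from Databricks' OAuth machine-to-machine documentation), the `dapi` prefix of personal access tokens, and the environment variable names.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

ACCOUNTS_HOST = "https://accounts.cloud.databricks.com"  # AWS accounts endpoint from the thread


def looks_like_pat(token):
    """Assumption: workspace personal access tokens start with 'dapi'."""
    return token.startswith("dapi")


def build_token_request(account_id, client_id, client_secret):
    """Client-credentials request for a service principal (endpoint path is an assumption)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": "all-apis"})
    return urllib.request.Request(
        f"{ACCOUNTS_HOST}/oidc/accounts/{account_id}/v1/token",
        data=body.encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def build_groups_request(account_id, access_token):
    """Same SCIM Groups call as in the question, but a PAT is refused up front."""
    if looks_like_pat(access_token):
        raise ValueError("personal access tokens are rejected by the account API; use OAuth")
    return urllib.request.Request(
        f"{ACCOUNTS_HOST}/api/2.0/accounts/{account_id}/scim/v2/Groups",
        headers={"Accept": "application/scim+json",
                 "Authorization": f"Bearer {access_token}"},
    )


def list_account_groups(account_id, client_id, client_secret):
    """Performs both HTTPS calls; needs network access and real credentials."""
    token_req = build_token_request(account_id, client_id, client_secret)
    with urllib.request.urlopen(token_req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(build_groups_request(account_id, token), timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__" and "DATABRICKS_CLIENT_ID" in os.environ:
    env = os.environ  # variable names below are assumptions
    print(json.dumps(list_account_groups(env["DATABRICKS_ACCOUNT_ID"],
          env["DATABRICKS_CLIENT_ID"], env["DATABRICKS_CLIENT_SECRET"]), indent=2))
```

The service principal's client secret should come from a secret store or the environment, never from source code, and the returned access token is short-lived, so fetch a new one per run rather than persisting it.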
