
Workflow service principal owned can't checkout git repository

giuseppegrieco
New Contributor III

I am trying to deploy a workflow where the owner is a service principal and I am using Git integration (backend with Azure DevOps). When I run the workflow, it says that it doesn't have permissions to check out the repo.

run failed with error message
 Failed to checkout Git repository: PERMISSION_DENIED: Encountered an error with your Azure Active Directory credentials. Please try logging out of Azure Active Directory (https://portal.azure.com) and logging back in.

5 REPLIES

Debayan
Databricks Employee

Hi, to use a service principal with the Repos API, first add the Git PAT token for the service principal via the Git Credential API. You can then use the Repos API and Jobs APIs with your service principal.

Could you please see if this helps? Also, please tag @Debayan Mukherjee with your next update so that I will be notified.
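
The request described in the reply above, as an added example that is not part of the original thread and not Databricks' own code: it builds (without sending) the POST to the Git Credentials API, using the field names listed elsewhere in this thread. The `/api/2.0/git-credentials` path is the Databricks REST endpoint; the environment variable names, and the assumption that the bearer token was issued to the service principal itself, are assumptions of this example.

```python
import json
import os
import urllib.request

# Provider value as quoted in this thread for Azure DevOps.
GIT_PROVIDER = "azureDevOpsServices"


def build_git_credential_request(host, sp_token, git_username, git_pat):
    """Build (not send) the POST that stores a Git credential.

    Assumption: sp_token is a Databricks token issued to the service
    principal, so the credential is stored for that identity.
    """
    if not host.startswith("https://"):
        raise ValueError("workspace URL must use https")
    for name, value in (("sp_token", sp_token),
                        ("git_username", git_username),
                        ("git_pat", git_pat)):
        if not value or value != value.strip():
            raise ValueError(f"{name} is empty or has stray whitespace")
    body = {
        "git_provider": GIT_PROVIDER,
        "git_username": git_username,
        "personal_access_token": git_pat,
    }
    return urllib.request.Request(
        url=host.rstrip("/") + "/api/2.0/git-credentials",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {sp_token}",
                 "Content-Type": "application/json"},
    )


def redacted(req):
    """Loggable summary of the request; the PAT and bearer token are omitted."""
    body = json.loads(req.data)
    body["personal_access_token"] = "***"
    return {"url": req.full_url, "method": req.get_method(), "body": body}


if __name__ == "__main__":
    # Hypothetical variable names; secrets come from the environment only.
    req = build_git_credential_request(
        os.environ["DATABRICKS_HOST"], os.environ["DATABRICKS_SP_TOKEN"],
        os.environ["GIT_USERNAME"], os.environ["AZDO_PAT"])
    print(redacted(req))           # inspect before sending
    # urllib.request.urlopen(req)  # uncomment to send
```
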

marc88
New Contributor II

Hello,

I am facing the same issue and I am using the following for the git-credentials REST API from Postman:
1) Databricks PAT for authorization bearer token
2) personal_access_token = Azure DevOps PAT
3) git_username = Service Principal display name (This is the owner/Run-as on my Databricks workflow and it needs to access notebooks from my Azure DevOps repo)
4) git_provider = azureDevOpsServices.

Questions:
1) Where am I going wrong while using the API?
2) When I choose Azure DevOps Services AAD authentication for the service principal, why doesn't the Databricks - Azure DevOps (ADO) integration work without having to work with PATs?
The reason for using a service principal is, I don't want my personal ADO PAT to be used for any configuration.
Plus, service principals can't have PATs in ADO. (Another reason why SPNs are used and are more secure.)
The service principal has access to both the Databricks workspace and the ADO repo.

giuseppegrieco
New Contributor III

@Debayan Mukherjee Hello, thanks for your answer. I am wondering: when creating a new credential entry, as git_username should I use the service principal client ID, right? And for the PAT, since Azure DevOps doesn't provide a way to create one for a service principal, should I create one from a user account?

Yes, as GIT credentials, registers personal access token for Databricks to do operations on behalf of the user.

Anonymous
Not applicable

Hi @Giuseppe Grieco​ 

Hope everything is going great.

Just wanted to check in if you were able to resolve your issue. If yes, would you be happy to mark an answer as best so that other members can find the solution more quickly? If not, please tell us so we can help you. 

Cheers!
