Hi,
Is it possible to create groups at the account level in Unity Catalog as a Service Principal?
I can manage to create groups when authenticated as a user, but not as a Service Principal. I then get an error "user not authorized".
The service principal has the Account admin role, visible in the account console, and can create other workspace-related resources, as well as a metastore, using the Terraform provider with the host provided as the URL of a workspace (but I can't manage to use the provider with host https://accounts.azuredatabricks.net, kind of a similar issue to https://community.databricks.com/s/question/0D58Y000098lPUkSAM/uc-service-principalterraform).
I tried with Terraform as well as Postman via SCIM API 2.0 (Accounts) ({{baseUrl}}/accounts/:account_id/scim/v2/Groups) using the token generated with "az account get-access-token".
The error with Terraform:
"Error: cannot create group: User not authorized. Using azure-client-secret auth: host=https://accounts.azuredatabricks.net, account_id=..."
I've read the documentation here: https://docs.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/groups, but haven't found anything related to a service principal restriction.
Thanks for your help