
Unity catalog - Service Principal SCIM API account unauthorized

yvuignie
Contributor

Hi,

Is it possible to create groups at the account level in Unity Catalog as a Service Principal?

I can manage to create groups when authenticated as a user, but not as a Service Principal. I then get an error "user not authorized".

The service principal has the role Account admin visible in the account console and can create other workspace-related resources, as well as a metastore, using the terraform provider with the host set to the URL of a workspace (but can't manage to use the provider with host https://accounts.azuredatabricks.net, a similar issue to https://community.databricks.com/s/question/0D58Y000098lPUkSAM/uc-service-principalterraform).

I tried with terraform as well as Postman via SCIM API 2.0 (Accounts) ({{baseUrl}}/accounts/:account_id/scim/v2/Groups) using the token generated with "az account get-access-token".

The error with terraform:

"Error: cannot create group: User not authorized. Using azure-client-secret auth: host=https://accounts.azuredatabricks.net, account_id=..."

I've read the documentation here: https://docs.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/groups, but haven't found anything related to a service principal restriction.

Thanks for your help

18 REPLIES

Dusko
New Contributor III

Hello, any progress? Dealing with the same problem right now. Thanks

yvuignie
Contributor

I don't know what has been fixed in Databricks, but today it's finally working without any changes on our side.

Hi @Yannick Vuignier! Remember I let you know that the OAuth tokens were to preview soon? Well, today we enabled Azure AD token support for Service principals with Azure Databricks. So this means that you no longer need to use user principal tokens for API Automation with Azure DB.
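Added example (not code from this thread or from Databricks) of the flow the question describes once service-principal Azure AD tokens are supported: the service principal obtains its own token via the client-credentials flow, then POSTs a SCIM Group to the account-level endpoint, and the response is classified so a "User not authorized" reply is reported distinctly from other failures. Assumptions: the accounts API path under `/api/2.0`, the SCIM 2.0 Error body shape with a `detail` field, and all tenant, client and account values are placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

ACCOUNTS_HOST = "https://accounts.azuredatabricks.net"
# Well-known Azure AD application ID of the Azure Databricks resource;
# the token scope "<id>/.default" requests a token for that resource.
AZURE_DATABRICKS_APP_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"
SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

def get_sp_token(tenant_id, client_id, client_secret):
    """Client-credentials flow: the service principal's own Azure AD token,
    so no user token or personal access token is involved."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{AZURE_DATABRICKS_APP_ID}/.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as r:
        return json.load(r)["access_token"]

def build_group_payload(display_name):
    # Minimal SCIM 2.0 Group resource for the account-level Groups endpoint.
    return {"schemas": [SCIM_GROUP_SCHEMA], "displayName": display_name}

def interpret_scim_response(status, body_text):
    """Classify a SCIM reply. Assumed error shape: SCIM 2.0 Error JSON with a
    'detail' field (e.g. "User not authorized"); falls back to the raw body."""
    try:
        body = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        body = {"detail": body_text}
    detail = body.get("detail", body_text)
    if status in (200, 201):
        return True, body.get("id", "")
    if status in (401, 403):
        return False, f"not authorized: {detail}"
    return False, f"HTTP {status}: {detail}"

def create_account_group(token, account_id, display_name):
    """POST the group to the account SCIM API (path assumed under /api/2.0)."""
    url = f"{ACCOUNTS_HOST}/api/2.0/accounts/{account_id}/scim/v2/Groups"
    req = urllib.request.Request(
        url, data=json.dumps(build_group_payload(display_name)).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/scim+json"}, method="POST")
    try:
        with urllib.request.urlopen(req) as r:
            return interpret_scim_response(r.status, r.read().decode())
    except urllib.error.HTTPError as err:
        return interpret_scim_response(err.code, err.read().decode())
```

A service principal used this way should hold only the account role the group management needs, and a `not authorized` result is the signal to check that role rather than to fall back to a user's token.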

yvuignie
Contributor

@Pearl Ubaru Thank you for your help
