12-27-2022 05:42 AM
Hi,
I have been trying to deploy Access Connector resource on Azure using Azure Pipelines (YAML) and a Bicep template but I cannot find a solution to this error:
```
ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"PreconditionFailed","message":"{\r\n \"error\": {\r\n \"code\": \"403\",\r\n \"message\": \"User not authorized.\"\r\n }\r\n}"}]}}
```

I have slimmed down the YAML pipeline I am using to deploy the access connector to the minimum:
```yaml
trigger: none

pool:
  vmImage: windows-latest

stages:
  - stage: Deploy
    jobs:
      - job:
        displayName: Deploy Access Connector
        steps:
          - task: AzureCLI@2
            displayName: Azure CLI
            inputs:
              azureSubscription: 'tv-service-connection'
              scriptType: pscore
              scriptLocation: inlineScript
              inlineScript: |
                az deployment group create --resource-group devops-development-rg --template-file create-access-connector-2.bicep
```

where `tv-service-connection` is the name of the service connection, `devops-development-rg` is the name of the resource group and `create-access-connector-2.bicep` is the bicep template. The bicep template I am using is taken from the official documentation with minor modifications:
```bicep
param location string = resourceGroup().location

resource accessConnector 'Microsoft.Databricks/accessConnectors@2022-04-01-preview' = {
  name: 'accessConnectordbtv'
  location: location
  identity: {
    type: 'None'
  }
  properties: {}
}
```

The things I have tried without any success:
- assigning Owner or/and Contributor rights to the service connection on both subscription/resource group level
- az login with the details of service connection to run az group deployment with the bicep template (still get the same error)
- using Terraform for deployment as per official tutorial
- assigning Microsoft Graph API IdentityProvider.ReadWrite.All permission to the service connection as suggested in this post which seems to be the closest to the problem I'm facing.
Any suggestions would be extremely appreciated as I am getting pretty desperate at this point.
- Labels: Azure, AzurePipelines, Unity Catalog
12-27-2022 08:34 PM
For the job you are running, try to give that user the privilege.
12-27-2022 11:39 PM
Thanks for the suggestion, but I already have Owner privileges on a subscription level assigned to both myself and the service connection used for that job. Any other suggestions?
01-04-2023 11:44 PM
Hi,
I fixed this issue by adding the service principal to the list of service principals in the Account Console. My guess is that after the access connector is created an API call is made to the Databricks account and the service principal making that call needs to be known in the Databricks account. In your case, my guess is that the service principal is not yet registered there.
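
The error in the original post carries a second JSON document inside the `PreconditionFailed` message string. As an added example (not code from any poster in this thread), this Python helper unwraps that nesting so the innermost code and message can be read directly; the function names are hypothetical and the input is the error text copied from the question with the `ERROR: ` prefix removed.

```python
import json

# Error text from the original post ("ERROR: " prefix removed), kept as raw
# strings so the \r\n and \" escapes reach the JSON parser unchanged.
RAW = (
    r'{"status":"Failed","error":{"code":"DeploymentFailed",'
    r'"message":"At least one resource deployment operation failed. '
    r'Please list deployment operations for details. '
    r'Please see https://aka.ms/DeployOperations for usage details.",'
    r'"details":[{"code":"PreconditionFailed",'
    r'"message":"{\r\n \"error\": {\r\n \"code\": \"403\",\r\n '
    r'\"message\": \"User not authorized.\"\r\n }\r\n}"}]}}'
)


def _as_json(text):
    """Return the parsed object if text is itself a JSON object, else None."""
    if not isinstance(text, str) or not text.lstrip().startswith("{"):
        return None
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        return None
    return parsed if isinstance(parsed, dict) else None


def walk(node, depth=0):
    """Yield (depth, code, message) for an error node and everything nested in it."""
    inner = node.get("error")
    if isinstance(inner, dict):          # unwrap {"error": {...}} envelopes
        node = inner
    embedded = _as_json(node.get("message"))
    # A message that is itself JSON is reported through its own nodes instead.
    yield depth, str(node.get("code")), None if embedded else node.get("message")
    for child in node.get("details", []):
        yield from walk(child, depth + 1)
    if embedded:
        yield from walk(embedded, depth + 1)


def error_chain(raw):
    """Parse a deployment error string into its ordered list of nested errors."""
    return list(walk(json.loads(raw)))


def innermost(raw):
    """Return the deepest (depth, code, message) entry in the error."""
    return max(error_chain(raw), key=lambda entry: entry[0])


if __name__ == "__main__":
    for depth, code, message in error_chain(RAW):
        print("  " * depth + code + (": " + message if message else ""))
```

Run against the pasted error, the chain reads `DeploymentFailed`, then `PreconditionFailed`, then `403: User not authorized.`, so the 403 sits two levels below the generic deployment failure.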