cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Get Started Discussions
Start your journey with Databricks by joining discussions on getting started guides, tutorials, and introductory topics. Connect with beginners and experts alike to kickstart your Databricks experience.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

API call fails to initiate create Service Principal secret

Go to solution
zibi
New Contributor

Monday

Hi,

I've constructed an AWS lambda function which is used to auto rotate my Service Principal Secret in the Databricks account. 
Authentication is setup with OAuth2, the api call for the token generation is successful but when executing the api call to create secret it fails with Bad Request

Below is a result tested using Postman. I've masked the account_id and client_id. 

POST https://accounts.cloud.databricks.com/api/2.0/accounts/q243434j-mock-121k-23kj-342131kjhhh3/serviceP...

Headers
Authorisation: Bearer jsdjshadadhashd348795h235i52ih35i2h5...

Content-Type: application/json

Body

{
  "lifetime""31536000s"
}

 

{"error_code":"BAD_REQUEST","message":"Invalid service principal id 'q243434j-t373-121k-23kj-342131kjhhh3'","details":[{"@type":"type.googleapis.com/google.rpc.RequestInfo","request_id":"728394h-mock-40b1-86ce-1d1991u91283","serving_data":""}]}

The SP client_id was quadruple checked. Any assistance would be appreciated. 

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
zibi
New Contributor
In response to zibi

Thursday

Problem resolved, the I changed the Service Principal ID to use the ID instead of the UUID, this worked perfectly, definitely an error in the documentation.

 

View solution in original post

0 Kudos
3 REPLIES 3

Go to solution
mark_ott
Databricks Employee
Databricks Employee

Wednesday

Your error message, "Invalid service principal id," typically indicates a mismatch or formatting problem with the service principal's unique identifier in your API request. Although you checked the client_id, this value is not always the one needed for the API—in fact, Databricks distinguishes between client_id (application ID) and the internal service principal UUID or databricks-specific id. Using the wrong type or mixing up the Databricks account_id and service principal id often causes this specific BAD_REQUEST.​

Key Troubleshooting Steps

  • Double-check that the service principal ID used in the API endpoint is the actual Databricks service principal UUID—not the client_id or any Azure identifier. You can get this ID from the Databricks "User management" tab in the account console under the Service Principals section.​

  • Confirm you are targeting the right API endpoint: For secret creation, the path should be /api/2.0/accounts/{account_id}/servicePrincipals/{service_principal_id}/credentials/secrets with both {account_id} and {service_principal_id} exactly as Databricks expects them.​

  • The "lifetime" field in your request body should be given as a number in seconds (not a string with an "s" suffix). For example: { "lifetime": 31536000 }.

Example Correct API Request

Additional Notes

  • If using automation, ensure you're not accidentally swapping the account_id and service principal id in the URL.​

  • Databricks UI and the REST API sometimes refer to IDs differently than Azure AD. Always copy the identifiers straight from the Databricks account console.​

Verifying these details should help fix the BAD_REQUEST error. If you are still facing the issue, log into the Databricks account console, list your service principals, and copy their UUID from there for use in your API call.​

0 Kudos

Go to solution
zibi
New Contributor
In response to mark_ott

Wednesday

I followed instructions to the "T" and can confirm I was using service principal UUID as the servicePrincipal ID in the URL and modified the body to reflect as suggested.

{
  "lifetime"31536000
}
Getting below error now after changing the body.
{
    "error_code""MALFORMED_REQUEST",
    "message""Could not parse request object: Error parsing Duration\n at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 21]\n at [Source: UNKNOWN; line: 1, column: 21]",
    "details": [
        {
            "@type""type.googleapis.com/google.rpc.RequestInfo",
            "request_id""6a543eec-3682-4d13-964a-70ddcb8b0738",
            "serving_data"""
        }
    ]
}
0 Kudos

Go to solution
zibi
New Contributor
In response to zibi

Thursday

Problem resolved, the I changed the Service Principal ID to use the ID instead of the UUID, this worked perfectly, definitely an error in the documentation.

 

0 Kudos

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!

Sign Up Now
Announcements