cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Get Started Discussions
Start your journey with Databricks by joining discussions on getting started guides, tutorials, and introductory topics. Connect with beginners and experts alike to kickstart your Databricks experience.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

S60 Eliminate SPN secrets - Connect Azure Databricks to ADLS Gen2 , Gen1 via custom AD token

rameshkumar610
New Contributor

‎06-12-2024 01:12 PM

Hi Team,
In Azure Databricks, we currently use Service Principal when creating Mount Points to Azure storage ( ADLS Gen1, ADLS Gen 2 and Azure Blob Storage).

As part of S360 action to eliminate SPN secrets, we were asked to move to SPN+certificate / MSI/ User Assigned Managed Identity.

We tried connecting using a custom Active directory (AD) token rather than a client secret through databricks. PEM certificate was used to generate the custom AD token through Java code. We tried to pass the AD token via OAUTH2 method setting below spark configuration.

 

%scala

// Set up Spark configurations for ADLS Gen2 access with Azure AD token

spark.conf.set("fs.azure.account.auth.type.<Your storage Account>.dfs.core.windows.net", "OAuth")

spark.conf.set("fs.azure.account.oauth.provider.type.<Your storage Account>.dfs.core.windows.net", "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider")

spark.conf.set("fs.azure.account.oauth2.client.id.<Your storage Account>.dfs.core.windows.net", "clientid")

spark.conf.set("fs.azure.account.oauth2.client.secret.<Your storage Account>.dfs.core.windows.net", "")

spark.conf.set("fs.azure.account.oauth2.client.endpoint.<Your storage Account>.dfs.core.windows.net",https://login.microsoftonline.com/<Tenanant-Id>/oauth2/v2.0/token)

spark.conf.set("fs.azure.account.oauth2.access.token.provider", access_token)

To link to an ADLS Gen 2 storage account and access files, we are encountering the following issue.

Please refer the attachment to attach error screenshot
 
If you come across similar issue would you be able to help?
Labels:
0 Kudos
5 REPLIES 5

iakshaykr
New Contributor III

‎07-13-2024 01:43 PM

I don’t think SPN certificate is supported by spark configuration.

0 Kudos

szymon_dybczak
Contributor III

‎07-13-2024 11:36 PM - edited ‎07-13-2024 11:37 PM

This is an old way of mounting storage account. Is there any reason why you guys are not using unity catalog? Because if you have unity catalog assigned to your workspace, you can just create databricks access connector (databricks managed identity) and configure access to external location using this managed identity.

0 Kudos

ramesitexp
New Contributor II

‎07-14-2024 01:00 AM - edited ‎07-14-2024 01:01 AM

Hello, @szymon_dybczak. We would want to authenticate using a Custom Token or a Keyvault Certificate rather than a secret value or other keys. If we use managed identity, we must set the complete resource level to restrict the access. We would like to authenticate using cluster or notebook level authentication...

0 Kudos

szymon_dybczak
Contributor III

‎07-14-2024 01:39 AM - edited ‎07-14-2024 01:40 AM

Unfortunately, the way you're currently trying to do this is not supported by databricks. The only valid authentication options are listed in below article: 

 

https://learn.microsoft.com/en-us/azure/databricks/connect/storage/azure-storage#--connect-to-azure-...

 

https://stackoverflow.com/questions/77437928/access-adls-gen2-using-pem-certificate-from-apache-spar...

0 Kudos

iakshaykr
New Contributor III

‎07-14-2024 05:56 AM

@ramesitexp Yes @szymon_dybczak is correct for now only valid option is below : 

OAuth 2.0 with a Microsoft Entra ID service principal

Shared access signatures (SAS)

Account keys

 

For now we are using OAuth 2.0 with a Microsoft Entra ID service principal  with client secret not certificate . 

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements