Lakebase Discussions
Ask questions, share challenges, and connect with others working on Lakebase. From troubleshooting to best practices, this is where conversations happen.

Lakebase login via REST for a service principal

_Lilith
New Contributor

Hi all,

I’m trying to set up REST-based communication between my Lakebase and a REST-client.

I’m following the documentation Connecting to Lakebase via REST using a service principal to obtain a workspace-level token. After that, I use the Lakebase Data API to authenticate against Lakebase and create/configure my user.

However, I’m running into a 403 error with the message:

Permission denied to set role {SP client ID}

My assumption is that this happens because I can’t grant the authenticator role to a service principal.

Does this mean that using user-based OAuth or username/password authentication is the only way to access Lakebase via REST? Neither of these options seems very secure to me.
Or am I missing a supported approach for service principals here?

Thanks in advance!

Accepted Solutions

_Lilith
New Contributor

I created a new Lakebase project to retrace all my steps. 

0- I reused my service principal on the workspace

1- Installed the databricks authentication extension:

CREATE EXTENSION IF NOT EXISTS databricks_auth;

2- Added the lakehouse service principal to the lakebase project

SELECT databricks_create_role('{UUID}', 'SERVICE_PRINCIPAL');

3- Enabled Data API to get authenticator user created

4- Finally granted authenticator role to the service principal

GRANT "{UUID}" TO authenticator;

And this time it worked. I do not understand what the difference is to last time, maybe my authenticator user was somehow corrupted.

Thank you @balajij8 & @szymon_dybczak for your answers and suggestions

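As an added diagnostic example (not from any poster in this thread): before calling the Data API, check from the SQL editor that the role chain the accepted solution describes is actually in place, which is the quickest way to explain a "permission denied to set role" 403. It assumes Lakebase exposes the standard PostgreSQL catalog views and uses a placeholder UUID in place of the service principal's application ID.

```sql
-- Placeholder UUID: replace with the service principal's application (client) ID
-- that was passed to databricks_create_role(...).

-- 1. Does the service principal role exist in this Lakebase instance at all?
SELECT rolname, rolcanlogin
FROM pg_roles
WHERE rolname = '00000000-0000-0000-0000-000000000000';

-- 2. Is authenticator a member of that role? Without this membership the
--    Data API's SET ROLE fails, which surfaces as "permission denied to set role".
SELECT pg_has_role('authenticator',
                   '00000000-0000-0000-0000-000000000000',
                   'MEMBER') AS authenticator_can_assume_sp;

-- 3. List every identity authenticator may switch to, so stale or over-broad
--    grants are visible (least privilege: only identities that need API access).
SELECT r.rolname AS assumable_role
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid   -- the role being granted
JOIN pg_roles g ON g.oid = m.member   -- the role receiving membership
WHERE g.rolname = 'authenticator'
ORDER BY r.rolname;

-- 4. Repair, if query 2 returns false. As the thread notes, this needs an identity
--    with sufficient privilege on the project (e.g. 'Can Manage'), otherwise it
--    fails with SQLSTATE 42501.
-- GRANT "00000000-0000-0000-0000-000000000000" TO authenticator;
```

If query 1 returns no row, run databricks_create_role first; the GRANT in query 4 cannot succeed for a role that does not exist.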

6 REPLIES

szymon_dybczak
Esteemed Contributor III

Hi,

You need to assign a proper role for your Service Principal. Go to:

  1. Roles & Databases > Add role > OAuth tab, select the service principal to grant database access to.
  2. After creating the role, you need to also grant permissions.

Both of those steps are well described in the docs below:

Adding role: Lakebase Data API | Databricks on AWS

Grant permissions: Lakebase Data API | Databricks on AWS


If my answer was helpful, please consider marking it as accepted solution.

Thanks for your reply. 

These are the steps that I have also followed and had linked to in my question.

When granting permissions, the first line of the documentation fails when I use a service principal:

-- Allow authenticator to assume the identity of the user
GRANT "{service principal user ID}" TO authenticator;

ERROR: permission denied to grant role "{service principal user ID}" (SQLSTATE 42501)


balajij8
Contributor III

You can change the code to use the client application ID (UUID) of the service principal as the identity name and run it.

GRANT "UUID" TO authenticator;


That is what I am using. Taking the example of the documentation what I do first is:

1- Create a service principal in the workspace

2- Add the service principal as a user in lakebase, using the service principal's Application ID

SELECT databricks_create_role('8c01cfb1-62c9-4a09-88a8-e195f4b01b08', 'SERVICE_PRINCIPAL');

3- I get the mentioned error at the first step of giving permissions in the SQL editor:

-- Allow authenticator to assume the identity of the user
GRANT "8c01cfb1-62c9-4a09-88a8-e195f4b01b08" TO authenticator;

ERROR: permission denied to grant role "8c01cfb1-62c9-4a09-88a8-e195f4b01b08" (SQLSTATE 42501)

balajij8
Contributor III

It's failing due to insufficient privileges. Can you check that you have 'Can Manage' access under Project Permissions in the Lakebase project? If you have 'Can Use' access, you can ask for 'Can Manage' access, or you can ask the admin to run the GRANT sequence to initialize the Service Principal.
