Databricks Community

gustavocavsanto · ‎10-31-2024

I am trying to generate an OAuth token for my Azure Databricks workspace to access a model serving API in production. The code I’m using generates a token successfully, but I keep receiving a 401 error with the message "Missing authorization details for accessing model serving endpoints" when I try to use it.

Here's the code I'm using:

import requests

# Azure Databricks and Managed Service Principal Details
client_id = "XXXX"  # Application ID
client_secret = "XXXXX"  # Client Secret
workspace_url = "XXXXXX"  # Databricks workspace URL

# Databricks-specific endpoint URL for token generation
token_endpoint_url = f"{workspace_url}/oidc/v1/token"

# Function to get OAuth access token with all-apis scope
def get_workspace_oauth_token():
    response = requests.post(
        token_endpoint_url,
        auth=(client_id, client_secret),
        data={
            "grant_type": "client_credentials",
            "scope": "all-apis"
        }
    )
    response.raise_for_status()  # Check for request errors
    return response.json(), response.json().get("access_token")

# Generate the access token
response, access_token = get_workspace_oauth_token()
print("OAuth token generated successfully:", access_token)

The OAuth token seems to be generated without any issues. I’ve also ensured that my Service Principal has the necessary permissions to access the model serving endpoint in the Databricks workspace.

However, when using this token to call the model serving API endpoint, I get the following response:

{
    "error_code": 401,
    "message": "Missing authorization details for accessing model serving endpoints"
}

Additional Context: I have already assigned permissions to the Service Principal in Databricks. I’m using the all-apis scope to cover the model serving endpoint. Has anyone encountered this issue or have suggestions on what could be causing the 401 error?

Walter_C · ‎10-31-2024

You might need to follow steps in https://docs.databricks.com/en/machine-learning/model-serving/route-optimization.html#query-route-op... on how to fetch an OAuth token programmatically

dansayan · ‎01-27-2025

I managed to retrieve the access token but when i call the served endpoint i get the same error as the user above. my code is below. As for the SP in databricks workspace, it was given the manage permission on the served endpoint. Any suggestions?

dansayan · ‎01-27-2025

import requests as re 
import urllib.parse 

databricks_spn_secret = spn_secret_made_in_account_settings
databricks_spn_client_id = spn_id_made_in_account_settings

url = endppint_invocation_url
token_url = f"{workspace_url}/oidc/v1/token"
token_data = {
    "user": f"{databricks_spn_client_id}:{databricks_spn_secret}",
    "grant_type": "client_credentials",
    "scope": "all-apis",
    "type":"workspace_permission", 
    "object_type":"serving-endpoints", 
    "object_path":"/serving-endpoints/{endpoint_id}", 
    "actions":["manage_inference_endpoint"]
}

token_request = re.post(token_url, data = token_data, auth=re.auth.HTTPBasicAuth(databricks_spn_client_id, databricks_spn_secret))
token_request = token_request.json()

payload = {
    "inputs": {
        "question": "repeat our entire conversation history"
    },
    "params": {
        "config": {
            "configurable": {
                "session_id": "2e2442"
            }
        }
    }
}

api_token = token_request['access_token']

header = {
    "Authorization":  f"Bearer {api_token}",
    "Content-Type": "application/json"
}

resp = re.post(url, headers = header, json= payload)

print(resp.text)

dansayan · ‎02-03-2025

To anyone struggling: This was resolved by changing the URL to the endpoint of the rest api documentation url instead of the endpoint invocation url. https://docs.databricks.com/api/azure/workspace/servingendpoints/query

"/serving-endpoints/{name}/invocations"