02-06-2024 01:54 PM
Hi all, is anyone getting status 403 when requesting a model serving endpoint with error message "This API is disabled for users without the workspace-access entitlement"? I am accessing my model serving endpoint with a service principal access token which has permission to query the endpoint. Things were working fine until recently.
Something must have changed with model serving that it now requires workspace-access entitlement for my service principal. Can someone from Databricks please confirm this?
02-10-2024 04:22 AM
Hi @run480, it might be a chance that recently, the workspace admin removed the entitlement from the group due to which the service principal was failing with this error.
Can you please check and confirm what the entitlements of those above-mentioned groups are?
Kind Regards,
Ayushi
02-06-2024 09:25 PM
Hi @run480 , We understand that you are facing the following error while you are trying to access the model serving endpoint with a Service Principal Access Token:
++++++++++++++++++++++++++++++++++++++
"This API is disabled for users without the workspace-access entitlement"
++++++++++++++++++++++++++++++++++++++
The error message looks like it's because of Missing Entitlement “Workspace access” on Service principle
Can you please check and confirm if the Service principal is assigned this entitlement "Workspace Access" ?
An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way.
In order to resolve the error, could you please try the below steps
1) Could you please assign entitlement to your service principal?
2) Generate a new token and then try to access it.
Please refer to doc: https://docs.databricks.com/dev-tools/api/latest/scim/scim-sp.html#add-entitlements
https://docs.databricks.com/administration-guide/users-groups/index.html#assigning-entitlements
Please let me know if this helps and try to test and list any other resources using the service principal token you generated.
Leave a like if this helps, followups are appreciated.
Kudos
Ayushi
02-08-2024 07:32 AM
Hi @Ayushi_Suthar , thanks for your response. You are correct, the issue is resolved by enabling the workspace-access entitlement for the service principal. But when did this become a requirement for model serving?
My model serving endpoint was working for my service principal without this entitlement until January 30th when my client started to see status 403. Can someone from Databricks please confirm this?
Thanks,
Hung.
02-08-2024 08:50 PM
Hi @run480 , Could you please confirm that the Service Principal was a member of any groups?
Please check this document might it help you to verify: https://docs.databricks.com/en/administration-guide/users-groups/service-principals.html#manage-sp-e....
Please let me know if this helps and leave a like if this helps, followups are appreciated.
Kudos
Ayushi
02-09-2024 07:50 AM
Hi @Ayushi_Suthar , the service principal is a member of two groups: account users and users. According to the link you've provided, because the service principal is a member of the users group, it would have been granted the workspace-access entitlement by default.
Are you suggesting that the workspace admin might have removed the workspace-access entitlement at the users group level but forgot to grant it to the specific service principal?
Thanks,
Hung.
02-10-2024 04:22 AM
Hi @run480, it might be a chance that recently, the workspace admin removed the entitlement from the group due to which the service principal was failing with this error.
Can you please check and confirm what the entitlements of those above-mentioned groups are?
Kind Regards,
Ayushi
Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.
If there isn’t a group near you, start one and help create a community that brings people together.
Request a New Group