cancel
Showing results for 
Search instead for 
Did you mean: 
Machine Learning
Dive into the world of machine learning on the Databricks platform. Explore discussions on algorithms, model training, deployment, and more. Connect with ML enthusiasts and experts.
cancel
Showing results for 
Search instead for 
Did you mean: 

Model serving endpoint requires workspace-access entitlement?

run480
New Contributor II

Hi all, is anyone getting status 403 when requesting a model serving endpoint with error message "This API is disabled for users without the workspace-access entitlement"? I am accessing my model serving endpoint with a service principal access token which has permission to query the endpoint. Things were working fine until recently.

Something must have changed with model serving that it now requires workspace-access entitlement for my service principal. Can someone from Databricks please confirm this?

1 ACCEPTED SOLUTION

Accepted Solutions

Ayushi_Suthar
Databricks Employee
Databricks Employee

Hi @run480, it might be a chance that recently, the workspace admin removed the entitlement from the group due to which the service principal was failing with this error. 

Can you please check and confirm what the entitlements of those above-mentioned groups are? 

Kind Regards,

Ayushi

View solution in original post

5 REPLIES 5

Ayushi_Suthar
Databricks Employee
Databricks Employee

Hi @run480 , We understand that you are facing the following error while you are trying to access the model serving endpoint with a Service Principal Access Token:

++++++++++++++++++++++++++++++++++++++

"This API is disabled for users without the workspace-access entitlement"

++++++++++++++++++++++++++++++++++++++

The error message looks like it's because of Missing Entitlement “Workspace access” on Service principle

Can you please check and confirm if the Service principal is assigned this entitlement "Workspace Access" ? 

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way.

In order to resolve the error, could you please try the below steps

1) Could you please assign entitlement to your service principal?
2) Generate a new token and then try to access it.

Please refer to doc: https://docs.databricks.com/dev-tools/api/latest/scim/scim-sp.html#add-entitlements
https://docs.databricks.com/administration-guide/users-groups/index.html#assigning-entitlements

Please let me know if this helps and try to test and list any other resources using the service principal token you generated.
Leave a like if this helps, followups are appreciated.

Kudos

Ayushi

Hi @Ayushi_Suthar , thanks for your response. You are correct, the issue is resolved by enabling the workspace-access entitlement for the service principal. But when did this become a requirement for model serving?

My model serving endpoint was working for my service principal without this entitlement until January 30th when my client started to see status 403. Can someone from Databricks please confirm this?

Thanks,

Hung.

Ayushi_Suthar
Databricks Employee
Databricks Employee

Hi @run480 , Could you please confirm that the Service Principal was a member of any groups? 

Please check this document might it help you to verify: https://docs.databricks.com/en/administration-guide/users-groups/service-principals.html#manage-sp-e....

Please let me know if this helps and leave a like if this helps, followups are appreciated.
Kudos
Ayushi

Hi @Ayushi_Suthar , the service principal is a member of two groups: account users and users. According to the link you've provided, because the service principal is a member of the users group, it would have been granted the workspace-access entitlement by default.

Are you suggesting that the workspace admin might have removed the workspace-access entitlement at the users group level but forgot to grant it to the specific service principal?

 

Thanks,

Hung.

Ayushi_Suthar
Databricks Employee
Databricks Employee

Hi @run480, it might be a chance that recently, the workspace admin removed the entitlement from the group due to which the service principal was failing with this error. 

Can you please check and confirm what the entitlements of those above-mentioned groups are? 

Kind Regards,

Ayushi

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group