cancel
Showing results for 
Search instead for 
Did you mean: 
Machine Learning
Dive into the world of machine learning on the Databricks platform. Explore discussions on algorithms, model training, deployment, and more. Connect with ML enthusiasts and experts.
cancel
Showing results for 
Search instead for 
Did you mean: 

Model serving endpoint requires workspace-access entitlement?

run480
New Contributor II

Hi all, is anyone getting status 403 when requesting a model serving endpoint with error message "This API is disabled for users without the workspace-access entitlement"? I am accessing my model serving endpoint with a service principal access token which has permission to query the endpoint. Things were working fine until recently.

Something must have changed with model serving that it now requires workspace-access entitlement for my service principal. Can someone from Databricks please confirm this?

1 ACCEPTED SOLUTION

Accepted Solutions

Ayushi_Suthar
Honored Contributor
Honored Contributor

Hi @run480, it might be a chance that recently, the workspace admin removed the entitlement from the group due to which the service principal was failing with this error. 

Can you please check and confirm what the entitlements of those above-mentioned groups are? 

Kind Regards,

Ayushi

View solution in original post

7 REPLIES 7

Ayushi_Suthar
Honored Contributor
Honored Contributor

Hi @run480 , We understand that you are facing the following error while you are trying to access the model serving endpoint with a Service Principal Access Token:

++++++++++++++++++++++++++++++++++++++

"This API is disabled for users without the workspace-access entitlement"

++++++++++++++++++++++++++++++++++++++

The error message looks like it's because of Missing Entitlement “Workspace access” on Service principle

Can you please check and confirm if the Service principal is assigned this entitlement "Workspace Access" ? 

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way.

In order to resolve the error, could you please try the below steps

1) Could you please assign entitlement to your service principal?
2) Generate a new token and then try to access it.

Please refer to doc: https://docs.databricks.com/dev-tools/api/latest/scim/scim-sp.html#add-entitlements
https://docs.databricks.com/administration-guide/users-groups/index.html#assigning-entitlements

Please let me know if this helps and try to test and list any other resources using the service principal token you generated.
Leave a like if this helps, followups are appreciated.

Kudos

Ayushi

Hi @Ayushi_Suthar , thanks for your response. You are correct, the issue is resolved by enabling the workspace-access entitlement for the service principal. But when did this become a requirement for model serving?

My model serving endpoint was working for my service principal without this entitlement until January 30th when my client started to see status 403. Can someone from Databricks please confirm this?

Thanks,

Hung.

Ayushi_Suthar
Honored Contributor
Honored Contributor

Hi @run480 , Could you please confirm that the Service Principal was a member of any groups? 

Please check this document might it help you to verify: https://docs.databricks.com/en/administration-guide/users-groups/service-principals.html#manage-sp-e....

Please let me know if this helps and leave a like if this helps, followups are appreciated.
Kudos
Ayushi

Hi @Ayushi_Suthar , the service principal is a member of two groups: account users and users. According to the link you've provided, because the service principal is a member of the users group, it would have been granted the workspace-access entitlement by default.

Are you suggesting that the workspace admin might have removed the workspace-access entitlement at the users group level but forgot to grant it to the specific service principal?

 

Thanks,

Hung.

Ayushi_Suthar
Honored Contributor
Honored Contributor

Hi @run480, it might be a chance that recently, the workspace admin removed the entitlement from the group due to which the service principal was failing with this error. 

Can you please check and confirm what the entitlements of those above-mentioned groups are? 

Kind Regards,

Ayushi

Kaniz_Fatma
Community Manager
Community Manager

Hey there! Thanks a bunch for being part of our awesome community! 🎉 

We love having you around and appreciate all your questions. Take a moment to check out the responses – you'll find some great info. Your input is valuable, so pick the best solution for you. And remember, if you ever need more help , we're here for you! 

Keep being awesome! 😊🚀

 

Kaniz_Fatma
Community Manager
Community Manager

Hey there! Thanks a bunch for being part of our awesome community! 🎉 

We love having you around and appreciate all your questions. Take a moment to check out the responses – you'll find some great info. Your input is valuable, so pick the best solution for you. And remember, if you ever need more help , we're here for you! 

Keep being awesome! 😊🚀

Join 100K+ Data Experts: Register Now & Grow with Us!

Excited to expand your horizons with us? Click here to Register and begin your journey to success!

Already a member? Login and join your local regional user group! If there isn’t one near you, fill out this form and we’ll create one for you to join!