cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Help
Machine Learning
Dive into the world of machine learning on the Databricks platform. Explore discussions on algorithms, model training, deployment, and more. Connect with ML enthusiasts and experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Model serving endpoint requires workspace-access entitlement?

Go to solution
run480
New Contributor II

โ€Ž02-06-2024 01:54 PM

Hi all, is anyone getting status 403 when requesting a model serving endpoint with error message "This API is disabled for users without the workspace-access entitlement"? I am accessing my model serving endpoint with a service principal access token which has permission to query the endpoint. Things were working fine until recently.

Something must have changed with model serving that it now requires workspace-access entitlement for my service principal. Can someone from Databricks please confirm this?

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Ayushi_Suthar
Databricks Employee
Databricks Employee
In response to run480

โ€Ž02-10-2024 04:22 AM

Hi @run480, it might be a chance that recently, the workspace admin removed the entitlement from the group due to which the service principal was failing with this error. 

Can you please check and confirm what the entitlements of those above-mentioned groups are? 

Kind Regards,

Ayushi

View solution in original post

0 Kudos
5 REPLIES 5

Go to solution
Ayushi_Suthar
Databricks Employee
Databricks Employee

โ€Ž02-06-2024 09:25 PM

Hi @run480 , We understand that you are facing the following error while you are trying to access the model serving endpoint with a Service Principal Access Token:

++++++++++++++++++++++++++++++++++++++

"This API is disabled for users without the workspace-access entitlement"

++++++++++++++++++++++++++++++++++++++

The error message looks like it's because of Missing Entitlement โ€œWorkspace accessโ€ on Service principle

Can you please check and confirm if the Service principal is assigned this entitlement "Workspace Access" ? 

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way.

In order to resolve the error, could you please try the below steps

1) Could you please assign entitlement to your service principal?
2) Generate a new token and then try to access it.

Please refer to doc: https://docs.databricks.com/dev-tools/api/latest/scim/scim-sp.html#add-entitlements
https://docs.databricks.com/administration-guide/users-groups/index.html#assigning-entitlements

Please let me know if this helps and try to test and list any other resources using the service principal token you generated.
Leave a like if this helps, followups are appreciated.

Kudos

Ayushi

0 Kudos

Go to solution
run480
New Contributor II
In response to Ayushi_Suthar

โ€Ž02-08-2024 07:32 AM

Hi @Ayushi_Suthar , thanks for your response. You are correct, the issue is resolved by enabling the workspace-access entitlement for the service principal. But when did this become a requirement for model serving?

My model serving endpoint was working for my service principal without this entitlement until January 30th when my client started to see status 403. Can someone from Databricks please confirm this?

Thanks,

Hung.

0 Kudos

Go to solution
Ayushi_Suthar
Databricks Employee
Databricks Employee
In response to run480

โ€Ž02-08-2024 08:50 PM

Hi @run480 , Could you please confirm that the Service Principal was a member of any groups? 

Please check this document might it help you to verify: https://docs.databricks.com/en/administration-guide/users-groups/service-principals.html#manage-sp-e....

Please let me know if this helps and leave a like if this helps, followups are appreciated.
Kudos
Ayushi

0 Kudos

Go to solution
run480
New Contributor II
In response to Ayushi_Suthar

โ€Ž02-09-2024 07:50 AM

Hi @Ayushi_Suthar , the service principal is a member of two groups: account users and users. According to the link you've provided, because the service principal is a member of the users group, it would have been granted the workspace-access entitlement by default.

Are you suggesting that the workspace admin might have removed the workspace-access entitlement at the users group level but forgot to grant it to the specific service principal?

 

Thanks,

Hung.

0 Kudos

Go to solution
Ayushi_Suthar
Databricks Employee
Databricks Employee
In response to run480

โ€Ž02-10-2024 04:22 AM

Hi @run480, it might be a chance that recently, the workspace admin removed the entitlement from the group due to which the service principal was failing with this error. 

Can you please check and confirm what the entitlements of those above-mentioned groups are? 

Kind Regards,

Ayushi

0 Kudos

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you wonโ€™t want to miss the chance to attend and share knowledge.

If there isnโ€™t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements