cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Machine Learning
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Model serving endpoint requires workspace-access entitlement?

Go to solution
run480
New Contributor II

‎02-06-2024 01:54 PM

Hi all, is anyone getting status 403 when requesting a model serving endpoint with error message "This API is disabled for users without the workspace-access entitlement"? I am accessing my model serving endpoint with a service principal access token which has permission to query the endpoint. Things were working fine until recently.

Something must have changed with model serving that it now requires workspace-access entitlement for my service principal. Can someone from Databricks please confirm this?

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Ayushi_Suthar
Honored Contributor
Honored Contributor
In response to run480

‎02-10-2024 04:22 AM

Hi @run480, it might be a chance that recently, the workspace admin removed the entitlement from the group due to which the service principal was failing with this error. 

Can you please check and confirm what the entitlements of those above-mentioned groups are? 

Kind Regards,

Ayushi

View solution in original post

0 Kudos
7 REPLIES 7

Go to solution
Ayushi_Suthar
Honored Contributor
Honored Contributor

‎02-06-2024 09:25 PM

Hi @run480 , We understand that you are facing the following error while you are trying to access the model serving endpoint with a Service Principal Access Token:

++++++++++++++++++++++++++++++++++++++

"This API is disabled for users without the workspace-access entitlement"

++++++++++++++++++++++++++++++++++++++

The error message looks like it's because of Missing Entitlement “Workspace access” on Service principle

Can you please check and confirm if the Service principal is assigned this entitlement "Workspace Access" ? 

An entitlement is a property that allows a user, service principal, or group to interact with Databricks in a specified way.

In order to resolve the error, could you please try the below steps

1) Could you please assign entitlement to your service principal?
2) Generate a new token and then try to access it.

Please refer to doc: https://docs.databricks.com/dev-tools/api/latest/scim/scim-sp.html#add-entitlements
https://docs.databricks.com/administration-guide/users-groups/index.html#assigning-entitlements

Please let me know if this helps and try to test and list any other resources using the service principal token you generated.
Leave a like if this helps, followups are appreciated.

Kudos

Ayushi

0 Kudos

Go to solution
run480
New Contributor II
In response to Ayushi_Suthar

‎02-08-2024 07:32 AM

Hi @Ayushi_Suthar , thanks for your response. You are correct, the issue is resolved by enabling the workspace-access entitlement for the service principal. But when did this become a requirement for model serving?

My model serving endpoint was working for my service principal without this entitlement until January 30th when my client started to see status 403. Can someone from Databricks please confirm this?

Thanks,

Hung.

0 Kudos

Go to solution
Ayushi_Suthar
Honored Contributor
Honored Contributor
In response to run480

‎02-08-2024 08:50 PM

Hi @run480 , Could you please confirm that the Service Principal was a member of any groups? 

Please check this document might it help you to verify: https://docs.databricks.com/en/administration-guide/users-groups/service-principals.html#manage-sp-e....

Please let me know if this helps and leave a like if this helps, followups are appreciated.
Kudos
Ayushi

0 Kudos

Go to solution
run480
New Contributor II
In response to Ayushi_Suthar

‎02-09-2024 07:50 AM

Hi @Ayushi_Suthar , the service principal is a member of two groups: account users and users. According to the link you've provided, because the service principal is a member of the users group, it would have been granted the workspace-access entitlement by default.

Are you suggesting that the workspace admin might have removed the workspace-access entitlement at the users group level but forgot to grant it to the specific service principal?

 

Thanks,

Hung.

0 Kudos

Go to solution
Ayushi_Suthar
Honored Contributor
Honored Contributor
In response to run480

‎02-10-2024 04:22 AM

Hi @run480, it might be a chance that recently, the workspace admin removed the entitlement from the group due to which the service principal was failing with this error. 

Can you please check and confirm what the entitlements of those above-mentioned groups are? 

Kind Regards,

Ayushi

0 Kudos

Go to solution
Kaniz
Community Manager
Community Manager

‎02-06-2024 10:38 PM

Hey there! Thanks a bunch for being part of our awesome community! 🎉 

We love having you around and appreciate all your questions. Take a moment to check out the responses – you'll find some great info. Your input is valuable, so pick the best solution for you. And remember, if you ever need more help , we're here for you! 

Keep being awesome! 😊🚀

 

0 Kudos

Go to solution
Kaniz
Community Manager
Community Manager

‎02-12-2024 08:54 AM

Hey there! Thanks a bunch for being part of our awesome community! 🎉 

We love having you around and appreciate all your questions. Take a moment to check out the responses – you'll find some great info. Your input is valuable, so pick the best solution for you. And remember, if you ever need more help , we're here for you! 

Keep being awesome! 😊🚀

0 Kudos
Announcements
Welcome to Databricks Community: Lets learn, network and celebrate together

Join our fast-growing data practitioner and expert community of 80K+ members, ready to discover, help and collaborate together while making meaningful connections. 

Click here to register and join today! 

Engage in exciting technical discussions, join a group with your peers and meet our Featured Members.