
Not able to generate Access Token for Service Principal using rest API

akashsharma7119
Contributor

I am trying to generate a Databricks token for a service principal (SP). I have created the SP in Azure AD and have used the Databricks REST API to add it as an admin.

When using the Databricks REST API "/api/2.0/token-management/on-behalf-of/tokens" to create a token for this SP, I get this error: {"error_code":"FEATURE_DISABLED","message":"On-behalf-of token creation for service principals is not enabled for this workspace"}.

I have enabled personal access tokens in the Admin console and I've even gone to the extent of manually adding the SP to Admin permissions. I'm not sure what setting I can change in Databricks to enable this feature. Any help would be greatly appreciated.

Accepted Solutions

callumwhite
New Contributor III

Hi all,

I believe I found a temporary fix for this -

Generate an AAD token for the service principal in Azure. Follow this guide if you don't know how to -

https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/service-prin-aad-token

Then, using the Databricks API "token/create" endpoint, create a PAT token but use the Bearer token provided above. With this, you can control the lifespan of that PAT token for the service principal as it's controlled within Databricks, outside of the SCIM.

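The two calls described in the accepted solution above, as an added example that is not part of the original post or Databricks' own code. The function names, environment variable names, token comment and the 7-day default lifetime are assumptions made for illustration; the secret is read from the environment and the PAT itself is never printed.

```python
import json
import os
import urllib.parse
import urllib.request

# Azure AD application ID of the Azure Databricks resource (same in every tenant).
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"

def build_aad_token_request(tenant_id, client_id, client_secret):
    """Step 1: client-credentials request for an AAD token scoped to Databricks."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{DATABRICKS_RESOURCE_ID}/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=form, method="POST")

def build_pat_request(workspace_url, aad_token, lifetime_seconds, comment):
    """Step 2: token/create call, authenticated as the SP with its AAD token."""
    if lifetime_seconds <= 0:
        # A bounded lifetime limits exposure if the PAT leaks.
        raise ValueError("lifetime_seconds must be a positive number")
    body = json.dumps({"lifetime_seconds": lifetime_seconds, "comment": comment})
    return urllib.request.Request(
        f"{workspace_url.rstrip('/')}/api/2.0/token/create",
        data=body.encode(), method="POST",
        headers={"Authorization": f"Bearer {aad_token}",
                 "Content-Type": "application/json"})

def send(req):
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def create_sp_pat(workspace_url, tenant_id, client_id, client_secret,
                  lifetime_seconds=7 * 24 * 3600):
    aad = send(build_aad_token_request(tenant_id, client_id, client_secret))
    pat = send(build_pat_request(workspace_url, aad["access_token"],
                                 lifetime_seconds, "sp automation token"))
    return pat["token_value"], pat["token_info"]["expiry_time"]

if __name__ == "__main__":
    # Environment variable names below are assumptions for this example.
    token, expiry = create_sp_pat(
        os.environ["DATABRICKS_HOST"], os.environ["AZURE_TENANT_ID"],
        os.environ["AZURE_CLIENT_ID"], os.environ["AZURE_CLIENT_SECRET"])
    print("PAT created for the service principal; expiry (epoch ms):", expiry)
```

Store the returned token in a secret store rather than in job definitions, and schedule the script to run again before the expiry it reports.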

13 REPLIES

Sivaprasad1
Valued Contributor II

The `/on-behalf-of/tokens` API endpoint is not supported in Azure Databricks.

Please generate an AAD token as described in this article: https://docs.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/service-prin-aad-token

Hi @Sivaprasad C S,

Thanks for your answer, we are following AAD tokens only as a workaround.

The problem with the AAD token is that the lifetime is restricted to 1 hour; that's the sole reason we were looking forward to generating a permanent access token for the SP.

Is it possible to increase the lifespan of an AAD token during its generation?

karthik_p
Esteemed Contributor

@Akash Sharma the best way is to go with a managed identity instead of a service principal

Have some specific requirements, where we want to hit Databricks Jobs from outside services like PowerRunbook and all, that's where only Access Token can help I believe.
