03-21-2023 07:35 AM
I am trying to generate a Databricks token for a service principal (SP). I have created the SP in Azure AD and have used the Databricks REST API to add it as an admin.
When using the Databricks REST API "/api/2.0/token-management/on-behalf-of/tokens" to create a token for this SP, I get this error: {"error_code":"FEATURE_DISABLED","message":"On-behalf-of token creation for service principals is not enabled for this workspace"}.
I have enabled personal access tokens in the Admin console and I've even gone to the extent of manually adding the SP to Admin permissions. I'm not sure what setting I can change in Databricks to enable this feature. Any help would be greatly appreciated.
04-03-2023 02:37 AM
Hi all,
I believe I found a temporary fix for this -
Generate an AAD token for the service principal in Azure. Follow this guide if you don't know how to -
https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/service-prin-aad-token
Then using the Databricks API "token/create" endpoint, create a PAT token but use the Bearer token provided above. With this, you can control the lifespan of that PAT token for the service principal as it's controlled within Databricks, outside of the SCIM.
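The two-step workaround described in the post above, as an added example that is not part of the original thread. The function names, the injectable `send` transport, and the 90-day lifetime cap are assumptions made for illustration; the tenant, client, and workspace values are supplied by the caller.

```python
import json
import urllib.parse
import urllib.request

# Azure AD application ID of the Azure Databricks resource (fixed, documented value).
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"
MAX_LIFETIME_SECONDS = 90 * 24 * 3600  # assumed local policy cap, not a Databricks limit


def aad_token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials request for a short-lived AAD token for the SP."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{DATABRICKS_RESOURCE_ID}/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=form, method="POST")


def pat_create_request(workspace_url, aad_token, lifetime_seconds, comment):
    """Build the token/create call, authenticated as the SP with its AAD token."""
    if not 0 < lifetime_seconds <= MAX_LIFETIME_SECONDS:
        raise ValueError("PAT lifetime must be bounded; refusing an unbounded token")
    body = json.dumps({"lifetime_seconds": lifetime_seconds, "comment": comment}).encode()
    req = urllib.request.Request(
        f"{workspace_url.rstrip('/')}/api/2.0/token/create", data=body, method="POST")
    req.add_header("Authorization", f"Bearer {aad_token}")
    req.add_header("Content-Type", "application/json")
    return req


def create_sp_pat(send, tenant_id, client_id, client_secret, workspace_url,
                  lifetime_seconds, comment):
    """Run both steps; `send` takes a Request and returns the parsed JSON reply."""
    aad = send(aad_token_request(tenant_id, client_id, client_secret))["access_token"]
    reply = send(pat_create_request(workspace_url, aad, lifetime_seconds, comment))
    # Hand the secret to the caller for storage in a vault; never log token_value.
    return reply["token_value"], reply["token_info"]["expiry_time"]


def http_send(req):
    """Real transport: perform the HTTPS call and decode the JSON response."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Pass `http_send` as `send` for a live call, with the client secret read from a secret store rather than hard-coded.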
03-21-2023 10:24 AM
The `/on-behalf-of/tokens` API endpoint is not supported in Azure Databricks.
Please generate an AAD token as described in this article: https://docs.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/service-prin-aad-token
03-21-2023 10:29 AM
Hi @Sivaprasad C S,
Thanks for your answer, we are following AAD tokens only as a workaround.
The problem with the AAD token is that the lifetime is restricted to 1 hour; that's the sole reason we were looking forward to generating a permanent access token for the SP.
Is it possible to increase the lifespan of an AAD token when generating it?
03-22-2023 09:28 AM
@Akash Sharma, the best way is to go with a managed identity instead of a service principal.
03-22-2023 10:05 AM
We have some specific requirements where we want to hit Databricks Jobs from outside services like PowerRunbook and all; that's where only an access token can help, I believe.