MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Unable to grant read/list permission to Databricks service principal to KeyVault #65655

Closed subashsivaji closed 3 years ago

subashsivaji commented 3 years ago

As mentioned in the docs, I have Contributor permission on the xxxxx key vault, but I still get the error below when creating an Azure Key Vault-backed secret scope via the Azure Databricks UI.

Unable to grant read/list permission to Databricks service principal to KeyVault 'https://xxxxx.vault.azure.net/': Status code 403, {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"0f05b151-e87e-4427-9b4b-6219d1928ccf","date":"2020-11-06T13:51:33"}}

I even created a key vault access policy for the AzureDatabricks application (resource id 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d).


What more permissions do we need?

I see in some forum that the person who actually creates the key vault scope in the Azure Databricks UI must have permission in Azure AD to create a service principal. Is this true? If so, why are the docs not highlighting this?



himanshusinha-msft commented 3 years ago

Thanks for the ask. At this time we are reviewing the ask and we will reply back as soon as we can.

himanshusinha-msft commented 3 years ago

We have assigned the issue to the content author. They will evaluate & update the document as appropriate.

JosefinaArayaTapia commented 3 years ago

Do you have a solution?

dkataria1990 commented 3 years ago

I am also having the same issue. What is the resolution?

subashsivaji commented 3 years ago

The person who actually creates the key vault secret scope in the Azure Databricks UI must have permission in Azure Active Directory to create service principals. Either get that permission or ask a person who has that permission to create the secret scope in Azure Databricks on your behalf. I went for the latter option.

This issue is still open because the documentation doesn't explicitly/clearly state this. Not every person who works on Azure Databricks will have Azure AD permission to create a service principal.

dkataria1990 commented 3 years ago

That solution is not ideal. Is this possible to do via Terraform on provisioning? I have access to an SPN which has Contributor access, so I will be able to run pipelines or CLI commands etc. I have manually granted key vault permission to other managed identities; however, Databricks only seems to have an enterprise application, and when I grant this key vault access (get, list), I get the same error when creating a scope.

leifbro commented 3 years ago

Created a Databricks doc ticket: https://databricks.atlassian.net/browse/DOC-2242

leifbro commented 3 years ago

From a docs perspective, this issue was resolved in our latest update to https://docs.microsoft.com/en-us/azure/databricks/security/secrets/secret-scopes#create-an-azure-key-vault-backed-secret-scope-using-the-databricks-cli. If there's anything more we can do in the doc, please let us know.

please-close

vincent-yeah commented 3 years ago

Hi, I have the same issue if I try to create a new Key Vault-backed secret scope in Databricks with an SPN. I log in to Azure with the SPN credentials, generate bearer and management tokens and use the REST API to create the Key Vault-backed secret scope. The SPN has the allowed API permissions, granted consent and the Owner role in Databricks and Key Vault. But that's the error: { "error_code": "CUSTOMER_UNAUTHORIZED", "message": "Unable to grant read/list permission to Databricks service principal to KeyVault 'https://keyvault-databricks-demo.vault.azure.net/': key not found: https://graph.windows.net/" } Is there any solution? Or is it only possible with a user access token, so there is no change that makes it work with SPN access tokens?

byronbayer commented 2 years ago

I am having the same issue as @vincent-yeah. I get "Unable to grant read/list permission to Databricks service principal to KeyVault 'https://mykvname.vault.azure.net/': key not found: https://management.core.windows.net/"

ebibibi commented 2 years ago

I have the same issue.

RachidAZ commented 2 years ago

Anybody know the name of the service principal created behind the scenes? It doesn't look like it's the AzureDatabricks enterprise app. Thanks.

MiguelElGallo commented 1 year ago

Hello, any suggestions on how to overcome this? Thanks!

RachidAZ commented 1 year ago

@MiguelElGallo What message are you getting? Make sure the key vault networking settings are whitelisting your cluster.

MiguelElGallo commented 1 year ago

@RachidAZ Using the API or CLI (latest version) I get:

{"error_code":"CUSTOMER_UNAUTHORIZED","message":"Unable to grant read/list permission to Databricks service principal to KeyVault 'https://<keyvault-name>.vault.azure.net/':

when using a Service Principal.

If I use my user account (login opens a browser window) it works for both the CLI and the API.

I found the exact same case in this [repo/file](https://github.com/Azure-Samples/virtual-network-integration-recipes/blob/d4e65885892241fc95c164275738cdacf4130dc1/src/az-databricks/deploy/scripts/manage-databricks-secret-scope.sh#L106)

Thanks!

RachidAZ commented 1 year ago

@MiguelElGallo

"You need an Azure AD user token to create an Azure Key Vault-backed secret scope with the Databricks CLI. You cannot use an Azure Databricks personal access token or an Azure AD application token that belongs to a service principal."

https://learn.microsoft.com/en-us/azure/databricks/security/secrets/secret-scopes#create-an-azure-key-vault-backed-secret-scope-using-the-databricks-cli
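A pre-flight check for the gotcha this thread keeps hitting, added here as an example that is not from the issue, the linked sample repo or Microsoft's docs: it inspects the Azure AD token's claims before calling the Databricks secrets API and refuses a service principal token, which would only fail later with CUSTOMER_UNAUTHORIZED. The claim heuristic (a delegated user token carries `scp` plus `upn`/`unique_name`; a client-credentials token carries neither) is an assumption, and the sample tokens are constructed, unsigned and for offline testing only.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Inspection only: Databricks, not this code, decides whether to trust it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def is_delegated_user_token(claims: dict) -> bool:
    """Assumption: an Azure AD delegated (user) token carries 'scp' and a
    'upn' or 'unique_name' claim; an app-only token issued to a service
    principal via client credentials carries neither."""
    return "scp" in claims and ("upn" in claims or "unique_name" in claims)


def create_scope_body(scope: str, kv_resource_id: str, kv_dns_name: str) -> dict:
    """Request body for POST /api/2.0/secrets/scopes/create with a Key Vault backend."""
    return {
        "scope": scope,
        "scope_backend_type": "AZURE_KEYVAULT",
        "backend_azure_keyvault": {"resource_id": kv_resource_id, "dns_name": kv_dns_name},
    }


def preflight(token: str, scope: str, kv_resource_id: str, kv_dns_name: str) -> dict:
    """Build the create-scope request only if the token can actually work."""
    if not is_delegated_user_token(jwt_claims(token)):
        raise PermissionError(
            "Key Vault-backed scope creation needs an Azure AD user token; "
            "a service principal (app-only) token fails with CUSTOMER_UNAUTHORIZED")
    return create_scope_body(scope, kv_resource_id, kv_dns_name)


def unsigned_token(claims: dict) -> str:
    """Constructed JWT with a dummy signature, for offline tests only (never send it)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"
```

Run the check against the token you would pass as the bearer token; when it passes, send the returned body to the secrets API with that same token.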