Comments (11)
I was trying to use a token created from the service principal but it is not working.
Do I have to generate a personal token to do it?
Thanks.
from azure.databricks.cicd.tools.
Can you post sample code of what you tried? I'm not sure I understand the problem.
Note that the first time a service principal connects it must Connect-Databricks with the ResourceGroup, Workspace Name, SubscriptionID & TenantId passed in (see the Readme).
from azure.databricks.cicd.tools.
What I was trying to do was the following:
Connect-Databricks -Region <LOCATION> -ApplicationId <APPLICATION_ID> -Secret <SECRET> -ResourceGroupName <RESOURCE_GROUP_NAME> -SubscriptionId <SUBSCRIPTION_ID> -WorkspaceName <DATABRICKS_NAME> -TenantId <TENANT_ID>
$token = New-DatabricksBearerToken -LifetimeSeconds 3600 -Comment "Secret Scope Creation"
Add-DatabricksSecretScope -Bearer $token -Region $location -ScopeName <SCOPE_NAME> -AllUserAccess
But it is not working, so how can I create the secret scope in an automatic way?
from azure.databricks.cicd.tools.
What error do you get? That code looks good to me. Is your service principal a contributor on the resource?
from azure.databricks.cicd.tools.
Ah check what $token looks like. You might need to do $token.token_value.
from azure.databricks.cicd.tools.
Yeah, that works totally fine! :)
It was my fault, I didn't see that it gives a hashtable.
So, I put here the solution for anyone that tries the same:
Connect-Databricks -Region <LOCATION> -ApplicationId <APPLICATION_ID> -Secret <SECRET> -ResourceGroupName <RESOURCE_GROUP_NAME> -SubscriptionId <SUBSCRIPTION_ID> -WorkspaceName <DATABRICKS_NAME> -TenantId <TENANT_ID>
$token = New-DatabricksBearerToken -LifetimeSeconds 3600 -Comment "Secret Scope Creation"
Add-DatabricksSecretScope -Bearer $token.token_value -Region $location -ScopeName <SCOPE_NAME> -AllUserAccess
Thank you very much for the help.
from azure.databricks.cicd.tools.
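Added example (not part of the original thread and not the module's own code): the workaround above done with direct REST calls. It creates a short-lived token, passes its `token_value` to the secrets call, and revokes the token afterwards so repeated pipeline runs do not accumulate live tokens. `New-ScopeWithTemporaryToken`, `$BaseUrl` and `$AadHeaders` are hypothetical names; the endpoints are the Databricks `token/create`, `token/delete` and `secrets/scopes/create` REST calls.

```powershell
# Added example. Assumptions: $BaseUrl is the workspace host name and $AadHeaders is
# a hashtable of service principal AAD headers (Authorization plus the two
# X-Databricks-Azure-* headers) that the workspace already accepts.
function New-ScopeWithTemporaryToken {
    param(
        [Parameter(Mandatory)] [string]    $BaseUrl,
        [Parameter(Mandatory)] [hashtable] $AadHeaders,
        [Parameter(Mandatory)] [string]    $ScopeName,
        [int] $LifetimeSeconds = 600   # keep the token lifetime as short as the job allows
    )
    $api = "https://$BaseUrl/api/2.0"

    # 1. Create a short-lived token using the service principal's AAD headers.
    $create = @{ lifetime_seconds = $LifetimeSeconds; comment = 'Secret Scope Creation' } | ConvertTo-Json
    $pat = Invoke-RestMethod -Method POST -Uri "$api/token/create" -Headers $AadHeaders `
        -Body $create -ContentType 'application/json'

    # The response is an object, not a string: the bearer value is in token_value
    # and the id needed for revocation is in token_info.token_id.
    if ($pat.token_value -isnot [string] -or -not $pat.token_info.token_id) {
        throw 'token/create did not return token_value and token_info.token_id'
    }
    $patHeaders = @{ Authorization = "Bearer $($pat.token_value)" }

    try {
        # 2. Call the secrets API with the token instead of the AAD headers.
        $scope = @{ scope = $ScopeName; initial_manage_principal = 'users' } | ConvertTo-Json
        Invoke-RestMethod -Method POST -Uri "$api/secrets/scopes/create" -Headers $patHeaders `
            -Body $scope -ContentType 'application/json' | Out-Null
    }
    finally {
        # 3. Revoke the token even when step 2 throws, so nothing outlives the run.
        $delete = @{ token_id = $pat.token_info.token_id } | ConvertTo-Json
        Invoke-RestMethod -Method POST -Uri "$api/token/delete" -Headers $patHeaders `
            -Body $delete -ContentType 'application/json' | Out-Null
    }
}
```

The function never writes `token_value` to the output stream, which keeps it out of pipeline logs.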
Hi, do we have an idea of how long it can take to be fixed? Using a bearer token would not work in a DevOps pipeline, as we wish not to create a new bearer token in each pipeline run.
Also, does this work for key vault backed scope?
Thanks.
from azure.databricks.cicd.tools.
Just an update on this. I've made a really simple repo. It seems to be a problem with the SP needing further AAD permissions. I have raised it with MS Support.
$TenantId=""
$ApplicationId=""
$Secret=""
$ResourceGroupName=""
$SubscriptionId=""
$WorkspaceName=""
$BaseURL = ""
$URI = "https://login.microsoftonline.com/$TenantId/oauth2/token"
$BodyText="grant_type=client_credentials&client_id=$ApplicationId&resource=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d&client_secret=$Secret"
$DatabricksToken = Invoke-RestMethod -Method GET -Body $BodyText -Uri $URI -ContentType application/x-www-form-urlencoded
$URI = "https://login.microsoftonline.com/$TenantId/oauth2/token"
$BodyText="grant_type=client_credentials&client_id=$ApplicationId&resource=https://management.core.windows.net/&client_secret=$Secret"
$ManagementToken = Invoke-RestMethod -Method GET -Body $BodyText -Uri $URI -ContentType application/x-www-form-urlencoded
$Headers = @{
"Authorization" = "Bearer $($DatabricksToken.access_token)"
"X-Databricks-Azure-SP-Management-Token" = "$($ManagementToken.access_token)"
"X-Databricks-Azure-Workspace-Resource-Id" = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Databricks/workspaces/$WorkspaceName"
}
# List Clusters works
Invoke-RestMethod -Method GET -URI "https://$BaseURL/api/2.0/clusters/list" -Headers $Headers
# List Secret Scopes works
Invoke-RestMethod -Method GET -URI "https://$BaseURL/api/2.0/secrets/scopes/list" -Headers $Headers
## Add a Secret Scope as per: https://docs.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/secrets#create-a-databricks-backed-secret-scope
# Returns {"message":"Authentication is temporarily unavailable. Please try again later.","error_code":"TEMPORARILY_UNAVAILABLE"}
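# $ScopeName was not defined in the snippet; set it alongside the other placeholders
$ScopeName = ""
$body = @{}
$body['scope'] = $ScopeName
$body['initial_manage_principal'] = "users"
$BodyText = $body | ConvertTo-Json -Depth 10
# Same https:// prefix as the two GET calls above
Invoke-RestMethod -Method POST -Body $BodyText -Uri "https://$BaseURL/api/2.0/secrets/scopes/create" -Headers $Headers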
from azure.databricks.cicd.tools.
I get the same thing, both for secrets scope create and secrets put call. What are we missing?
HTTP/1.1 503 Service Unavailable
retry-after: 60
content-length: 120
content-type: application/json
date: Mon, 02 Nov 2020 08:11:25 GMT
server: databricks
connection: close
{
"message": "Authentication is temporarily unavailable. Please try again later.",
"error_code": "TEMPORARILY_UNAVAILABLE"
}
from azure.databricks.cicd.tools.
Finally got confirmation from Microsoft regarding this. AAD Auth only works on secrets for users, not service principals. Currently these tools only support service principals (which is by design as they are for unattended scenarios).
It is on the backlog to be addressed - however I doubt that this will happen quickly.
from azure.databricks.cicd.tools.
It's been almost a year and no progress on this?
from azure.databricks.cicd.tools.