
Comments (11)

matallanas avatar matallanas commented on May 18, 2024

I was trying to use a token created from the service principal but it is not working.
Do I have to generate a personal token to do it?

Thanks.

from azure.databricks.cicd.tools.

simondmorias avatar simondmorias commented on May 18, 2024

Can you post sample code of what you tried? I'm not sure I understand the problem.
Note that the first time a service principal connects it must Connect-Databricks with the ResourceGroup, Workspace Name, SubscriptionID & TenantId passed in (see the Readme).


matallanas avatar matallanas commented on May 18, 2024

What I was trying to do was the following:

Connect-Databricks -Region <LOCATION> -ApplicationId <APPLICATION_ID> -Secret <SECRET> -ResourceGroupName <RESOURCE_GROUP_NAME> -SubscriptionId <SUBSCRIPTION_ID> -WorkspaceName <DATABRICKS_NAME> -TenantId <TENANT_ID>

$token = New-DatabricksBearerToken -LifetimeSeconds 3600 -Comment "Secret Scope Creation"

Add-DatabricksSecretScope -Bearer $token -Region $location -ScopeName <SCOPE_NAME>  -AllUserAccess

But it is not working, so how can I create the secret scope in an automatic way?


simondmorias avatar simondmorias commented on May 18, 2024

What error do you get? That code looks good to me. Is your service principal a contributor on the resource?


simondmorias avatar simondmorias commented on May 18, 2024

Ah check what $token looks like. You might need to do $token.token_value.


matallanas avatar matallanas commented on May 18, 2024

Yeah, that works totally fine! :)
It was my fault, I didn't see that it gives a hashtable.
So, I put here the solution for anyone that tries the same:

Connect-Databricks -Region <LOCATION> -ApplicationId <APPLICATION_ID> -Secret <SECRET> -ResourceGroupName <RESOURCE_GROUP_NAME> -SubscriptionId <SUBSCRIPTION_ID> -WorkspaceName <DATABRICKS_NAME> -TenantId <TENANT_ID>

$token = New-DatabricksBearerToken -LifetimeSeconds 3600 -Comment "Secret Scope Creation"

Add-DatabricksSecretScope -Bearer $token.token_value -Region $location -ScopeName <SCOPE_NAME>  -AllUserAccess

Thank you very much for the help.

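Added example, not part of the original thread or of azure.databricks.cicd.tools: the fix above works because New-DatabricksBearerToken returns an object rather than a string. The hypothetical helper Get-BearerValue below accepts either shape and fails closed without echoing the token; the sample token is constructed.

```powershell
# Get-BearerValue is a hypothetical helper, not a cmdlet of azure.databricks.cicd.tools.
function Get-BearerValue {
    [CmdletBinding()]
    param(
        # A raw token string, or the object returned by New-DatabricksBearerToken.
        [Parameter(Mandatory)]
        [ValidateNotNull()]
        $Token
    )

    if ($Token -is [string]) {
        $value = $Token
    }
    elseif ($Token -is [System.Collections.IDictionary]) {
        # Hashtable shape, as reported in the thread.
        $value = $Token['token_value']
    }
    else {
        # Object shape, for example JSON deserialized to a PSCustomObject.
        $prop = $Token.PSObject.Properties['token_value']
        $value = if ($prop) { $prop.Value } else { $null }
    }

    if ([string]::IsNullOrWhiteSpace($value)) {
        # Report only the type, never the content, so nothing secret reaches the pipeline log.
        throw "No token_value found on input of type $($Token.GetType().FullName)."
    }
    return [string]$value
}

# Constructed sample in the shape described in the thread; the value is not a real token.
$token = @{
    token_value = 'dapi-constructed-example'
    token_info  = @{ comment = 'Secret Scope Creation' }
}

# Interpolating the hashtable itself yields its type name, not the token,
# which is why passing $token as the bearer value failed.
"Bearer $token"

# Extracting the string first gives a usable Authorization value.
"Bearer $(Get-BearerValue $token)"
```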

ratnakarsinha avatar ratnakarsinha commented on May 18, 2024

Hi, do we have an idea of how long it can take to be fixed? Using a bearer token would not work in a DevOps pipeline, as we wish not to create a new bearer token in each pipeline run.

Also, does this work for key vault backed scope?

Thanks.


simondmorias avatar simondmorias commented on May 18, 2024

Just an update on this. I've made a really simple repo. It seems to be a problem with the SP needing further AAD permissions. I have raised it with MS Support.

$TenantId=""
$ApplicationId=""
$Secret=""
$ResourceGroupName=""
$SubscriptionId=""
$WorkspaceName=""
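# Workspace host name without the scheme; "https://" is prepended below
$BaseURL = ""
# Name of the secret scope to create
$ScopeName = ""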

$URI = "https://login.microsoftonline.com/$TenantId/oauth2/token"
$BodyText="grant_type=client_credentials&client_id=$ApplicationId&resource=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d&client_secret=$Secret"
$DatabricksToken = Invoke-RestMethod -Method GET -Body $BodyText -Uri $URI -ContentType application/x-www-form-urlencoded

$URI = "https://login.microsoftonline.com/$TenantId/oauth2/token"
$BodyText="grant_type=client_credentials&client_id=$ApplicationId&resource=https://management.core.windows.net/&client_secret=$Secret"
$ManagementToken = Invoke-RestMethod -Method GET -Body $BodyText -Uri $URI -ContentType application/x-www-form-urlencoded

$Headers = @{
    "Authorization" = "Bearer $($DatabricksToken.access_token)"
    "X-Databricks-Azure-SP-Management-Token" = "$($ManagementToken.access_token)"
    "X-Databricks-Azure-Workspace-Resource-Id" = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Databricks/workspaces/$WorkspaceName"
}

# List Clusters works
Invoke-RestMethod -Method GET -URI "https://$BaseURL/api/2.0/clusters/list" -Headers $Headers

# List Secret Scopes works
Invoke-RestMethod -Method GET -URI "https://$BaseURL/api/2.0/secrets/scopes/list" -Headers $Headers


## Add a Secret Scope as per: https://docs.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/secrets#create-a-databricks-backed-secret-scope
# Returns  {"message":"Authentication is temporarily unavailable. Please try again later.","error_code":"TEMPORARILY_UNAVAILABLE"}
$body = @{}
$body['scope'] = $ScopeName
$body['initial_manage_principal'] = "users"
$BodyText = $Body | ConvertTo-Json -Depth 10
# Same host and scheme as the two GET calls above
Invoke-RestMethod -Method POST -Body $BodyText -Uri "https://$BaseURL/api/2.0/secrets/scopes/create" -Headers $Headers


aravish avatar aravish commented on May 18, 2024

I get the same thing, both for secrets scope create and secrets put call. What are we missing?

HTTP/1.1 503 Service Unavailable
retry-after: 60
content-length: 120
content-type: application/json
date: Mon, 02 Nov 2020 08:11:25 GMT
server: databricks
connection: close

{
"message": "Authentication is temporarily unavailable. Please try again later.",
"error_code": "TEMPORARILY_UNAVAILABLE"
}


simondmorias avatar simondmorias commented on May 18, 2024

Finally got confirmation from Microsoft regarding this. AAD Auth only works on secrets for users, not service principals. Currently these tools only support service principals (which is by design as they are for unattended scenarios).
It is on the backlog to be addressed - however I doubt that this will happen quickly.

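Added example, not part of the original thread or of the module: a bounded retry decision for the 503 response quoted above, so an unattended pipeline honours retry-after a few times and then fails with the cause confirmed in this thread instead of looping. Get-SecretsCallDecision, its retry budget and its delay cap are assumptions; the sample response is the one posted above.

```powershell
# Get-SecretsCallDecision is a hypothetical helper, not part of azure.databricks.cicd.tools.
function Get-SecretsCallDecision {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int] $StatusCode,
        [hashtable] $Headers = @{},
        [string] $Body = '',
        [Parameter(Mandatory)] [int] $Attempt,
        [int] $MaxAttempts = 3,          # assumed retry budget
        [int] $MaxDelaySeconds = 120     # assumed cap on a server-supplied delay
    )

    # Parse the error body defensively; a proxy may return something that is not JSON.
    $errorCode = $null
    try { $errorCode = ($Body | ConvertFrom-Json -ErrorAction Stop).error_code } catch { }

    if ($StatusCode -ne 503 -or $errorCode -ne 'TEMPORARILY_UNAVAILABLE') {
        return [pscustomobject]@{ Action = 'Fail'; DelaySeconds = 0
            Reason = "HTTP $StatusCode ($errorCode) is not handled by this retry policy." }
    }

    if ($Attempt -lt $MaxAttempts) {
        # Use retry-after only when it is a short run of digits; otherwise wait 60 seconds.
        $delay = 60
        $retryAfter = [string]$Headers['retry-after']
        if ($retryAfter -match '^\d{1,5}$') {
            $delay = [Math]::Min([int]$retryAfter, $MaxDelaySeconds)
        }
        return [pscustomobject]@{ Action = 'Retry'; DelaySeconds = $delay
            Reason = "Attempt $Attempt of $MaxAttempts returned TEMPORARILY_UNAVAILABLE." }
    }

    return [pscustomobject]@{ Action = 'Fail'; DelaySeconds = 0
        Reason = 'TEMPORARILY_UNAVAILABLE persisted on a secrets call. With AAD service principal ' +
                 'headers this is the unsupported case described in the thread, not an outage.' }
}

# Response values taken from the thread: status 503, retry-after header, JSON error body.
$headers = @{ 'retry-after' = '60' }
$body = '{"message":"Authentication is temporarily unavailable. Please try again later.","error_code":"TEMPORARILY_UNAVAILABLE"}'

# Walk through three attempts: two retry decisions, then a final failure with the explanation.
1..3 | ForEach-Object {
    Get-SecretsCallDecision -StatusCode 503 -Headers $headers -Body $body -Attempt $_
}
```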

faGH avatar faGH commented on May 18, 2024

It's been almost a year and no progress on this?

