Databricks using Service Principal to access ADLS with 403 error

Question

My organization has two Databricks workspaces in the same tenant: workspace A and workspace B.

In workspace A the following code uses Service Principal X and successfully authenticates against Container Y in Storage Account Z

If I run exactly the same code in workspace B, the following error pops up:

Operation failed: "This request is not authorized to perform this operation.", 403, GET, https://dzot.dfs.core.windows.net/curated?upn=false&resource=filesystem&maxResults=5000&directory=analytics&timeout=90&recursive=false, AuthorizationFailure, "This request is not authorized to perform this operation. RequestId:d354gsd3-2516-708d-3dad-cc3429506000 Time:2022-11-25T16:49:55.9537035Z"

All the answers to similar questions to this one recommend granting Storage Data Blob Contributor to the Service Principal. But in this case the issue is not with the Service Principal. Why can the Service Principal authenticate a connection in Workspace A but not in Workspace B?

Answer 1

Hello @Gonzalo Melosevich Fernandez ,

Thanks for the question and using MS Q&A platform.

As per the repro, I'm able to run the same code in multiple workpaces without any issue.

Workspace One:

Workspace Two:

You may experience this error message due to following reasons:

Due to passing invalid path or spelling mistakes in the path or due to missing permissions.

Hope this will help. Please let us know if any further queries.

------------------------------

• Please don't forget to click on or upvote button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how
• Want a reminder to come back and check responses? Here is how to subscribe to a notification
• If you are interested in joining the VM program and help shape the future of Q&A: Here is jhow you can be part of Q&A Volunteer Moderators