Azure Synapse write access to Spark pool not working

Chavi Gupta 121 Reputation points Microsoft Employee
2024-08-09T22:12:32.2766667+00:00

Hi,

I am trying to install a package from Azure DevOps to a Synapse Spark pool. I am getting an error for my managed identity that it does not have authorization to perform action 'Microsoft.Synapse/workspaces/bigDataPools/write'.
The managed identity has the 'Azure Service Deploy Release Management Contributor' role assigned in the Azure portal.

It also has the following role assignments in Synapse Studio:
Synapse Compute Operator, Synapse Administrator, Synapse Apache Spark Administrator, Synapse Artifact Publisher.

Why am I still getting the unauthorized error?


Accepted answer
  1. Konstantinos Passadis 19,081 Reputation points MVP
    2024-08-09T22:26:00.1666667+00:00

    Hello @Chavi Gupta !

    I can see that the issue is in Authorization

    All the RBAC roles described here

    https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-synapse-rbac-roles

    do not contain the 'Microsoft.Synapse/workspaces/bigDataPools/write' role

    My suggestion:

    Create a new Custom Role and add this permission

    Select start from scratch, Add Permissions and find:

    Assign the role to the Identity and retry!

    --

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


5 additional answers

  1. Chavi Gupta 121 Reputation points Microsoft Employee
    2024-08-09T22:44:29.9833333+00:00

    Hi @Konstantinos Passadis ,

    Thank you for your response! You're right that the Synapse RBAC roles defined don't have the permission. However, these are the only available roles in Synapse Studio and there is no way to create additional roles. The Azure portal does have a role (Azure Service Deploy Release Management Contributor) with the required permission (see screenshot), so there doesn't seem to be a need to create the custom role.
    However, the IAM roles in the Azure portal don't seem to be working in Synapse Studio.
    Is there something that I am missing?


  2. Konstantinos Passadis 19,081 Reputation points MVP
    2024-08-09T22:50:13.14+00:00

    Hello @Chavi Gupta !

    I think I know the issue

    Can you try assigning the Synapse Contributor role from the Synapse Workspace?

    Also, the RBAC roles do affect the Workspace at the Azure level

    In fact the Spark Pool is a managed Pool that resides on Azure ultimately

    The Synapse roles however offer a more direct approach to your workspace than in general from RBAC

    The selection is always up to you based on your needs!

    Let's try the role and tell us!

    --

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


  3. Konstantinos Passadis 19,081 Reputation points MVP
    2024-08-09T23:15:07.3633333+00:00

    Hello @Chavi Gupta !

    My suggestion is this:

    Remove all roles from the Workspace and add ONLY the Synapse Contributor

    Wait a couple of minutes and retry

    In case you get the SAME error, create a new role as I displayed earlier on Azure for this Managed Identity, on the Resource Group scope and in the Managed Resource Group scope. It is important to do both for troubleshooting!

    Be patient, it may need some time for proper propagation!

    We may also need to enable Audit for Synapse, but we will see

    Let us know the results!

    --

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
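
Added example, not part of any answer in this thread: a small Python checker for the two things the answers above ask you to verify, whether any Azure role assignment actually contains `Microsoft.Synapse/workspaces/bigDataPools/write` and whether its scope covers the Spark pool. The subscription, resource group, workspace, pool and custom role names are constructed placeholders, and the model is a simplified assumption (Actions minus NotActions, inherited by child scopes, Synapse Studio roles treated as a separate plane, deny assignments ignored).

```python
import fnmatch

# Constructed sample identifiers; none come from the original thread.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-analytics"
POOL = RG + "/providers/Microsoft.Synapse/workspaces/ws-example/bigDataPools/pool1"
ACTION = "Microsoft.Synapse/workspaces/bigDataPools/write"

def matches(patterns, action):
    # Action strings are compared case-insensitively and may use '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def in_scope(scope, resource_id):
    # An assignment applies at its own scope and at every child scope.
    scope, rid = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return rid == scope or rid.startswith(scope + "/")

def explain(assignments, resource_id, action):
    """Return (allowed, reasons). Deny assignments and conditions are ignored."""
    allowed, reasons = False, []
    for a in assignments:
        if a["plane"] != "azure":
            reasons.append(f"{a['role']}: Synapse Studio role, not an Azure role assignment")
        elif not in_scope(a["scope"], resource_id):
            reasons.append(f"{a['role']}: scope does not cover the resource")
        elif not matches(a["actions"], action):
            reasons.append(f"{a['role']}: no matching Actions entry")
        elif matches(a.get("not_actions", []), action):
            reasons.append(f"{a['role']}: excluded by NotActions")
        else:
            allowed = True
            reasons.append(f"{a['role']}: grants the action")
    return allowed, reasons

# Hypothetical custom role holding only the action from the error message.
CUSTOM = {"role": "Spark Pool Writer (custom)", "plane": "azure", "actions": [ACTION]}

BEFORE = [  # constructed assignments for one managed identity
    {"role": "Synapse Administrator", "plane": "synapse", "scope": RG, "actions": []},
    {"role": "Reader-like role", "plane": "azure", "scope": RG, "actions": ["*/read"]},
    dict(CUSTOM, scope=SUB + "/resourceGroups/rg-other"),
]
AFTER = BEFORE + [dict(CUSTOM, scope=RG)]

if __name__ == "__main__":
    for name, rows in (("before", BEFORE), ("after", AFTER)):
        ok, why = explain(rows, POOL, ACTION)
        print(name, "allowed" if ok else "denied")
        for line in why:
            print("  -", line)
```

Feed it the real assignments for the identity (role Actions/NotActions and scope) to see which row, if any, grants the write action before changing roles.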


  4. Konstantinos Passadis 19,081 Reputation points MVP
    2024-08-09T23:27:05.0466667+00:00

    Hello @Chavi Gupta !

    Thanks for your input

    Have a look at this excellent post with the table of roles:

    https://datasimantics.com/2022/07/27/synapse-permissions-from-a-different-perspective/


    --

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
