Azure synapse Write access to spark pool not working

Chavi Gupta 121 Microsoft Employee

Hi,

I am trying to install a package from azure devops to a synapse spark pool. I am getting an error for my managed identity that it does not have authorization to perform action 'Microsoft.Synapse/workspaces/bigDataPools/write'.
The managed identity has 'Azure Service Deploy Release Management Contributor' role assigned in azure portal.

It also has the following role assignments in synapse studio-
Synapse Compute Operator, Synapse Administrator, Synapse Apache Spark Administrator, Synapse Artifact Publisher.

Why am I still getting the unauthorized error?

Accepted answer

Konstantinos Passadis 19,166 Reputation points MVP

2024-08-09T22:26:00.1666667+00:00

Hello @Chavi Gupta !

I can see that the issue is in Authorization

All the RBAC roles described here

https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-synapse-rbac-roles

DO not contain the 'Microsoft.Synapse/workspaces/bigDataPools/write role

My suggestion:

Create a new Custom Role and add this Permissions

Select start from scratch , ADD Permissions and find :

Assign the role to the Identity and retry !

--

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards
Please sign in to rate this answer.
Konstantinos Passadis 19,166 Reputation points MVP

2024-08-10T08:46:20.7066667+00:00

Ignore this!!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

5 additional answers

Konstantinos Passadis 19,166 Reputation points MVP

2024-08-09T23:57:18.06+00:00

Hello @Chavi Gupta !

I suppose this is what you did right ?

Kindly let us know !

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards
Please sign in to rate this answer.
Chavi Gupta 121 Reputation points Microsoft Employee

2024-08-10T04:35:28.9833333+00:00

Hello @Konstantinos Passadis ,

I don't recognize the steps from the screenshot above.
But what did finally work for me was the creation of a new custom role with the required permissions and resource group scope. I then assigned the IAM role in azure portal to the MI for the synapse resource.

Looks like something in the "Azure Service Deploy Release Management Contributor" is not working correctly which is why the permissions were not propagating through it! But the new custom role worked!

Just tried this out and it works!
Thanks for your help! :)

Chavi Gupta 121 Reputation points Microsoft Employee

2024-08-10T04:36:56.23+00:00

Btw curious as to what the above screenshot that you shared was from?

Konstantinos Passadis 19,166 Reputation points MVP

2024-08-10T08:49:56.62+00:00

Hello @Chavi Gupta !

Thank you

It is the Custom Role ! and the other is from Synapse Portal !

Glad you found it and thank you for Accepting !

Regards
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure synapse Write access to spark pool not working

5 additional answers

Your answer