Grant only one user access to storage account from a shared Databricks workspace

Mattias Jorstedt 20 Reputation points
2023-03-23T09:41:23.1433333+00:00

I have a user on a Databricks workspace that I want to allow to read data from a storage account: sto-limited-access. I do not want any of the other users on that workspace to be able to read the data. From all I have read I have not found any good solutions to this. The Databricks workspace seems to be one identity and you cannot identify as a user when trying to access a storage account, for example. I have tried to get access to a personal token in a notebook, using for example azure.identity and InteractiveBrowserCredential, but that does not work. I do not want to paste a token that I have retrieved locally into the notebook.

Do you have some solution that would allow one user in a shared Databricks workspace to access data from a storage account without other users of that workspace getting access to it?

Best regards,
Mattias


1 answer

  1. Mattias Jorstedt 20 Reputation points
    2023-03-24T09:47:30.38+00:00

    I found a way using DeviceCodeCredential. This will allow you to manually create a token with the identity of the user logged in to the Databricks workspace and using the notebook.

    from azure.identity import DeviceCodeCredential
    from azure.storage.blob import BlobServiceClient

    # Placeholders: your Azure AD tenant id and the account URL, e.g. "https://<account>.blob.core.windows.net"
    tenant_id = "<your tenant id>"
    credential = DeviceCodeCredential(tenant_id=tenant_id)  # prompts with a device code on first use
    blob_service_client = BlobServiceClient(account_url="<your blob storage>", credential=credential)

    This will print out a webpage where you will need to paste a code printed out to verify your identity. You can then use this credential to access a blob storage that is otherwise blocked for the workspace. You will not be able to automate using this method, but it can allow you to get access to resources outside the permissions of the Databricks workspace.
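An added example, not code from the original post, building on the DeviceCodeCredential approach above: it routes the device-code prompt into the notebook output, requests a token scoped only to Azure Storage, and decodes (without verifying) the token's claims so the user can confirm the request will go out under their own identity rather than the workspace's, before listing a container as that user. The function names, the storage scope constant and the account URL, tenant id and container arguments are assumptions; the credential is held only in the notebook process and never written to DBFS or a mount.

```python
import base64
import json

# Azure AD resource scope for Azure Storage (assumed constant name; value is the standard storage scope)
STORAGE_SCOPE = "https://storage.azure.com/.default"


def decode_token_claims(access_token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying its signature.

    Only for showing the caller which identity a token carries; never use the
    result to make an access decision, since unverified claims can be forged."""
    try:
        payload_b64 = access_token.split(".")[1]
    except IndexError:
        raise ValueError("not a JWT: expected header.payload.signature") from None
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def describe_token_identity(access_token: str) -> dict:
    """Pull out the three claims worth checking in a shared workspace:
    who the token is for, which resource it is for, and when it expires."""
    claims = decode_token_claims(access_token)
    return {
        "user": claims.get("upn") or claims.get("preferred_username") or claims.get("appid"),
        "audience": claims.get("aud"),
        "expires_at": claims.get("exp"),
    }


def list_blobs_as_me(account_url: str, tenant_id: str, container: str) -> list:
    """Authenticate interactively as the notebook user and list one container.

    Other users of the workspace never see this credential: it lives in this
    Python session only, and each user must complete their own device-code prompt."""
    from azure.identity import DeviceCodeCredential  # SDK imports kept local: helpers above need no SDK
    from azure.storage.blob import BlobServiceClient

    credential = DeviceCodeCredential(
        tenant_id=tenant_id,
        # Show the verification URL and code in the notebook output instead of stderr
        prompt_callback=lambda url, code, _expires: print(f"Open {url} and enter code {code}"),
    )
    token = credential.get_token(STORAGE_SCOPE)  # triggers the prompt on first call
    print("acting as:", describe_token_identity(token.token))
    client = BlobServiceClient(account_url=account_url, credential=credential)
    return [blob.name for blob in client.get_container_client(container).list_blobs()]
```

If the signed-in user lacks a data-plane role such as Storage Blob Data Reader on the account, the listing fails with a 403 even though the prompt succeeded, which is the intended outcome for everyone else in the workspace.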