Synapse notebook error

HariKrishna-7067 120 Reputation points
2023-06-05T14:02:44.41+00:00

My Synapse notebook's Spark session is configured to use a service principal to access the storage account.

When I run this notebook from a pipeline, I get this error:

Operation failed: "This request is not authorized to perform this operation using this permission.", 403

In the pipeline I am using the notebook activity to run the script.

As per the document, I have provided Storage Blob Data Contributor to access the storage account. What could be the reason for this error?

My second question: when I create the linked service with a service principal, the linked service works fine, but the notebook failed with the error below
: Status code: -1 error code: null error message: Auth failure: HTTP Error -1CustomTokenProvider getAccessToken threw java.io.IOException : POST failed with 'Bad Request' (400) and message: {"result":"DependencyError","errorId":"BadRequest","errorMessage":

Azure Synapse Analytics

Accepted answer
  1. Bhargava-MSFT 31,196 Reputation points Microsoft Employee
    2023-06-05T21:56:51.5166667+00:00

    Hello Hari Krishna
    Welcome to the MS Q&A platform.

    Synapse notebooks use Azure Active Directory (Azure AD) pass-through to access the ADLS Gen2 accounts. If you are running the notebook directly in Synapse, your account needs Storage Blob Data Contributor to access the ADLS Gen2 account (or folder).

    If you are running the notebook via the pipeline, the Synapse workspace managed service identity needs Storage Blob Data Contributor to access the ADLS Gen2 account (or folder).

    For your other question, the error message seems like there was an authentication failure when trying to access a resource.

    Please check if you provided the Storage Blob Data Contributor access.

    https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/using-the-workspace-msi-to-authenticate-a-synapse-notebook-when/ba-p/2330029

    Follow the above tech community article and run the code using the service principal.

    You can use either the managed identity or the service principal.

    Please try and let me know if you still have any issues further.

    1 person found this answer helpful.
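
The accepted answer's point (interactive runs use your own account, pipeline runs use the workspace managed identity) can be checked against a role-assignment export. This is an added example, not part of the answer or of any Microsoft tooling; it assumes records with the `principalId`, `roleDefinitionName` and `scope` fields that `az role assignment list` returns, and all IDs and resource names are constructed placeholders.

```python
REQUIRED_ROLE = "Storage Blob Data Contributor"  # role named in the accepted answer

def scope_covers(assignment_scope, target):
    """True if the assignment scope is the target itself or one of its ancestors."""
    a, t = assignment_scope.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")  # the "/" stops 'raw' matching 'raw2'

def effective_principal(run_mode, user_id, workspace_msi_id):
    """Interactive runs use the signed-in user; pipeline runs use the workspace MSI."""
    return {"interactive": user_id, "pipeline": workspace_msi_id}[run_mode]

def check_access(assignments, run_mode, user_id, workspace_msi_id, target):
    """Return (allowed, principal_id, roles that principal holds over target)."""
    pid = effective_principal(run_mode, user_id, workspace_msi_id)
    held = sorted({ra["roleDefinitionName"] for ra in assignments
                   if ra["principalId"].lower() == pid.lower()
                   and scope_covers(ra["scope"], target)})
    return REQUIRED_ROLE in held, pid, held

# Constructed sample data (placeholder subscription, names and object IDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/demolake"
RAW = ACCOUNT + "/blobServices/default/containers/raw"
CURATED = ACCOUNT + "/blobServices/default/containers/curated"
USER = "11111111-1111-1111-1111-111111111111"
MSI = "22222222-2222-2222-2222-222222222222"

SAMPLE = [
    # The user has the data role on the whole account: interactive runs work.
    {"principalId": USER, "roleDefinitionName": REQUIRED_ROLE, "scope": ACCOUNT},
    # Control-plane Contributor on the resource group grants no blob data access.
    {"principalId": MSI, "roleDefinitionName": "Contributor", "scope": RG},
    # The MSI has the data role on one container only.
    {"principalId": MSI, "roleDefinitionName": REQUIRED_ROLE, "scope": CURATED},
]

if __name__ == "__main__":
    for mode, target in [("interactive", RAW), ("pipeline", RAW), ("pipeline", CURATED)]:
        ok, pid, held = check_access(SAMPLE, mode, USER, MSI, target)
        print(f"{mode:11} {target.rsplit('/', 1)[-1]:8} principal={pid[:8]} "
              f"{'OK' if ok else 'expect 403'} roles={held}")
```

The check covers role assignments only; it does not model ACLs set on folders.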

3 additional answers

  1. Calvin Mwangi 5 Reputation points Student Ambassador
    2023-06-05T22:27:58.6233333+00:00

    Hi there @hari krishna
    The error you are encountering indicates that the request being made from your notebook or pipeline is not authorized to perform the operation with the given permission. There could be a few reasons for this:

    1. Insufficient or incorrect permissions: Double-check the permissions assigned to the service principal being used by your notebook or pipeline. Ensure that it has the necessary permissions.
    2. Role assignment not propagated: Sometimes, it may take some time for the role assignments to propagate fully. Ensure that sufficient time has passed since the role assignment was made.

    Regarding your second question, the error message suggests an authentication failure during the process of obtaining an access token for the service principal.

    • Azure AD configuration issues: Verify that the AAD application associated with the service principal has the necessary permissions and configurations for the desired access. Additionally, ensure that the AAD tenant is accessible and functioning properly.
    • Incorrect service principal credentials: Double-check that the service principal credentials (client ID, client secret, tenant ID) provided in the linked service configuration are accurate and match the corresponding Azure Active Directory (AAD) application.

    Also, you may want to review the detailed logs and error stack traces to identify any specific error codes or messages that could provide more insight into the cause of the issue.

    1 person found this answer helpful.

  2. M Leo 1 Reputation point
    2023-06-07T13:58:18.3766667+00:00

    One thing that is not mentioned in Microsoft's guides for setting up Synapse nor in most support responses is that Spark Pools cannot access firewall-enabled storage accounts. See:
    https://learn.microsoft.com/en-us/troubleshoot/azure/synapse-analytics/spark/spark-jobexec-storage-access#unsupported-scenarios


  3. M Leo 1 Reputation point
    2023-06-07T13:58:55.5766667+00:00

    duplicated answer

