What permission do I need on Azure Key Vault to resolve the DatabricksServiceHttpClientException access issue?

Sarvesh Pandey 71 Reputation points
2023-10-19T14:10:31.92+00:00

Hi,

I am facing an issue while accessing data from ADLS through Databricks. I have created an Application, a Key Vault, and Scoped credentials, but some permission is missing which I am not able to track down.

Error msg -

'
com.databricks.common.client.DatabricksServiceHttpClientException: PERMISSION_DENIED: Invalid permissions on the specified KeyVault https://olympvalut.vault.azure.net/. Wrapped Message: Status code 403, "{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: name=AzureDatabricks;appid=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d;oid=cee8a469-6f49-4ac5-8b84-8ecbec2a93b6;iss=https://sts.windows.net/3792f008-c438-4dbb-82e0-34399e08f3fb/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/1ca7f5ec-ad9e-4a2c-8e9d-fb6d95e81239/resourcegroups/tokyoolymp/providers/microsoft.keyvault/vaults/olympvalut/secrets/databricksolymopic'\r\nAssignment: (not found)\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: olympValut;location=eastus\r\n","innererror":{"code":"ForbiddenByRbac"}}}"'

Please let me know what permission I am missing.

I have assigned the IAM role Key Vault Administration, and my ID has the Contributor role.

What is the impact of RBAC in Key Vault?

Tags: Azure Key Vault, Azure Data Lake Storage, Azure Databricks, Microsoft Entra ID

1 answer

  1. JimmySalian-2011 42,511 Reputation points
    2023-10-19T17:48:35.4466667+00:00

    Hi Sarvesh,

    It seems you are missing the Service Principal permissions. If you are using Vault access policy, make sure that you have added a policy for your service principal with the necessary permissions under the Access Policies section of your key vault. The permissions are missing from the Identity blade and you will need to add them via the Portal. Please check the solution over here and it should assist you: https://stackoverflow.com/questions/76642169/permission-denied-invalid-permissions-on-the-specified-keyvault

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.
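
An added example, not part of the original question or answer: a Python sketch that parses the 403 message quoted in the question to show which principal was denied (the `AzureDatabricks` application rather than the asker's own ID), which data action it lacked, and the vault-level scope a role assignment would apply to. The function names and the choice of the built-in `Key Vault Secrets User` role are assumptions of this example; the `ForbiddenByRbac` inner code is what a vault returns when it evaluates the request under Azure RBAC.

```python
import re

# Excerpt of the 403 body posted in the question; "\r\n" is literal text in it.
SAMPLE_ERROR = (
    r"Caller is not authorized to perform action on resource.\r\n"
    r"Caller: name=AzureDatabricks;appid=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d;"
    r"oid=cee8a469-6f49-4ac5-8b84-8ecbec2a93b6;"
    r"iss=https://sts.windows.net/3792f008-c438-4dbb-82e0-34399e08f3fb/\r\n"
    r"Action: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\n"
    r"Resource: '/subscriptions/1ca7f5ec-ad9e-4a2c-8e9d-fb6d95e81239/resourcegroups/"
    r"tokyoolymp/providers/microsoft.keyvault/vaults/olympvalut/secrets/databricksolymopic'\r\n"
    r"Assignment: (not found)\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\n"
    r'Vault: olympValut;location=eastus\r\n","innererror":{"code":"ForbiddenByRbac"}}}'
)

# Built-in role whose data actions include secrets/getSecret/action (chosen for this example).
READ_ROLE = "Key Vault Secrets User"

def parse_kv_denial(text):
    """Return the 'Key: value' fields of a Key Vault 403 message as a dict."""
    fields = {}
    for line in re.split(r"\\r\\n|\r?\n", text):
        key, sep, value = line.partition(": ")
        if sep and key.isalpha():
            fields[key.lower()] = value.strip().strip("'")
    # The Caller line is itself a ';'-separated list of name=value pairs.
    fields["caller"] = dict(p.split("=", 1) for p in fields.get("caller", "").split(";") if "=" in p)
    inner = re.search(r'"innererror":\{"code":"(\w+)"', text)
    fields["inner_code"] = inner.group(1) if inner else None
    return fields

def diagnose(text):
    """Summarise who was denied, for what, and where a role assignment would apply."""
    f = parse_kv_denial(text)
    return {
        "principal_name": f["caller"].get("name"),
        "principal_oid": f["caller"].get("oid"),
        "denied_action": f.get("action"),
        # Vault-level scope: the secret's resource ID without "/secrets/<name>".
        "vault_scope": f.get("resource", "").split("/secrets/")[0],
        "denied_by_rbac": f["inner_code"] == "ForbiddenByRbac",
        "has_assignment": f.get("assignment") != "(not found)",
    }

def az_command(d):
    """Build (not run) the Azure CLI call granting READ_ROLE to the denied principal."""
    return (f'az role assignment create --assignee-object-id {d["principal_oid"]} '
            f'--assignee-principal-type ServicePrincipal --role "{READ_ROLE}" '
            f'--scope {d["vault_scope"]}')
```

Calling `az_command(diagnose(SAMPLE_ERROR))` returns the command string for review; nothing is executed against Azure.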

