Does Airflow on ADF (Managed Workflow Orchestration) require Data Factory Contributor role with AAD?

Alex Kwan 20 Reputation points
2024-06-26T15:14:23.48+00:00

I want to use Airflow on ADF (Managed Workflow Orchestration), but when I try to add a user, they do not get access even though they have been given "Viewer", "User", and "Op" roles in the Airflow UI. I integrated AAD during setup and am wondering if they also need to have "Data Factory Contributor" role for the Azure Data Factory resource or if there other specific permissions they need. I found information on custom roles and scenarios here: https://learn.microsoft.com/en-us/azure/data-factory/concepts-roles-permissions#custom-scenarios-and-custom-roles

{
  "type": "https://tools.ietf.org/html/rfc7235#section-3.1",
  "title": "Unauthorized",
  "status": 401,
  "traceId": "00-d5c6cbb2c2312393b21c8649321e218c-8294edb61ad97bfb-00"
}
Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
10,128 questions
{count} votes

Accepted answer
  1. phemanth 8,560 Reputation points Microsoft Vendor
    2024-07-02T04:19:20.46+00:00

    @Alex Kwan I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to accept the answer .

    AskI want to use Airflow on ADF (Managed Workflow Orchestration), but when I try to add a user, they do not get access even though they have been given "Viewer", "User", and "Op" roles in the Airflow UI. I integrated AAD during setup and am wondering if they also need to have "Data Factory Contributor" role for the Azure Data Factory resource or if there other specific permissions they need. I found information on custom roles and scenarios here: https://learn.microsoft.com/en-us/azure/data-factory/concepts-roles-permissions#custom-scenarios-and-custom-roles

    {
      "type": "https://tools.ietf.org/html/rfc7235#section-3.1",
      "title": "Unauthorized",
      "status": 401,
      "traceId": "00-d5c6cbb2c2312393b21c8649321e218c-8294edb61ad97bfb-00"
    }
    

    Solution:

    {
        "Name": "${ROLE_NAME}",
        "IsCustom": true,
        "Description": "Allows monitoring and managing of integration runtimes",
        "Actions": [
            "Microsoft.DataFactory/factories/integrationruntimes/read",
            "Microsoft.DataFactory/factories/integrationruntimes/start/action",
            "Microsoft.DataFactory/factories/integrationruntimes/stop/action",
            "Microsoft.DataFactory/factories/integrationruntimes/getconnectioninfo/action",
            "Microsoft.DataFactory/factories/integrationruntimes/synccredentials/action",
            "Microsoft.DataFactory/factories/integrationruntimes/upgrade/action",
            "Microsoft.DataFactory/factories/integrationruntimes/createexpressshirinstalllink/action",
            "Microsoft.DataFactory/factories/integrationruntimes/removelinks/action",
            "Microsoft.DataFactory/factories/integrationruntimes/linkedIntegrationRuntime/action",
            "Microsoft.DataFactory/factories/integrationruntimes/getObjectMetadata/action",
            "Microsoft.DataFactory/factories/integrationruntimes/refreshObjectMetadata/action",
            "Microsoft.DataFactory/factories/integrationruntimes/enableInteractiveQuery/action",
            "Microsoft.DataFactory/factories/integrationruntimes/disableInteractiveQuery/action",
            "Microsoft.DataFactory/factories/integrationruntimes/getstatus/read",
            "Microsoft.DataFactory/factories/integrationruntimes/monitoringdata/read",
            "Microsoft.DataFactory/factories/integrationruntimes/nodes/read",
            "Microsoft.DataFactory/factories/integrationruntimes/nodes/ipAddress/action"
        ],
        "NotActions": [
            "Microsoft.DataFactory/factories/integrationruntimes/write",
            "Microsoft.DataFactory/factories/integrationruntimes/delete",
            "Microsoft.DataFactory/factories/integrationruntimes/listauthkeys/action",
            "Microsoft.DataFactory/factories/integrationruntimes/regenerateauthkey/action",
            "Microsoft.DataFactory/factories/integrationruntimes/nodes/delete",
            "Microsoft.DataFactory/factories/integrationruntimes/nodes/write",
        ],
        "AssignableScopes": ["/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"]
    }
    

    The json I posted above worked for me.

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.


    Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

0 additional answers

Sort by: Most helpful