Using Service Principal (OID), Not Able to Access Azure Data Lake Storage from Azure Databricks Notebooks

Oindrila Chakraborty 6 Reputation points
2020-12-30T12:14:39.077+00:00

Hi All,

I am just mounting a directory of Azure Data Lake Gen2 instance in a Notebook cell using Service Principal. I fetched the Object ID (OID) of the Service Principal using the command "az ad sp show" and using the OID, I provided "Read", "Write" and "Execute" access to a directory in ADLS.

Now, from the Notebook in Databricks, I ran the commands to mount the directory, which ran successfully. Afterwards, I tried to run the command to see all the contents present in that mounted directory using the command -
display(
dbutils.fs.ls("/mnt/datalakegen2oindrila/JSON-Data/")
)

but getting the following error every time -
AbfsRestOperationException: GET https://datalakegen2oindrila.dfs.core.windows.net/databricks-container?resource=filesystem&maxResults=500&directory=JSON-Data&timeout=90&recursive=false
StatusCode=403
StatusDescription=This request is not authorized to perform this operation using this permission.
ErrorCode=AuthorizationPermissionMismatch
ErrorMessage=This request is not authorized to perform this operation using this permission.
RequestId:442104df-d01f-00bd-059d-de1943000000
Time:2020-12-30T11:18:29.2658260Z

Tags: Azure Data Lake Storage, Azure Databricks

3 answers

  1. MartinJaffer-MSFT 26,086 Reputation points
    2020-12-30T20:04:13.923+00:00

    Hello @Oindrila Chakraborty and welcome to Microsoft Q&A. Thank you for your question.

    When using a service principal for authentication, you should use the application (client) ID, not the object ID.


    Please give this a try.

    Thank you for your patience,
    Martin


  2. MartinJaffer-MSFT 26,086 Reputation points
    2021-01-04T22:13:57.133+00:00

    @Oindrila Chakraborty when you granted access, did you give execute permissions, or just read/write?
    In order to list the contents, a combination of both read and execute are required. With read and not execute, this error message happens.

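The two answers above make two separate points: the mount has to authenticate with the service principal's application (client) ID, and listing a directory needs both read and execute on it. The block below is an added example written for this page; it is not code from the thread, from Microsoft or from Databricks. It builds the OAuth `extra_configs` that `dbutils.fs.mount()` takes (the `fs.azure.*` keys are the documented ones) and evaluates ADLS Gen2 POSIX-style ACL strings, in the format `az storage fs access show` prints, to check what a listing needs: execute on the container root and on every parent directory, plus read and execute on the target directory (execute without read on the parents lets the principal traverse them without being able to list them, which is how access to a single folder is usually scoped). A `mask::` entry, which caps named-user permissions, is honoured. The helper names, the IDs, the paths and the ACL strings are all made up for illustration; the check ignores ownership, group membership and RBAC data roles, which Azure evaluates before ACLs.

```python
"""Added example (not from the Q&A thread): mount configs + ADLS ACL check."""
from __future__ import annotations

import uuid
from typing import Callable, Mapping, Optional


def build_oauth_configs(tenant_id: str, application_id: str, client_secret: str) -> dict[str, str]:
    """Spark/ABFS settings for an OAuth 2.0 client-credentials mount.

    application_id must be the value `az ad sp show` prints as 'appId'; the
    object ID ('id'/'objectId') belongs in the storage ACL, not here. Both are
    GUIDs, so the format check only catches malformed values, not a swap.
    """
    uuid.UUID(application_id)  # raises ValueError on a malformed GUID
    return {
        "fs.azure.account.auth.type": "OAuth",
        "fs.azure.account.oauth.provider.type":
            "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider",
        "fs.azure.account.oauth2.client.id": application_id,
        "fs.azure.account.oauth2.client.secret": client_secret,
        "fs.azure.account.oauth2.client.endpoint":
            f"https://login.microsoftonline.com/{tenant_id}/oauth2/token",
    }


def mount_adls(account: str, container: str, mount_point: str,
               configs: Mapping[str, str], mount: Optional[Callable[..., object]] = None) -> str:
    """Mount the container at mount_point. `mount` defaults to dbutils.fs.mount,
    which only exists inside a Databricks notebook; pass a stand-in elsewhere."""
    source = f"abfss://{container}@{account}.dfs.core.windows.net/"
    if mount is None:
        try:
            mount = dbutils.fs.mount  # noqa: F821 (notebook global)
        except NameError:
            raise RuntimeError("dbutils is only defined in a Databricks notebook; pass mount=")
    mount(source=source, mount_point=mount_point, extra_configs=dict(configs))
    return source


def parse_acl(acl: str) -> dict[str, str]:
    """'user::rwx,group::r-x,other::---,user:<oid>:r-x' -> {'user:': 'rwx', ...}.
    'default:' entries are skipped: they apply to new children, not this directory."""
    entries: dict[str, str] = {}
    for raw in acl.split(","):
        parts = raw.strip().split(":")
        if parts[0] == "default":
            continue
        scope, qualifier, perms = parts
        entries[f"{scope}:{qualifier}"] = perms
    return entries


def effective_perms(acl: str, oid: str) -> str:
    """Permissions the named principal (by object ID) gets from this ACL.
    A named-user entry is capped by the mask entry, as in POSIX ACLs."""
    entries = parse_acl(acl)
    key = f"user:{oid}"
    perms = entries.get(key, entries.get("other:", "---"))
    if key in entries and "mask:" in entries:
        perms = "".join(p if m != "-" else "-" for p, m in zip(perms, entries["mask:"]))
    return perms


def can_list_directory(acls: Mapping[str, str], oid: str, path: str) -> tuple[bool, str]:
    """acls maps directory paths (container root is '/') to ACL strings.
    Listing `path` needs 'x' on every ancestor and 'r' plus 'x' on `path` itself;
    a directory absent from `acls` is treated as granting nothing."""
    parts = [p for p in path.strip("/").split("/") if p]
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for anc in ancestors:
        if "x" not in effective_perms(acls.get(anc, "other::---"), oid):
            return False, f"missing execute on ancestor {anc}"
    target = "/" + "/".join(parts) if parts else "/"
    perms = effective_perms(acls.get(target, "other::---"), oid)
    if "r" not in perms:
        return False, f"missing read on {target}"
    if "x" not in perms:
        return False, f"missing execute on {target}"
    return True, "ok"


# Constructed sample data (made-up IDs; real ones are GUIDs from `az ad sp show`).
SP_OID = "11111111-1111-1111-1111-111111111111"     # object ID: goes in the ACL
SP_APP_ID = "22222222-2222-2222-2222-222222222222"  # application ID: goes in the mount

# Folder-only grant: rwx on the folder, nothing on the container root -> ls fails.
ACLS_FOLDER_ONLY = {
    "/": "user::rwx,group::r-x,other::---",
    "/JSON-Data": f"user::rwx,group::r-x,other::---,user:{SP_OID}:rwx",
}
# Traverse-only on the root, read+execute on the folder -> ls succeeds.
ACLS_FIXED = {
    "/": f"user::rwx,group::r-x,other::---,user:{SP_OID}:--x",
    "/JSON-Data": f"user::rwx,group::r-x,other::---,user:{SP_OID}:r-x",
}

if __name__ == "__main__":
    for name, acls in (("folder-only", ACLS_FOLDER_ONLY), ("fixed", ACLS_FIXED)):
        print(name, can_list_directory(acls, SP_OID, "/JSON-Data"))
    cfg = build_oauth_configs("my-tenant-id", SP_APP_ID, "secret-from-a-scope")
    print(cfg["fs.azure.account.oauth2.client.id"])
```

In a notebook the secret would come from `dbutils.secrets.get(scope, key)` rather than a literal, and `mount_adls()` would be called without the `mount=` argument so it uses `dbutils.fs.mount`.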

  3. ashok gupta 16 Reputation points
    2021-03-06T17:57:13.667+00:00

    @Oindrila Chakraborty, if we give any RBAC role to the SP, would it not get access to all folders and containers of the lake? I am trying to give my service principal access only to one container's folder. I am facing the same issue. From Storage Explorer, I have added this SP and gave all ACL access, read/write/execute, but still I am not able to access this folder from ADF.
