Azure databricks to Azure synapse Service Principal Authentication

Question

Azure databricks to Azure synapse Service Principal Authentication

sakuraime 2,341

The screen capture mention it's in the public preview . And I am testing . while I pass .option("enableServicePrincipalAuth","true") \

It still through the error from JDBC

what's the .option("url", ......) going to be ??

2 answers

Your answer

Answer 1

Hello @sakuraime ,

How to find the URL?

Go to Dedicated SQL Pool => Under settings => Connection Strings => Select JDBC (SQL authentication)

Sample code:

# Otherwise, set up the Blob storage account access key in the notebook session conf.  
spark.conf.set(  
  "fs.azure.account.key.<your-storage-account-name>.blob.core.windows.net",  
  "<your-storage-account-access-key>")  
  
# Get some data from an Azure Synapse table.  
df = spark.read \  
  .format("com.databricks.spark.sqldw") \  
  .option("url", "jdbc:sqlserver://<the-rest-of-the-connection-string>") \  
  .option("tempDir", "wasbs://<your-container-name>@<your-storage-account-name>.blob.core.windows.net/<your-directory-name>") \  
  .option("forwardSparkAzureStorageCredentials", "true") \  
  .option("dbTable", "<your-table-name>") \  
  .load()  
  
# Load data from an Azure Synapse query.  
df = spark.read \  
  .format("com.databricks.spark.sqldw") \  
  .option("url", "jdbc:sqlserver://<the-rest-of-the-connection-string>") \  
  .option("tempDir", "wasbs://<your-container-name>@<your-storage-account-name>.blob.core.windows.net/<your-directory-name>") \  
  .option("forwardSparkAzureStorageCredentials", "true") \  
  .option("query", "select x, count(*) as cnt from table group by x") \  
  .load()  
  
# Apply some transformations to the data, then use the  
# Data Source API to write the data back to another table in Azure Synapse.  
  
df.write \  
  .format("com.databricks.spark.sqldw") \  
  .option("url", "jdbc:sqlserver://<the-rest-of-the-connection-string>") \  
  .option("forwardSparkAzureStorageCredentials", "true") \  
  .option("dbTable", "<your-table-name>") \  
  .option("tempDir", "wasbs://<your-container-name>@<your-storage-account-name>.blob.core.windows.net/<your-directory-name>") \  
  .save()

Tested from my end:

For more details, refer Azure Databricks - Azure Synapse Analytics and Write Data from Azure Databricks to Azure Dedicated SQL Pool(formerly SQL DW) using ADLS Gen 2.

Hope this helps. Do let us know if you any further queries.

------------

Please don’t forget to Accept Answer and Up-Vote wherever the information provided helps you, this can be beneficial to other community members.

sakuraime 2,341 Reputation points

2021-03-23T12:34:31.083+00:00

I believe you are using SQL authentication instead of Service Principal Authentication
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2021-03-25T05:51:11.21+00:00

Hello @sakuraime ,

For Service Principal method, please check the below answer.

------------

Please don’t forget to Accept Answer and Up-Vote wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

PRADEEPCHEEKATLA 90,641 Moderator

Hello @sakuraime ,

Connecting Azure Synapse using OAuth 2.0 with a service principal for authentication is available from Databricks Runtime 8.1 and above.

Below are the steps to connect Azure Synapse using OAuth 2.0 with a service principal for authentication:

Step1: Provide service Principal – permissions to Azure Synapse Analytics and storage account.

Azure Synapse Analytics: Go to workspace => Under settings => SQL Active Directory admin => Click on Set admin => Add registered application => Click on save.

Azure Storage temp account: Go to Storage account => Access Control (IAM) => Add role assignment => Select Role: Storage Blob Data Contributor Select: register application => Click on save.

Step2: Define Service Principal credentials for the Azure Synapse Analytics and storage account.

Python Code:

# Defining the service principal credentials for the Azure storage account  
spark.conf.set("fs.azure.account.auth.type", "OAuth")  
spark.conf.set("fs.azure.account.oauth.provider.type",  "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider")  
spark.conf.set("fs.azure.account.oauth2.client.id", "<application-id>")  
spark.conf.set("fs.azure.account.oauth2.client.secret", "<service-credential>")  
spark.conf.set("fs.azure.account.oauth2.client.endpoint", "https://login.microsoftonline.com/<directory-id>/oauth2/token")  
  
# Defining a separate set of service principal credentials for Azure Synapse Analytics (If not defined, the connector will use the Azure storage account credentials)  
spark.conf.set("spark.databricks.sqldw.jdbc.service.principal.client.id", "<application-id>")  
spark.conf.set("spark.databricks.sqldw.jdbc.service.principal.client.secret", "<service-credential>")

Step3: Set the enableServicePrincipalAuth option in the connection configuration.

Sample URL: "url", "jdbc:sqlserver://<workspacename>.sql.azuresynapse.net:1433;database=<databasename>;encrypt=true;trustServerCertificate=true;hostNameInCertificate=*.sql.azuresynapse.net;loginTimeout=30"

Load data from an Azure Synapse query.

Python Code:

df = spark.read \  
  .format("com.databricks.spark.sqldw") \  
  .option("url", "jdbc:sqlserver://<the-rest-of-the-connection-string>") \  
  .option("tempDir", "abfss://<your-container-name>@<your-storage-account-name>.dfs.core.windows.net/<your-directory-name>") \  
  .option("forwardSparkAzureStorageCredentials", "true") \  
  .option("dbTable", "<your-table-name>") \  
  .load()

Write data to the table in Azure Synapse.

Python Code:

df.write \  
  .format("com.databricks.spark.sqldw") \  
  .option("url", "jdbc:sqlserver://<the-rest-of-the-connection-string>") \  
  .option("forwardSparkAzureStorageCredentials", "true") \  
  .option("dbTable", "<your-table-name>") \  
  .option("tempDir", "abfss://<your-container-name>@<your-storage-account-name>.dfs.core.windows.net/<your-directory-name>") \  
  .save()

Hope this helps. Do let us know if you any further queries.

------------

Please don’t forget to Accept Answer and Up-Vote wherever the information provided helps you, this can be beneficial to other community members.

PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2021-03-26T10:37:58.21+00:00

Hello @sakuraime ,
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Take care & stay safe!
sakuraime 2,341 Reputation points

2021-03-26T13:12:41.987+00:00

cool let me try later on
sakuraime 2,341 Reputation points

2021-03-26T13:27:44.967+00:00

still can't
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2021-04-06T07:47:29.897+00:00

Hello @sakuraime ,

Have you provided service Principal – permissions to Azure Synapse Analytics as shown above?
sakuraime 2,341 Reputation points

2021-04-06T13:47:23.123+00:00

yes of coz
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2021-04-07T04:10:13.077+00:00

Hello @sakuraime ,

This is strange, if you are using the above url it will not ask you to specify the JDBC credentials. As per the above reponse I'm able to successfully execute the query and able to read and write from Azure Synapse.

For a deeper investigation and immediate assistance on this issue, if you have a support plan you may file a support ticket.
sakuraime 2,341 Reputation points

2021-04-07T06:17:38.933+00:00

okk.. let me test again . and also see if you can share your version of your databricks
cluster .
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2021-04-07T09:02:27.027+00:00

Hello @sakuraime ,

Connecting Azure Synapse using OAuth 2.0 with a service principal for authentication is available from Databricks Runtime 8.1 and above.

I had tested with Databricks Runtime version : 8.1 (includes Apache Spark 3.1.1, Scala 2.12)
sakuraime 2,341 Reputation points

2021-04-07T13:02:56.123+00:00

oh.. ic . I changed it to 8.1 , however I got another error
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2021-04-08T03:56:06.5+00:00

Hello @sakuraime ,

You will receive this error message due to lack of permission on the storage account. I would request you to add Storage Blob Data Contributor role to the Azure Storage account as shown below:

Azure Storage temp account: Go to Storage account => Access Control (IAM) => Add role assignment => Select Role: Storage Blob Data Contributor Select: register application => Click on save.

Hope this helps.
sakuraime 2,341 Reputation points

2021-04-09T04:23:10.883+00:00

yes already is
PRADEEPCHEEKATLA 90,641 Reputation points Moderator

2021-04-09T09:23:45.043+00:00

Hello @sakuraime ,

The error 403 indicates, you don't have permissions of the storage account which you using. Make sure you have followed the above post carefully to successfully authenticate via service principal.
Aiman Md Uslim 1 Reputation point

2021-06-24T03:16:48.167+00:00

Hi I have a follow up question for these procedures. I am trying to implement permission separation by only allowing Service Principals (SP) to write to only certain schemas in the database. Can this be done in this way? If it can, how would I do it?

Share via

Azure databricks to Azure synapse Service Principal Authentication

2 answers

Your answer