This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 77%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
We are trying to execute a Synapse spark job definition from a REST API call (via Logic Apps using a Managed Identity) but receiving the error
The bearer token specified with the request is not a valid one. Please specify a valid bearer token.
However, if we run the "Get Job Definitions" or "Get Job Definitions by Workspace" (two GET operations), it works fine. This suggests insufficient permissions for the POST/execute option but unable to find any details to what we should set, anyone know what to try?
OK, discovered it is kicking off the job definition but that itself is failing on a permission
Exception in thread "main" Operation failed: "This request is not authorized to perform this operation using this permission.", 403, HEAD, https://<xx>.dfs.core.windows.net/synapse/synapse/workspaces/<xx>/batchjobs/Spark%20job%20definition%201/x.py?upn=false&action=getStatus&timeout=90
at org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.execute(AbfsRestOperation.java:166)
at org.apache.hadoop.fs.azurebfs.services.AbfsClient.getPathStatus(AbfsClient.java:414)
at org.apache.hadoop.fs.azurebfs.AzureBlobFileSystemStore.getFileStatus(AzureBlobFileSystemStore.java:551)
at org.apache.hadoop.fs.azurebfs.AzureBlobFileSystem.getFileStatus(AzureBlobFileSystem.java:430)
...
And discovered from there it needed Contributor to storage (didn't seem to make a difference as Data Contributor)
But that leaves an additional issue that while the job appears to run, it still generates an error in Logic Apps
The bearer token specified with the request is not a valid one. Please specify a valid bearer token.
But this time with no errors showing in the Spark logs
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 44%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
The required permission is workspaces/integrationRuntimes/useCompute/action (doc). The minimum role that allows this is 'Synapse Compute Operator'. 'Synapse Contributor' and 'Synapse Administrator' also work, but allows additional actions that you may not want your MSI to have.
Thanks, our process is initiated even though we don't have one of those roles (We had Data Factory Contributor and Contributor to get it working) but will try those to see if it at least takes the error away
I had a similar experience where I could get the job to start but got the error back. 'Synapse Compute Operator' plus 'Storage Blob Contributor: on the storage account allowed the job to start and did not return an error in my tests. If you could let me know if this resolves the error I'd appreciate it.