Cannot enumerate blobs in Databricks-managed storage account (11.68 TiB) - 403 AuthorizationPermissionDenied

David Nagy 0 Reputation points
2026-06-29T10:33:21.9066667+00:00

Title: Cannot enumerate blobs in Databricks-managed storage account - 403 AuthorizationPermissionDenied

Environment:

  • Storage account: <storage-account> (Standard_GRS, West Europe)
  • Account type: Databricks-managed workspace storage
  • Storage size: 11.68 TiB confirmed via Azure Monitor

Problem:

We manage a Databricks workspace with a managed storage account used for logs, artifacts, and ephemeral data. We need to clean up old data (~5-10 TiB) to reduce costs, but blob enumeration is blocked.

Details:

  1. Blob access blocked: All attempts to list/access blobs in any container return 403 AuthorizationPermissionDenied
  2. RBAC role assigned: Storage Blob Data Reader at storage account scope
  3. Storage composition (from Azure Monitor):
    • ADLS type: 6.33 TiB (749K blobs)
    • BlockBlob type: 5.35 TiB (106K blobs)
  4. What we've tried: Multiple RBAC roles, CLI, Portal, SDKs — all return 403

Questions:

  1. Are Databricks-managed storage accounts restricted to prevent customer blob access?
  2. What role/permission is needed to enumerate and clean blobs in a Databricks workspace storage account?
  3. Is there an alternative (Storage Inventory, Databricks API) to identify and delete old data?

Estimated impact: ~$100-200/month cost saving if cleanup succeeds.

Azure Databricks
Azure Databricks

An Apache Spark-based analytics platform optimized for Azure.


1 answer

Sort by: Most helpful
  1. Sina Salam 30,566 Reputation points Volunteer Moderator
    2026-06-29T16:39:19.8966667+00:00

    Hello David Nagy,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you cannot enumerate blobs in Databricks-managed storage account (11.68 TiB) - 403 AuthorizationPermissionDenied.

    The 403 AuthorizationPermissionDenied should not be treated as a simple missing-role issue.

    To fix, you will need to clean only Databricks-exposed data through Databricks-supported interfaces:

    Clean visible DBFS files with dbutils.fs or databricks fs, clean Delta tables using VACUUM, remove MLflow/job artifacts through Databricks, migrate production data out of DBFS root to Unity Catalog volumes or external locations, and raise Azure Databricks support if Azure Monitor capacity remains higher than the Databricks-visible data. For immediate savings, change workspace storage redundancy from Standard_GRS to Standard_LRS if your resilience requirements allow it. Finally, Do not directly delete unknown blobs or containers from the managed storage account, because workspace storage can contain DBFS root data, MLflow artifacts, model artifacts, job outputs, Lakeflow defaults, Cloud Fetch data, and internally generated platform data. You can use the following official resources for more details:

    I hope this is helpful. Please! Do not hesitate to let me know if you have any other questions, steps or clarifications.


    Please do not close the thread by upvoting and accepting the answer if any part of it is helpful.

    Was this answer helpful?

    0 comments No comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.