question

RaffaeleBrivio-1767 avatar image
0 Votes"
RaffaeleBrivio-1767 asked RaffaeleBrivio-1767 answered

How to call Synapse Data Plane rest api from within Synapse?

In my Synapse workplace I have an integration pipeline that needs to get information on pipeline runs (running or finished) by passing to it the pipelineRunId as a parameter. So Synapse should, in some sense, perform a search on itself and I found the perfect rest endpoint in this docs.
I build a simple Web Activity to test the api, using Managed Identity as auth method, but I keep getting this error:

{
"code":"InvalidTokenAuthenticationAudience",
"message":"Token Authentication failed with SecurityTokenInvalidAudienceException - IDX10214: Audience validation failed. Audiences: '[PII is hidden]'. Did not match: validationParameters.ValidAudience: '[PII is hidden]' or validationParameters.ValidAudiences: '[PII is hidden]'.",
"failureType":"UserError",
"target":"Get Info",
"details":[]
}

the redacted web activity:

{
"name": "Get Info",
"type": "WebActivity",
"dependsOn": [],
"policy": {
"timeout": "7.00:00:00",
"retry": 0,
"retryIntervalInSeconds": 30,
"secureOutput": false,
"secureInput": false
},
"userProperties": [],
"typeProperties": {
"url": "https://{MYWORKPLACE}.dev.azuresynapse.net/pipelineruns/{MYPIPELINERUNID}?api-version=2020-12-01",
"connectVia": {
"referenceName": "AutoResolveIntegrationRuntime",
"type": "IntegrationRuntimeReference"
},
"method": "GET",
"authentication": {
"type": "MSI",
"resource": "https://management.azure.com/"
}
}
}

This seems to be an issue with synapse itself since with the same method I can successfully call other endpoints like https://management.azure.com/subscriptions?api-version=2020-01-01

What am I missing?










azure-synapse-analytics
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

RaffaeleBrivio-1767 avatar image
0 Votes"
RaffaeleBrivio-1767 answered

Managed to solve it, I just needed to pay more attention to the docs.

Synapse has 2 type of api:

  • classic azure management rest api

  • data-plane rest pi

synapse internal object management is done through data plane api, so things like pipelines, activities, triggers, notebooks etc are in the scope of data plane api and to use them with Managed Identity auth you just have to specify the correct Resource in order for the token issuer to include the right scope. So for Data Plane api you would wanna use
"https://dev.azuresynapse.net/" as resource, opposing to the classic "https://management.core.windows.net/".

see also here:
https://dev.to/jayendran/azure-synapse-analytics-workspaces-deploy-and-debug-part-2-l5c
https://docs.microsoft.com/en-us/rest/api/synapse/#common-parameters-and-headers



5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.