Azure databricks unity catalog service principal

Azuretech 90 Reputation points
2023-07-05T17:02:55.9266667+00:00

I am trying to assign permissions (Account admin) to a service principal in Unity Catalog, but it appears WITHOUT a name in Unity Catalog --> User management. Only the id and status are shown; the name is blank. I am not able to edit or delete it from UC.

It looks like I can only assign permissions to those service principals in UC which have a "name" attached to them. These SPs are linked from the Databricks workspace, where they were added only as an id, not with a name.

Is there any way I can assign permissions to an SP in the Unity Catalog metastore if there is no name attached?


1 answer

  1. PRADEEPCHEEKATLA-MSFT 85,586 Reputation points Microsoft Employee
    2023-07-13T04:23:52.79+00:00

    @Azuretech - Thanks for the question and using MS Q&A platform.

    Here is the response provided by the internal team: You need to update the SPN display name in the Databricks Account. To make this update you need to call the Databricks SCIM API.

    Here is an example in PowerShell:

    # Requires the Az.Resources module (for Get-AzADApplication) and a Databricks PowerShell
    # module that provides Invoke-DatabricksAPI, already authenticated against the workspace.
    Import-Module Az.Resources

    $spnName = "your SPN name"
    $deploymentToken = "a valid Databricks Workspace token"
    $unityCatalogWorkspaceUrl = "a valid databricks workspace URL, workspace needs to be attached to UC"

    # Resolve the Entra application so the SCIM record can be matched on its application (client) ID
    $spn = Get-AzADApplication -DisplayName $spnName

    # List the account-level SCIM service principals and pick the one with that application ID
    $spns = Invoke-DatabricksAPI -API "api/2.0/account/scim/v2/ServicePrincipals" -Method GET
    $spnUcId = ($spns.Resources | Where-Object applicationId -ieq $spn.AppId).Id

    # SCIM PatchOp that replaces the displayName of that service principal
    $renameSpnBody = @{
        schemas    = @("urn:ietf:params:scim:api:messages:2.0:PatchOp")
        Operations = @(
            @{
                op    = "replace"
                path  = "displayName"
                value = @(
                    @{ value = $spnName }
                )
            }
        )
    }
    $textRenameSpnBody = $renameSpnBody | ConvertTo-Json -Depth 10

    $headers = @{
        Authorization = "Bearer $deploymentToken"
    }

    # Please note that the following REST API call is done with Invoke-RestMethod because it will not work with Invoke-DatabricksAPI
    Invoke-RestMethod -Uri "$($unityCatalogWorkspaceUrl)/api/2.0/account/scim/v2/ServicePrincipals/$($spnUcId)" -Headers $headers -Method Patch -Body $textRenameSpnBody -ContentType "application/json"

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
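An added example, not part of the answer above, that wraps the same SCIM PatchOp in a function which refuses to patch unless the application ID matches exactly one SCIM record (so a display-name collision cannot rename the wrong principal) and then reads the record back to confirm the displayName took effect. The function and parameter names are mine; the endpoint, the body shape and the use of a workspace URL attached to UC are taken from the answer.

```powershell
function Set-DatabricksSpnDisplayName {
    param(
        [Parameter(Mandatory)][string]$WorkspaceUrl,  # workspace attached to the UC metastore
        [Parameter(Mandatory)][string]$AppId,         # Entra application (client) ID of the SPN
        [Parameter(Mandatory)][string]$DisplayName,   # name to show in UC user management
        [Parameter(Mandatory)][string]$Token          # workspace PAT, e.g. from $env:DATABRICKS_TOKEN
    )
    $base    = "$($WorkspaceUrl.TrimEnd('/'))/api/2.0/account/scim/v2/ServicePrincipals"
    $headers = @{ Authorization = "Bearer $Token" }

    # Match on applicationId, not displayName: the SCIM record we are fixing has no name yet.
    # Assumption: the list fits in one page; large accounts may need SCIM startIndex/count paging.
    $list    = Invoke-RestMethod -Uri $base -Headers $headers -Method Get
    $matches = @($list.Resources | Where-Object { $_.applicationId -ieq $AppId })
    if ($matches.Count -ne 1) {
        throw "Expected exactly one SCIM service principal for applicationId $AppId, found $($matches.Count)"
    }
    $id = $matches[0].id

    # Same PatchOp body the answer uses, built from the validated record's id
    $body = @{
        schemas    = @("urn:ietf:params:scim:api:messages:2.0:PatchOp")
        Operations = @(
            @{ op = "replace"; path = "displayName"; value = @(@{ value = $DisplayName }) }
        )
    } | ConvertTo-Json -Depth 10

    Invoke-RestMethod -Uri "$base/$id" -Headers $headers -Method Patch `
        -Body $body -ContentType "application/json" | Out-Null

    # Read the record back so the caller knows the rename actually landed before touching UC grants
    $after = Invoke-RestMethod -Uri "$base/$id" -Headers $headers -Method Get
    if ($after.displayName -ne $DisplayName) {
        throw "displayName on SCIM record $id is '$($after.displayName)', expected '$DisplayName'"
    }
    return $after
}

# Example call (placeholders): token comes from the environment rather than the script
# Set-DatabricksSpnDisplayName -WorkspaceUrl "https://<your-workspace>.azuredatabricks.net" `
#     -AppId "<application-client-id>" -DisplayName "your SPN name" -Token $env:DATABRICKS_TOKEN
```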