com.databricks.common.client.DatabricksServiceHttpClientException: PERMISSION_DENIED: Invalid permissions on the specified KeyVault https://azkv*.vault.azure.net/. Wrapped Message: Status code 403, {"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: name=AzureDatabricks;appid=2vf8v4a6-3304-4ab8-85cb-cd0e6f879c1d;oid=4e924d0e-ad49-4acc-baec-6d612e920502;iss=https://sts.windows.net/552af62d-5878-4131-8695-1e87b0f89945/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/6b60a61d-3e92-4501-8794-fd7725066113/resourcegroups/streamproject/providers/microsoft.keyvault/vaults/azkv*/secrets/clientsecret'\r\nAssignment: (not found)\r\nDecisionReason: 'DeniedWithNoValidRBAC' \r\nVault: azkv*;location=eastus\r\n","innererror":{"code":"ForbiddenByRbac"}}}
I have been trying to mount ADLS to Databricks using a service principal and a secret scope.
I can't access the key vault, it seems.
2 Answers
First of all, check your Key Vault permission model under your Key Vault -> Settings -> Access Configuration in the Azure portal.
Azure Key Vault mainly allows key vault access using two permission models.
If you are using Azure role-based access control (recommended), make sure that you have given the 'Key Vault Administrator' role to your service principal from the Access Control (IAM) section of your key vault.
If you are using Vault access policy, make sure that you have added a policy for your service principal with the necessary permissions under the Access Policies section of your key vault.
Mostly, this should fix your issue.
You must add the identity in the access policy blade,
then set the required permissions for the secret scope,
then select the corresponding service principal of your Databricks workspace,
and then create the policy.
Hope this helps!
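Both answers above come down to matching the vault's permission model (Azure RBAC or access policies) to a grant for the principal that is actually calling. The 403 body in the question already names that principal (Caller ... oid=...), the action it needed (getSecret) and the decision reason, so a small parser makes it possible to check whether the principal you granted is the one Key Vault saw. The following Python is an added example, not code from either answer or from Databricks; the GUIDs in the sample body are constructed placeholders, and the mapping from DecisionReason to a finding is my own. Note that the getSecret data action is covered by the built-in 'Key Vault Secrets User' role, which is narrower than 'Key Vault Administrator'.

```python
"""Parse a Key Vault RBAC 403 body (as surfaced through Databricks) and explain the denial."""
import json
import re

# Constructed sample body in the same shape as the one in the question,
# with placeholder GUIDs instead of the real tenant/subscription values.
CALLER_OID = "00000000-0000-0000-0000-00000000aaaa"
SAMPLE_BODY = json.dumps({
    "error": {
        "code": "Forbidden",
        "message": (
            "Caller is not authorized to perform action on resource.\r\n"
            "If role assignments, deny assignments or role definitions were changed "
            "recently, please observe propagation time.\r\n"
            "Caller: name=AzureDatabricks;appid=00000000-0000-0000-0000-00000000bbbb;"
            f"oid={CALLER_OID};iss=https://sts.windows.net/00000000-0000-0000-0000-00000000cccc/\r\n"
            "Action: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\n"
            "Resource: '/subscriptions/00000000-0000-0000-0000-00000000dddd/resourcegroups/"
            "streamproject/providers/microsoft.keyvault/vaults/azkv-example/secrets/clientsecret'\r\n"
            "Assignment: (not found)\r\n"
            "DecisionReason: 'DeniedWithNoValidRBAC' \r\n"
            "Vault: azkv-example;location=eastus\r\n"
        ),
        "innererror": {"code": "ForbiddenByRbac"},
    }
})

GETSECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"

# The message is a list of "Key: value" lines separated by \r\n; values may be quoted
# with straight or curly quotes depending on how the page rendered them.
_FIELD_RE = re.compile(r"^(Caller|Action|Resource|Assignment|DecisionReason|Vault):\s*(.*)$")


def parse_forbidden_body(body: str) -> dict:
    """Return the structured fields of a Key Vault 403 error body as a dict."""
    err = json.loads(body)["error"]
    parsed = {
        "code": err.get("code"),
        "innercode": err.get("innererror", {}).get("code"),
    }
    for line in err["message"].replace("\r\n", "\n").split("\n"):
        match = _FIELD_RE.match(line.strip())
        if not match:
            continue  # explanatory sentences, not key/value fields
        key, value = match.group(1).lower(), match.group(2).strip().strip("'\u2018\u2019")
        parsed[key] = value
    # "Caller" is itself a ;-separated list of name=value pairs (name, appid, oid, iss).
    if "caller" in parsed:
        parsed["caller"] = dict(
            part.split("=", 1) for part in parsed["caller"].split(";") if "=" in part
        )
    return parsed


def diagnose(parsed: dict, granted_oids: set) -> list:
    """Compare the denial against the object ids you actually granted and list findings.

    Each finding is a string starting with a short code, so callers can filter on it.
    """
    findings = []
    caller_oid = parsed.get("caller", {}).get("oid")
    if parsed.get("innercode") == "ForbiddenByRbac" or parsed.get("decisionreason") == "DeniedWithNoValidRBAC":
        findings.append(
            "rbac-model: the vault uses the Azure RBAC permission model, so access policies "
            "are ignored and a role assignment on the vault is required"
        )
    if caller_oid and caller_oid not in granted_oids:
        findings.append(
            f"wrong-principal: the calling principal (oid {caller_oid}, name "
            f"{parsed['caller'].get('name')}) has no grant; grants exist for {sorted(granted_oids)}"
        )
    if parsed.get("action") == GETSECRET:
        findings.append(
            "least-privilege: getSecret is covered by the built-in 'Key Vault Secrets User' "
            "role; 'Key Vault Administrator' is broader than this action needs"
        )
    return findings


if __name__ == "__main__":
    fields = parse_forbidden_body(SAMPLE_BODY)
    # Simulate having granted the role to a different service principal than the caller.
    for finding in diagnose(fields, {"00000000-0000-0000-0000-00000000eeee"}):
        print(finding)
```

Feed the real body into parse_forbidden_body and pass the set of object ids you assigned roles or access policies to; a wrong-principal finding means the grant went to a different identity than the one Key Vault saw making the call, which is the first thing to verify before touching propagation delays.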