2
votes

I want to create a Secret Scope via the Databricks REST API 2.0.

When I use an SPN for az login, I get the following error when running the request /api/2.0/secrets/scopes/create:

{"error_code":"CUSTOMER_UNAUTHORIZED","message":"Unable to grant read/list permission to Databricks service principal to KeyVault 'https://dtbrcks-kvxxx.vault.azure.net/': key not found: https://management.core.windows.net/"}

But when I use a user login, the same code works fine!

The SPN and the user have the same permissions on the Databricks (Owner/Admin) and Key Vault (Owner) resources.

What is necessary to perform this operation using an SPN?

To get the access token I use these commands:

az login --service-principal

access_token=$(az account get-access-token \
                   --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d \
                   --query "accessToken" \
                   --output tsv)

And this code to create the Secret Scope backed by Azure Key Vault:

# The JSON body is double-quoted so that $subid, $rg, $kvname and $kv_url expand;
# inside single quotes they would be sent to the API literally.
curl -X POST \
  -H "Authorization: Bearer $access_token" \
  -H 'Content-Type: application/json' \
  -d "{\"scope\":\"keyvault-scope\",\"scope_backend_type\":\"AZURE_KEYVAULT\",\"backend_azure_keyvault\":{\"resource_id\":\"/subscriptions/$subid/resourceGroups/$rg/providers/Microsoft.KeyVault/vaults/$kvname\",\"dns_name\":\"$kv_url\"}}" \
  "$dtbrcks_url/api/2.0/secrets/scopes/create"

1 Answers

-1
votes

If your service principal is the Owner of the Databricks workspace, and meets any of the following conditions,


you must provide the X-Databricks-Azure-Workspace-Resource-Id header and a management access token for the Azure Resource Management endpoint when you call the API.

To get the management access token, just change the resource to https://management.core.windows.net.

management_access_token=$(az account get-access-token \
                   --resource 'https://management.core.windows.net' \
                   --query "accessToken" \
                   --output tsv)

Then pass it in the request as in this link:

# $workspace_resource_id is a placeholder for the Azure resource ID of the workspace
# (/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Databricks/workspaces/<name>);
# the JSON body is double-quoted so the $subid, $rg, $kvname and $kv_url variables expand.
curl -X POST \
  -H "Authorization: Bearer $access_token" \
  -H "X-Databricks-Azure-SP-Management-Token: $management_access_token" \
  -H "X-Databricks-Azure-Workspace-Resource-Id: $workspace_resource_id" \
  -H 'Content-Type: application/json' \
  -d "{\"scope\":\"keyvault-scope\",\"scope_backend_type\":\"AZURE_KEYVAULT\",\"backend_azure_keyvault\":{\"resource_id\":\"/subscriptions/$subid/resourceGroups/$rg/providers/Microsoft.KeyVault/vaults/$kvname\",\"dns_name\":\"$kv_url\"}}" \
  "$dtbrcks_url/api/2.0/secrets/scopes/create"

Or you can use a non-admin user login. Prior to this login, the service principal must be added to the workspace, either as part of the admin user login or using the Add service principal endpoint; then you can use the AAD token to call the API directly.
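As an added diagnostic (not part of the question or the answer): the error message says the key for the management audience was missing, so before calling the endpoint it helps to confirm that each token's aud claim matches the resource it was requested for. The Python below decodes the two tokens from az account get-access-token, reports mismatches, and assembles the headers the answer describes; the workspace resource id and the sample tokens are constructed placeholders.

```python
import base64
import json

# Audience the Authorization bearer token must carry: the AzureDatabricks resource id from the question.
DATABRICKS_RESOURCE = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"
# Audience the management token must carry, as named in the error message and the answer.
MANAGEMENT_RESOURCE = "https://management.core.windows.net"


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload WITHOUT verifying it: this only inspects a token
    we obtained ourselves to see which resource it was issued for; it is not validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_audiences(access_token: str, management_token: str) -> list:
    """Return the list of audience problems; empty means both tokens target the right resources."""
    problems = []
    aud = str(jwt_claims(access_token).get("aud", ""))
    if aud != DATABRICKS_RESOURCE:
        problems.append(f"Authorization token aud is {aud!r}, expected {DATABRICKS_RESOURCE!r}")
    aud = str(jwt_claims(management_token).get("aud", ""))
    if aud.rstrip("/") != MANAGEMENT_RESOURCE:  # Azure issues this aud with a trailing slash
        problems.append(f"management token aud is {aud!r}, expected {MANAGEMENT_RESOURCE!r}")
    return problems

def build_headers(access_token: str, management_token: str, workspace_resource_id: str) -> dict:
    """Headers for /api/2.0/secrets/scopes/create when calling as a service principal."""
    return {
        "Authorization": f"Bearer {access_token}",
        "X-Databricks-Azure-SP-Management-Token": management_token,
        "X-Databricks-Azure-Workspace-Resource-Id": workspace_resource_id,
        "Content-Type": "application/json",
    }

def fake_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT so the example runs offline; real tokens come from the az CLI."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    dbx, mgmt = fake_jwt({"aud": DATABRICKS_RESOURCE}), fake_jwt({"aud": MANAGEMENT_RESOURCE + "/"})
    print(check_audiences(dbx, mgmt))   # [] -> tokens match the headers they go into
    print(check_audiences(mgmt, mgmt))  # management token wrongly used as the bearer token
```

With real tokens, replace the fake_jwt calls with the two values returned by az account get-access-token and pass the dict from build_headers to your HTTP client.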