Tags: azure, azure-databricks

Permission Denied Error When Running Azure Databricks Notebook via REST API Using Service Principal


I'm attempting to run a notebook on Azure Databricks using the Databricks REST API. I have a Python script that triggers the notebook execution based on a specific path, with authentication handled by a Service Principal (SPN).

I've granted the SPN access to the relevant repositories and cluster to ensure it has the necessary permissions to run the notebook. However, when I try to execute the notebook, I encounter the following error in Postman:

{
    "error_code": "PERMISSION_DENIED",
    "message": "User 'my-spn' does not have Manage Run or Owner or Admin permissions on job 246372968680205"
}

When I use Python code to run the notebook, I get the error below:

"error":"run failed with error message\n Unable to access the notebook \"/Repos/test\". Either it does not exist, or the identity used to run this job, Databricks-POC, lacks the required permissions."

APIs Used:

Job Creation API:

URL: https://myurl.azuredatabricks.net/api/2.1/jobs/create

Payload:

{
    "format": "MULTI_TASK",
    "max_concurrent_runs": 1,
    "name": "TEST-1",
    "tasks": [
        {
            "notebook_task": {
                "notebook_path": "/Workspace/Repos/test"
            },
            "task_key": "Test_1",
            "existing_cluster_id" : "vattkymf"
        }
    ],
    "webhook_notifications": {}
}

This API creates a job and returns a job ID.

{
    "job_id": 38022546101247
}

Job Execution API:

URL: https://myurl.azuredatabricks.net/api/2.1/jobs/run-now

Payload:

{
    "job_id": 38022546101247
}

All APIs are using a Bearer token created with the SPN.

Issue:

Even though the SPN has been granted access to the cluster and repository, there's still a permissions issue with the job itself. Despite double-checking all the permissions and paths, the issue persists.

I have verified that the SPN has access to the cluster, repositories, and the specific job, and I also ensured that the notebook path is correct. However, the error suggests that the SPN does not have sufficient permissions on the job itself. Let me know if some other details are required.

Note : I have removed some sensitive data.


Solution

  • Your first API call to create the job is succeeding. But you have not assigned the permissions to your SPN to execute that new job.

    If you look at the API documentation, you will see the access_control_list object which is an array.

    Among other things, it has the service_principal_name and the permission_level which can be CAN_MANAGE | IS_OWNER | CAN_MANAGE_RUN | CAN_VIEW which seems to be exactly the error you are receiving.

    When creating the job try adding the permissions as well in the payload.

    "access_control_list": [
        {"service_principal_name": "your_app_id", "permission_level": "CAN_MANAGE_RUN"}
    ]


    Also, "format" is deprecated from the 2.1 API so you can remove it from the payload.
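As an added example (not code from the question or the answer above), here is a small Python client that puts the answer into practice: it builds the create-job payload with an `access_control_list` whose entries name exactly one principal and a valid permission level, sends create and run-now with the SPN's bearer token, and classifies the two error bodies quoted in the question so the caller knows whether the job ACL or the notebook/repo access is what is missing. The host, token, cluster id, notebook path and application id are placeholders (assumptions), the `PATCH /api/2.0/permissions/jobs/{job_id}` call for an already-existing job is an assumption about the Permissions API rather than something the answer states, and the canned responses returned by the fake transport are constructed for illustration.

```python
"""Create and run a Databricks job as a service principal with an explicit ACL.

Added example, not from the original post. Placeholders: host, token, cluster id,
notebook path, application id. The fake transport's responses are constructed.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Optional

# Permission levels accepted in access_control_list entries (as listed in the answer).
VALID_PERMISSIONS = {"CAN_VIEW", "CAN_MANAGE_RUN", "IS_OWNER", "CAN_MANAGE"}
# An ACL entry names exactly ONE principal, never user + group + SPN at once.
PRINCIPAL_KEYS = ("user_name", "group_name", "service_principal_name")

# Matches the PERMISSION_DENIED message quoted in the question.
_JOB_PERM_RE = re.compile(r"does not have .* permissions on job (\d+)")


def acl_entry(principal_key: str, principal: str, permission_level: str) -> dict:
    """Build one ACL entry, rejecting unknown principal keys or permission levels."""
    if principal_key not in PRINCIPAL_KEYS:
        raise ValueError(f"principal key must be one of {PRINCIPAL_KEYS}")
    if permission_level not in VALID_PERMISSIONS:
        raise ValueError(f"permission level must be one of {sorted(VALID_PERMISSIONS)}")
    return {principal_key: principal, "permission_level": permission_level}


def build_create_payload(name: str, notebook_path: str, cluster_id: str, acl: list) -> dict:
    """Jobs API 2.1 create payload: one notebook task plus the ACL granted at creation.
    Deliberately omits the deprecated "format" field."""
    return {
        "name": name,
        "max_concurrent_runs": 1,
        "tasks": [{
            "task_key": "run_notebook",
            "notebook_task": {"notebook_path": notebook_path},
            "existing_cluster_id": cluster_id,
        }],
        "access_control_list": list(acl),
    }


def classify_error(body: dict) -> Optional[str]:
    """Map an API error body to the fix it calls for; None if the body is not an error."""
    text = " ".join(str(body.get(k, "")) for k in ("message", "error"))
    if body.get("error_code") == "PERMISSION_DENIED" and _JOB_PERM_RE.search(text):
        return "grant_job_acl"       # caller reaches the API but has no rights on this job
    if "Unable to access the notebook" in text:
        return "grant_notebook_access"  # the run-as identity cannot read the repo/notebook
    if "error_code" in body or "error" in body:
        return "other"
    return None


class DatabricksJobs:
    """Minimal client; `transport(method, url, body) -> (status, json)` is injectable for tests."""

    def __init__(self, host: str, token: str, transport: Optional[Callable] = None):
        self.host = host.rstrip("/")
        self.token = token  # SPN bearer token (placeholder in this example)
        self.transport = transport or self._http

    def _http(self, method: str, url: str, body: Optional[dict]):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, method=method, data=data, headers={
            "Authorization": f"Bearer {self.token}",
            "Content-Type": "application/json",
        })
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:  # 403 etc. still carry a JSON error body
            return err.code, json.loads(err.read() or b"{}")

    def _call(self, method: str, path: str, body: Optional[dict] = None):
        return self.transport(method, self.host + path, body)

    def create_job(self, payload: dict):
        return self._call("POST", "/api/2.1/jobs/create", payload)

    def run_now(self, job_id: int):
        return self._call("POST", "/api/2.1/jobs/run-now", {"job_id": job_id})

    def grant_job_permissions(self, job_id: int, acl: list):
        # Assumption: Permissions API PATCH adds entries to an existing job's ACL.
        return self._call("PATCH", f"/api/2.0/permissions/jobs/{job_id}",
                          {"access_control_list": list(acl)})


def run_with_diagnosis(client: DatabricksJobs, job_id: int):
    """run-now, returning (status, body, diagnosis) so the caller can act on the cause."""
    status, body = client.run_now(job_id)
    return status, body, classify_error(body)
```

`CAN_MANAGE_RUN` is the least privilege that satisfies the quoted error; reserve `CAN_MANAGE` or `IS_OWNER` for the identity that maintains the job definition.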