Tags: databricks, azure-data-lake-gen2, azure-app-registration

Databricks unable to connect to Azure Data Lake Storage Gen2: AADSTS7000222 The provided client secret keys for app are expired


We have Databricks connecting to Azure Data Lake Storage Gen2. Recently it has been throwing this error:

AADSTS7000222 The provided client secret keys for app are expired.

So we created a new secret in App Registration and then updated it in Azure Key Vault.

But the error remains the same.

We tested connecting to other Azure services with the same secret scope and it is working. The only problem is connecting to the Azure Data Lake Storage Gen2 storage account.

What could be the problem?


Solution

  • Usually the mount is configured like below.

    configs = {"fs.azure.account.auth.type": "OAuth",
              "fs.azure.account.oauth.provider.type": "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider",
              "fs.azure.account.oauth2.client.id": "<client-id>",
              "fs.azure.account.oauth2.client.secret": dbutils.secrets.get(scope="jgscope",key="fordbx"),
              "fs.azure.account.oauth2.client.endpoint": "https://login.microsoftonline.com/<directory-id>/oauth2/token"}
    
    
    dbutils.fs.mount(
      source = "abfss://<container-name>@<storage-name>.dfs.core.windows.net/",
      mount_point = "/mnt/jadls2",
      extra_configs = configs)
    

    If you updated anything in the portal, you need to set these configurations properly again.

    You mentioned the creation of a new app registration, so you need to set the client id.

    dbutils.secrets.get(scope="jgscope",key="fordbx")
    

    The new secret that was generated and updated in Key Vault should also be configured while mounting; pass the scope and key name correctly here.

    So, after getting the new client id and secret, unmount the current mount point and create a new mount with these new values using the above code.

    And check the refreshed secret using the code below.

    dbutils.fs.ls("/mnt/jadls2/csv/")
    

    It should display the files under the folder.

    Next, check the expiry date and time of the secret once more.

    Follow this document for more information about mounting.
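
The unmount, remount and verify steps from the answer above, written as one repeatable routine. This is an added example, not part of the original answer: the function names and parameters are hypothetical, `dbutils` is the notebook object passed in by the caller, and the config keys are the ones shown in the answer.

```python
def build_oauth_configs(dbutils, client_id, directory_id, scope, key):
    """Build the ABFS OAuth settings, reading the secret at call time."""
    return {
        "fs.azure.account.auth.type": "OAuth",
        "fs.azure.account.oauth.provider.type":
            "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider",
        "fs.azure.account.oauth2.client.id": client_id,
        # Read the current value from the secret scope now. An existing mount
        # keeps the value it was created with, so it must be recreated after
        # the secret is rotated.
        "fs.azure.account.oauth2.client.secret":
            dbutils.secrets.get(scope=scope, key=key),
        "fs.azure.account.oauth2.client.endpoint":
            f"https://login.microsoftonline.com/{directory_id}/oauth2/token",
    }


def remount_adls(dbutils, source, mount_point, configs, check_path=None):
    """Drop the existing mount if present, recreate it, then list a path.

    Returns the listing so the caller can confirm the new secret works.
    The secret value itself is never printed or returned.
    """
    # dbutils.fs.mounts() reports mount points without a trailing slash.
    mount_point = mount_point.rstrip("/")
    if any(m.mountPoint == mount_point for m in dbutils.fs.mounts()):
        dbutils.fs.unmount(mount_point)
    dbutils.fs.mount(source=source, mount_point=mount_point,
                     extra_configs=configs)
    # Make other running clusters pick up the changed mount table.
    dbutils.fs.refreshMounts()
    return dbutils.fs.ls(check_path or mount_point)
```

In a notebook this would be called as `remount_adls(dbutils, "abfss://<container-name>@<storage-name>.dfs.core.windows.net/", "/mnt/jadls2", build_oauth_configs(dbutils, "<client-id>", "<directory-id>", "jgscope", "fordbx"), "/mnt/jadls2/csv/")`.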