I need to add Azure DevOps repos to Azure Databricks Repos by using the Databricks API at this link. I am using service principal credentials for this. The service principal is already added as an admin user to Databricks. With my service principal I can get the list of repos and even delete them. But when I want to add a repo to a folder, it raises the following error:

{
    "error_code": "PERMISSION_DENIED",
    "message": "Missing Git provider credentials. Go to User Settings > Git Integration to add your personal access token."
}

I am not using my own credentials to use a PAT token; instead I am getting a bearer token by sending a request to https://login.microsoftonline.com/directory-id/oauth2/token and using it to authenticate. This works for get repos, delete repos and get repos/repo-id. Just for creating a repo (adding a repo by using the POST method to /repos) it is failing.

If I still use a PAT instead of bearer token, I get the following error:

{
    "error_code": "PERMISSION_DENIED",
    "message": "Azure Active Directory credentials missing. Ensure you are either logged in with your Azure Active Directory account or have setup an Azure DevOps personal access token (PAT) in User Settings > Git Integration. If you are not using a PAT and are using Azure DevOps with the Repos API, you must use an AAD access token. See https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/app-aad-token for steps to acquire an AAD access token."
}

I am using Postman to construct the requests. To generate the error I am getting, I am using the following:

method: post

url-endpoint: https://adb-databricksid.azuredatabricks.net/api/2.0/repos

body:

url: azure-devops-repo
provider: azureDevOpsServices
path: /Repos/folder-name/testrepo

header:

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbG... (construct it by appending the bearer token to the keyword "Bearer")
X-Databricks-Azure-SP-Management-Token: management token (get it like the bearer token, by using the resource https://management.core.windows.net/)
X-Databricks-Azure-Workspace-Resource-Id: /subscriptions/azure-subscription-id/resourceGroups/resourcegroup-name/providers/Microsoft.Databricks/workspaces/workspace-name

Here are the screenshots of the Postman request:

[screenshot: header request]

[screenshot: body request]

Please note that I have used exactly the same method of authentication even for creating clusters and jobs and deleting repos. Just for adding and updating repos it is failing. I'd like to know how I can resolve the PERMISSION_DENIED error mentioned above.

Alex Ott
E. Erfan

2 Answers

To make a service principal work with Databricks Repos you need the following:

  • Create an Azure DevOps personal access token (PAT) for it - Azure DevOps Git repositories don't support service principal authentication via AAD tokens (see documentation). (The service connection for the SP that you configured is used for connecting to other Azure services, not to DevOps itself.)

  • That PAT needs to be put into the Databricks workspace using the Git Credentials API - it should be done when configuring for the first time or when the token has expired. When using this API you need to use the AAD token of the service principal. (btw, it could be done via Terraform as well)

  • After it's done, you can use Databricks Repos APIs or databricks-cli to perform operations with Repos - create/update/delete them. (see previous answer on updating the repo)

Alex Ott
  • I'm a bit confused by the first point, do you create the token on behalf of the service connection (which references the service principal)? If so, how do you do that? – TheRealJimShady May 19 '23 at 10:38
  • For a long time, ADO didn't have support for service principals. They've added something there last month, but it's not clear if they support ADO PATs for SPs or not. Right now you need a user's PAT – Alex Ott May 19 '23 at 10:43
  • Thank you - by 'users PAT', do you mean a human user so that the code is pulled on behalf of a developer rather than the service principal that the job would be run as? – TheRealJimShady May 19 '23 at 11:04
  • Human PAT unfortunately. But it did change recently – Alex Ott May 19 '23 at 16:14
Have you set up the git credentials using this endpoint before creating the repo through the API?

https://docs.databricks.com/dev-tools/api/latest/gitcredentials.html#section/Authentication

If you do not set this up first, you can get the error when trying to create a repo. [screenshot]

Listing & deleting a repo only require valid authentication to Databricks (bearer token or PAT) and don't require valid git credentials. When trying to create a repo, you need authorization on the target repository, which is on Azure DevOps in your case.

So you need to call the git-credentials endpoint (it's the same syntax on AWS and Azure) to create it. [screenshot]

Once your git credentials are up to date, the creation of the repo should work as intended. [screenshot]

Axel R.
  • The link you shared is for AWS. I am using Azure. But I have already authenticated to get the bearer token as you shared in the link and used the bearer token in request header. This method works on listing repos, getting a specific repo, even deleting a repo. Just for adding repos it is failing. – E. Erfan May 16 '22 at 09:34
  • Does your SPN have the rights to access the Azure DevOps repository? – Axel R. May 16 '22 at 09:45
  • ah, that is a good point. Do you know how I can check? My devops and databricks are both in the same Active Directory tenant. – E. Erfan May 16 '22 at 09:52
  • I would check here : https://dev.azure.com///_settings/teams – Axel R. May 16 '22 at 09:56
  • I just added the SP to Azure DevOps. It was under Project settings > Pipelines > Service connections. I am trying to figure out the git credential part you mentioned. – E. Erfan May 16 '22 at 10:18
  • I tried the git-credentials endpoint following your screen shots, for my user name I am getting unauthorized access. I wonder why, but my user has access to DevOps. I tried my complete email as well as just the name part, both raised Error 401 Unauthorized, Problem accessing /api/2.0/git-credentials. Reason: Unauthorized. – E. Erfan May 16 '22 at 14:21
  • One more thing, I would like to use my service principal for all these purposes, because as soon as I get the result with postman, I would put them in python scripts and make them available in Azure DevOps. How can I adapt your way for the service principal and how can I resolve that unauthorized access for my personal user to be able to test? – E. Erfan May 16 '22 at 14:23
  • I generated the DevOps PAT and followed your instruction with the other answer. In the second image of your answer where you used the DevOps PAT token, there is a git_username in request body. What username can I use? I tried it with mine, it worked. But I need to put this whole thing into production environment, and I prefer not to put my own username there in repo. Is there a way to utilize not my own git username, because after all, this is all being done by the service principal, and not my user? – E. Erfan May 18 '22 at 11:00
  • Just to complete the response, both answers together helped me resolve the issue. The main issue was my service principal didn't have the API permission. After adding AzureDatabricks to the API permission of the SP, I created a PAT with my own DevOps account and used the https://abd-databricksws.azuredatabricks.net/api/2.0/git-credentials to add it, and then it worked following what you showed. This link explains everything about the SP AAD: https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/service-principals – E. Erfan May 23 '22 at 15:26
  • @E.Erfan, when you added your PAT as a Databricks git credential, did you use SPN account auth or your personal account auth? I suppose you used SPN auth. I called this API: `curl -X POST -H "$spnAuthHeaders" -d '{ "personal_access_token": "$myPat", "git_username": "$myEmail", "git_provider": "azureDevOpsServices" }' $url`. I got a successful response, and the GET git-credentials API returned the new git credential too. But when I tried to create a new repo from the API with the same SPN auth headers, I got the following errors: (error will be given in the next comment due to length limitation) – Xiang ZHU Jan 18 '23 at 00:14
  • create repo api error message: `{"error_code":"PERMISSION_DENIED","message":"Invalid Git provider credentials. Go to User Settings > Git Integration to ensure that:\n1. You have entered a username with your Git provider credentials.\n2. You have selected the correct Git provider with your credentials.\n3. Your personal access token or app password has the correct repo access.\n4. Your personal access token has not expired.\n5. If you have SSO enabled with your Git provider, be sure to authorize your token."}` – Xiang ZHU Jan 18 '23 at 00:15
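The procedure both answers describe (authenticate as the service principal with an AAD token, store a human user's Azure DevOps PAT through /api/2.0/git-credentials, and only then POST to /api/2.0/repos), written out as an added Python example. It is not code from either answer, from the question, or from Databricks' own tooling. The workspace URL, repo URL, tenant and client ids, the `git_username` and the `FakeWorkspace` stand-in are assumptions or constructed for the demo; the token request mirrors the v1 login endpoint the question uses, with the Azure Databricks AAD resource id as `resource`. `create_repo` maps the exact PERMISSION_DENIED message from the question to a dedicated exception so a caller can tell "no PAT stored" apart from other failures.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# AAD resource id of Azure Databricks, passed as "resource" to the v1 token
# endpoint that the question's requests use.
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"


def get_sp_token(tenant_id, client_id, client_secret, opener=urllib.request.urlopen):
    """Client-credentials grant: returns a bearer token for the service principal."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "resource": DATABRICKS_RESOURCE_ID}).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/token", data=form, method="POST")
    with opener(req) as resp:  # opener is injectable so the call can be faked offline
        return json.load(resp)["access_token"]


class GitCredentialsMissing(RuntimeError):
    """The PERMISSION_DENIED from /repos that means no PAT is stored for this identity."""


class DatabricksRepos:
    """Tiny client for /git-credentials and /repos, authenticated with the SP's AAD token."""

    def __init__(self, workspace_url, aad_token, send=None, extra_headers=None):
        self.base = workspace_url.rstrip("/") + "/api/2.0"
        self.headers = {"Authorization": f"Bearer {aad_token}", "Content-Type": "application/json"}
        self.headers.update(extra_headers or {})  # e.g. the X-Databricks-Azure-* headers from the question
        self._send = send or self._http_send  # send(method, path, payload) -> (status, json body)

    def _http_send(self, method, path, payload):
        data = None if payload is None else json.dumps(payload).encode()
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=self.headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:  # Databricks returns the error JSON in the body
            return err.code, json.loads(err.read() or b"{}")

    def list_git_credentials(self):
        status, body = self._send("GET", "/git-credentials", None)
        return body.get("credentials", []) if status == 200 else []

    def ensure_git_credential(self, git_username, pat, provider="azureDevOpsServices"):
        """Store the Azure DevOps PAT once; the PAT must be a human user's (see the accepted answer)."""
        for cred in self.list_git_credentials():
            if cred.get("git_provider") == provider:
                return cred  # already configured for this identity, do not add a duplicate
        status, body = self._send("POST", "/git-credentials", {
            "git_provider": provider, "git_username": git_username, "personal_access_token": pat})
        if status != 200:
            raise RuntimeError(f"git-credentials failed ({status}): {body}")
        return body

    def create_repo(self, url, path, provider="azureDevOpsServices"):
        status, body = self._send("POST", "/repos", {"url": url, "provider": provider, "path": path})
        if status == 200:
            return body
        if body.get("error_code") == "PERMISSION_DENIED" and "Git provider credentials" in body.get("message", ""):
            raise GitCredentialsMissing(body["message"])
        raise RuntimeError(f"repos failed ({status}): {body}")


def provision_repo(client, repo_url, path, git_username, pat):
    """The order the answers require: git credential first, then the repo."""
    client.ensure_git_credential(git_username, pat)
    return client.create_repo(repo_url, path)


class FakeWorkspace:
    """Constructed stand-in for a workspace so the flow runs offline; it returns the
    exact error from the question until a git credential has been stored."""

    def __init__(self):
        self.credentials, self.repos = [], []

    def __call__(self, method, path, payload):
        if (method, path) == ("GET", "/git-credentials"):
            return 200, {"credentials": list(self.credentials)}
        if (method, path) == ("POST", "/git-credentials"):
            cred = {"credential_id": len(self.credentials) + 1, "git_provider": payload["git_provider"],
                    "git_username": payload["git_username"]}  # the PAT itself is never echoed back
            self.credentials.append(cred)
            return 200, cred
        if (method, path) == ("POST", "/repos"):
            if not self.credentials:
                return 403, {"error_code": "PERMISSION_DENIED", "message": "Missing Git provider credentials. "
                             "Go to User Settings > Git Integration to add your personal access token."}
            repo = {"id": len(self.repos) + 1, **payload}
            self.repos.append(repo)
            return 200, repo
        return 404, {"error_code": "ENDPOINT_NOT_FOUND", "message": path}


if __name__ == "__main__":
    # Offline demo against the fake; drop send= and pass a real get_sp_token() result to go live.
    client = DatabricksRepos("https://adb-1234567890.azuredatabricks.net", "aad-token", send=FakeWorkspace())
    print(provision_repo(client, "https://dev.azure.com/org/project/_git/repo",
                         "/Repos/folder-name/testrepo", "dev.user@example.com", "ado-pat"))
```

Against a real workspace the `X-Databricks-Azure-SP-Management-Token` and `X-Databricks-Azure-Workspace-Resource-Id` headers from the question can be passed via `extra_headers`; once the SP is already a workspace user, as in the question, the bearer token alone is enough. The PAT is sent only once, in the `git-credentials` call, and is never returned by the API, so keep it out of logs and pipeline output.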