1
com.databricks.common.client.DatabricksServiceHttpClientException:
PERMISSION_DENIED: Invalid permissions on the specified KeyVault https://azkv*.vault.azure.net/.
Wrapped Message:
  Status code 403,
  {"error":
    {"code":"Forbidden","message":
       "Caller is not authorized to perform action on resource.\r\n
        If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\n
        Caller: name=AzureDatabricks;appid=2vf8v4a6-3304-4ab8-85cb-cd0e6f879c1d;oid=4e924d0e-ad49-4acc-baec-6d612e920502;iss=https://sts.windows.net/552af62d-5878-4131-8695-1e87b0f89945/\r\n
        Action: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\n
        Resource: '/subscriptions/6b60a61d-3e92-4501-8794-fd7725066113/resourcegroups/streamproject/providers/microsoft.keyvault/vaults/azkv*/secrets/clientsecret'\r\n
        Assignment: (not found)\r\n
        DecisionReason: 'DeniedWithNoValidRBAC' \r\n
        Vault: azkv*;location=eastus\r\n",
      "innererror":{"code":"ForbiddenByRbac"}
    }
  }

I have been trying to mount ADLS to databricks using service principal and secret scope. I can't access the key vault it seems.

How could I solve this?

Krokomot
Sanjeev
  • I'm also facing this error com.databricks.common.client.DatabricksServiceHttpClientException: PERMISSION_DENIED: Invalid permissions on the specified KeyVault https://dbsacctkv01.vault.azure.net/ .. but when I navigate to Access Policies it says access policies not available – Siva Aug 08 '23 at 12:03

3 Answers

1

You must add the identity in the access policy blade.

Then you set the required permissions for the secret scope.

Later, select the corresponding service principal of your Databricks.

And then you create the policy.

Hope this helps!

SoySolisCarlos
0

First of all, check your Key Vault permission model under your Key Vault -> Settings -> Access Configuration on the Azure portal.

Azure Key Vault mainly allows key vault access using two permission models.

  1. Azure role-based access control (recommended)
  2. Vault access policy

If you are using Azure role-based access control (recommended), make sure that you have given the 'Key Vault Administrator' role to your service principal from the Access Control (IAM) section of your key vault.

If you are using Vault access policy, make sure that you have added a policy for your service principal with the necessary permissions under the Access Policies section of your key vault.

Mostly, this might fix your issue.

Yash Mochi
0

I just faced a similar issue. Here is how I solved it. It might help you too.

I'm using RBAC in my Key Vault. I had to give the "Key Vault Administrator" role to my Databricks Application. The problem I was having is that I couldn't find the Databricks Application when listing its object id in the Key Vault's Access control. Therefore, I followed these steps. After adding my role through the Azure CLI:

az role assignment create --assignee-object-id 11111111-1111-1111-1111-111111111111  --role "Key Vault Administrator" --scope "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"

Then I stopped getting the RBAC error. This was independent of using a Service Principal. Good luck!
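The answers above describe the same decision by hand: read the 403 body, work out which permission model the vault uses, and then either add an RBAC role assignment or an access policy for the Databricks principal. The script below is an added example (not code from the question, the answers, Databricks or Microsoft) that automates that diagnosis offline from the error text. It parses the `Caller`, `Action`, `Resource` and `DecisionReason` fields of the message shown in the question, derives the vault-level scope from the secret's resource ID, and prints the least-privilege remediation: the built-in `Key Vault Secrets User` role (which carries the denied `getSecret` data action, so the `Key Vault Administrator` role the answers use is more than the mount needs) scoped to the vault itself rather than the resource group, with `--assignee-principal-type ServicePrincipal` so the assignment does not depend on the directory lookup the third answer could not get to work. All GUIDs and the vault name in the sample are constructed placeholders, and `rbac_enabled` is assumed to come from `az keyvault show --query properties.enableRbacAuthorization`.

```python
"""Diagnose a Key Vault 403 and emit the least-privilege fix.

Added example; identifiers below are constructed placeholders, not the ones
from the question.
"""
import json
import re

# Constructed sample: the body of the 403 from the question with placeholder IDs.
SAMPLE_MESSAGE = (
    "Caller is not authorized to perform action on resource.\r\n"
    "If role assignments, deny assignments or role definitions were changed "
    "recently, please observe propagation time.\r\n"
    "Caller: name=AzureDatabricks;appid=00000000-0000-0000-0000-000000000001;"
    "oid=00000000-0000-0000-0000-000000000002;"
    "iss=https://sts.windows.net/00000000-0000-0000-0000-000000000003/\r\n"
    "Action: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\n"
    "Resource: '/subscriptions/00000000-0000-0000-0000-000000000004/resourcegroups/"
    "streamproject/providers/microsoft.keyvault/vaults/examplekv/secrets/clientsecret'\r\n"
    "Assignment: (not found)\r\n"
    "DecisionReason: 'DeniedWithNoValidRBAC' \r\n"
    "Vault: examplekv;location=eastus\r\n"
)
SAMPLE_403_BODY = json.dumps({"error": {"code": "Forbidden",
                                        "message": SAMPLE_MESSAGE,
                                        "innererror": {"code": "ForbiddenByRbac"}}})

# Built-in data-plane role whose DataActions include the denied action.
LEAST_PRIVILEGE_ROLE = {
    "Microsoft.KeyVault/vaults/secrets/getSecret/action": "Key Vault Secrets User",
    "Microsoft.KeyVault/vaults/secrets/readMetadata/action": "Key Vault Secrets User",
}

FIELD_RE = re.compile(
    r"^(Caller|Action|Resource|Assignment|DecisionReason|Vault):\s*'?(.*?)'?\s*$")
# Everything up to and including the vault segment of the resource ID.
VAULT_SCOPE_RE = re.compile(
    r"^(/subscriptions/[^/]+/resourcegroups/[^/]+/providers/microsoft\.keyvault/vaults/[^/]+)",
    re.IGNORECASE)


def parse_forbidden(body: str) -> dict:
    """Extract the structured fields Key Vault embeds in its 403 message."""
    err = json.loads(body)["error"]
    fields = {"code": err["code"],
              "innererror": err.get("innererror", {}).get("code")}
    for line in err["message"].split("\r\n"):
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    # "Caller: name=...;appid=...;oid=...;iss=..." -> {"name": ..., "oid": ...}
    fields["caller"] = dict(kv.split("=", 1)
                            for kv in fields.get("Caller", "").split(";") if "=" in kv)
    scope = VAULT_SCOPE_RE.match(fields.get("Resource", ""))
    if not scope:
        raise ValueError("Resource field is not a Key Vault resource ID")
    fields["vault_scope"] = scope.group(1)
    fields["vault_name"] = scope.group(1).rsplit("/", 1)[1]
    return fields


def remediation(fields: dict, rbac_enabled: bool) -> str:
    """Return the az CLI command that grants exactly the denied action.

    rbac_enabled mirrors the vault's properties.enableRbacAuthorization
    (assumed to be read with: az keyvault show --name <vault>
    --query properties.enableRbacAuthorization).
    """
    oid = fields["caller"]["oid"]
    if fields["innererror"] == "ForbiddenByRbac" and not rbac_enabled:
        # The service itself says RBAC decided this request; an access policy
        # would be ignored, so the vault state passed in is stale or wrong.
        raise ValueError("vault reports ForbiddenByRbac: it is in RBAC mode, "
                         "access policies will not help")
    if rbac_enabled:
        role = LEAST_PRIVILEGE_ROLE.get(fields["Action"])
        if role is None:
            raise ValueError(f"no least-privilege role mapped for {fields['Action']}")
        # Scope to the vault, not the resource group; principal type given so the
        # assignment does not depend on a directory lookup of the object ID.
        return (f"az role assignment create --assignee-object-id {oid} "
                f"--assignee-principal-type ServicePrincipal "
                f"--role \"{role}\" --scope \"{fields['vault_scope']}\"")
    # Vault access policy model: grant get/list on secrets to the principal.
    return (f"az keyvault set-policy --name {fields['vault_name']} "
            f"--object-id {oid} --secret-permissions get list")


if __name__ == "__main__":
    parsed = parse_forbidden(SAMPLE_403_BODY)
    print(f"{parsed['caller']['name']} ({parsed['caller']['oid']}) denied "
          f"{parsed['Action']} on {parsed['vault_name']}: {parsed['DecisionReason']}")
    print(remediation(parsed, rbac_enabled=True))
```

Run it as-is to see the diagnosis for the sample body; in practice paste the real 403 body into `parse_forbidden` and pass the vault's actual `enableRbacAuthorization` value. The mismatch check is the case from the comment under the question: a vault that shows "access policies not available" is in RBAC mode, and only a role assignment on the vault scope will clear `DeniedWithNoValidRBAC`.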