我正在尝试使用在 Azure DevOps 部署期间运行的 powershell 脚本在 Azure databricks 中创建 key 保管库支持的 secret 范围。当我使用自己的凭据在本地运行时它工作正常,但当我尝试使用服务主体凭据运行它时出现错误。
我遇到的问题与 this previous post 类似但不完全相同.
这是我的脚本:
[CmdletBinding()]
Param(
$azureADDatabricksAccessToken = $env:AZUREADDATABRICKSACCESSTOKEN,
$azureManagementAccessToken = $env:AZUREMANAGEMENTACCESSTOKEN,
$workspaceResourceId,
$subscription,
$resourceGroup,
$keyVault,
$workspaceUrl,
$scope
)
$headers = @{
"Authorization" = "Bearer $azureADDatabricksAccessToken";
"X-Databricks-Azure-SP-Management-Token" = $azureManagementAccessToken;
"X-Databricks-Azure-Workspace-Resource-Id" = $workspaceResourceId;
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$scopes = (Invoke-RestMethod -Uri "https://$workspaceUrl/api/2.0/secrets/scopes/list" -Method Get -Headers $headers).scopes
$exists = ($scopes | Where-Object {$_.name -eq $scope}).Count -gt 0
if($exists){
Write-Host "Secret scope found";
}
else{
Write-Host "Creating new secret scope";
$body = @{
"scope" = "$scope";
"scope_backend_type" = "AZURE_KEYVAULT";
"backend_azure_keyvault" =
@{
"resource_id" = "/subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$keyVault";
"dns_name" = "https://$keyVault.vault.azure.net/";
};
"initial_manage_principal" = "users";
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-RestMethod -Uri "https://$workspaceUrl/api/2.0/secrets/scopes/create" -Method Post -Headers $headers -Body (ConvertTo-Json $body)
}
我得到这样的访问 token :
$azureADDatabricksAccessToken = (az account get-access-token --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d --resource-type aad-graph | ConvertFrom-Json).accessToken
$azureManagementAccessToken = (az account get-access-token --resource "https://management.core.windows.net/" | ConvertFrom-Json).accessToken
当我使用 az login -t XXXX 登录时,此方法有效,但当使用 az login --service-principal -u XXXX -p XXXX -- 作为服务主体运行时,此方法失败租户XXXX。
我收到的错误消息是:
error_code":"CUSTOMER_UNAUTHORIZED","message":"Unable to grant read/list permission to Databricks service principal to KeyVault
'XXXXX': key not found: https://graph.windows.net/
作为服务主体运行时,我是否需要为 graph.windows.net 添加一些其他访问 token header ?
最佳答案
您无法使用服务主体执行此操作 - 这是 Azure 端的限制。 documentation明确说明了这一点:
You need an Azure AD user token to create an Azure Key Vault-backed secret scope with the Databricks CLI. You cannot use an Azure Databricks personal access token or an Azure AD application token that belongs to a service principal.
附注在自动化配置工作区时,这是一个很大的痛点,但因为这是 Azure 中的问题,所以你能做的一切就是升级到他们的支持,也许会被优先考虑。
P.P.S。你看过Databricks Terraform Provider吗? - 与 Powershell + REST API 相比,它可能会让您的生活更轻松
关于powershell - Databricks API 2.0 - 使用服务主体凭据在 powershell 中创建 secret 范围,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/67502449/