Databricks API 2.0 - 使用服务主体凭据在 powershell 中创建秘密范围
Databricks API 2.0 - create secret scope in powershell using service principal credentials
我正在尝试使用在 Azure DevOps 部署期间 运行s 的 powershell 脚本在 Azure databricks 中创建一个密钥保管库支持的秘密范围。当我 运行 在本地使用我自己的凭据时它工作正常,但是当我尝试使用服务主体凭据 运行 它时出现错误。
我遇到的问题与 this previous post.
相似但不完全相同
这是我的脚本:
[CmdletBinding()]
Param(
$azureADDatabricksAccessToken = $env:AZUREADDATABRICKSACCESSTOKEN,
$azureManagementAccessToken = $env:AZUREMANAGEMENTACCESSTOKEN,
$workspaceResourceId,
$subscription,
$resourceGroup,
$keyVault,
$workspaceUrl,
$scope
)
$headers = @{
"Authorization" = "Bearer $azureADDatabricksAccessToken";
"X-Databricks-Azure-SP-Management-Token" = $azureManagementAccessToken;
"X-Databricks-Azure-Workspace-Resource-Id" = $workspaceResourceId;
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$scopes = (Invoke-RestMethod -Uri "https://$workspaceUrl/api/2.0/secrets/scopes/list" -Method Get -Headers $headers).scopes
$exists = ($scopes | Where-Object {$_.name -eq $scope}).Count -gt 0
if($exists){
Write-Host "Secret scope found";
}
else{
Write-Host "Creating new secret scope";
$body = @{
"scope" = "$scope";
"scope_backend_type" = "AZURE_KEYVAULT";
"backend_azure_keyvault" =
@{
"resource_id" = "/subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$keyVault";
"dns_name" = "https://$keyVault.vault.azure.net/";
};
"initial_manage_principal" = "users";
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-RestMethod -Uri "https://$workspaceUrl/api/2.0/secrets/scopes/create" -Method Post -Headers $headers -Body (ConvertTo-Json $body)
}
我的访问令牌是这样的:
$azureADDatabricksAccessToken = (az account get-access-token --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d --resource-type aad-graph | ConvertFrom-Json).accessToken
$azureManagementAccessToken = (az account get-access-token --resource "https://management.core.windows.net/" | ConvertFrom-Json).accessToken
这在我使用 az login -t XXXX 登录时有效,但当 运行 作为服务主体使用 az login --service-principal -u XXXX -p XXXX --tenant XXXX 时失败。
我收到的错误信息是:
error_code":"CUSTOMER_UNAUTHORIZED","message":"Unable to grant read/list permission to Databricks service principal to KeyVault
'XXXXX': key not found: https://graph.windows.net/
当运行宁作为服务主体时,我需要为graph.windows.net添加一些其他访问令牌header吗?
您不能使用服务主体执行此操作 - 这是 Azure 方面的限制。 documentation 明确说明了这一点:
You need an Azure AD user token to create an Azure Key Vault-backed secret scope with the Databricks CLI. You cannot use an Azure Databricks personal access token or an Azure AD application token that belongs to a service principal.
P.S。自动配置工作区是一个很大的痛点,但因为它是 Azure 中的问题,你所能做的就是升级到他们的支持,也许它会被优先考虑。
P.P.S。你看过 Databricks Terraform Provider - 与 Powershell + REST 相比,它可能会让你的生活更轻松 API
我正在尝试使用在 Azure DevOps 部署期间 运行s 的 powershell 脚本在 Azure databricks 中创建一个密钥保管库支持的秘密范围。当我 运行 在本地使用我自己的凭据时它工作正常,但是当我尝试使用服务主体凭据 运行 它时出现错误。
我遇到的问题与 this previous post.
相似但不完全相同这是我的脚本:
[CmdletBinding()]
Param(
$azureADDatabricksAccessToken = $env:AZUREADDATABRICKSACCESSTOKEN,
$azureManagementAccessToken = $env:AZUREMANAGEMENTACCESSTOKEN,
$workspaceResourceId,
$subscription,
$resourceGroup,
$keyVault,
$workspaceUrl,
$scope
)
$headers = @{
"Authorization" = "Bearer $azureADDatabricksAccessToken";
"X-Databricks-Azure-SP-Management-Token" = $azureManagementAccessToken;
"X-Databricks-Azure-Workspace-Resource-Id" = $workspaceResourceId;
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$scopes = (Invoke-RestMethod -Uri "https://$workspaceUrl/api/2.0/secrets/scopes/list" -Method Get -Headers $headers).scopes
$exists = ($scopes | Where-Object {$_.name -eq $scope}).Count -gt 0
if($exists){
Write-Host "Secret scope found";
}
else{
Write-Host "Creating new secret scope";
$body = @{
"scope" = "$scope";
"scope_backend_type" = "AZURE_KEYVAULT";
"backend_azure_keyvault" =
@{
"resource_id" = "/subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.KeyVault/vaults/$keyVault";
"dns_name" = "https://$keyVault.vault.azure.net/";
};
"initial_manage_principal" = "users";
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-RestMethod -Uri "https://$workspaceUrl/api/2.0/secrets/scopes/create" -Method Post -Headers $headers -Body (ConvertTo-Json $body)
}
我的访问令牌是这样的:
$azureADDatabricksAccessToken = (az account get-access-token --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d --resource-type aad-graph | ConvertFrom-Json).accessToken
$azureManagementAccessToken = (az account get-access-token --resource "https://management.core.windows.net/" | ConvertFrom-Json).accessToken
这在我使用 az login -t XXXX 登录时有效,但当 运行 作为服务主体使用 az login --service-principal -u XXXX -p XXXX --tenant XXXX 时失败。
我收到的错误信息是:
error_code":"CUSTOMER_UNAUTHORIZED","message":"Unable to grant read/list permission to Databricks service principal to KeyVault
'XXXXX': key not found: https://graph.windows.net/
当运行宁作为服务主体时,我需要为graph.windows.net添加一些其他访问令牌header吗?
您不能使用服务主体执行此操作 - 这是 Azure 方面的限制。 documentation 明确说明了这一点:
You need an Azure AD user token to create an Azure Key Vault-backed secret scope with the Databricks CLI. You cannot use an Azure Databricks personal access token or an Azure AD application token that belongs to a service principal.
P.S。自动配置工作区是一个很大的痛点,但因为它是 Azure 中的问题,你所能做的就是升级到他们的支持,也许它会被优先考虑。
P.P.S。你看过 Databricks Terraform Provider - 与 Powershell + REST 相比,它可能会让你的生活更轻松 API