How to grant an Azure Synapse notebook manual run access to an Azure ADLS Gen2 data lake?

Dom-Su BoChum 20 Reputation points
2024-01-17T13:43:20.78+00:00

Hello, I am experiencing an "Access unauthorized on the provided ADLS Gen2 account." error when I try to run a notebook manually from the Azure Synapse workspace. However, the same notebook runs successfully when executed from a Synapse pipeline. I have set up firewall rules to grant access to the Azure ADLS Gen2 data lake, including our developers' networks and the relevant Microsoft.Synapse/workspaces resource instance. Both the user who initiates the manual run and the Synapse workspace's managed identity have the "Storage Blob Data Contributor" role assigned. What can I do to resolve this issue?
Thanks!


Accepted answer
  1. Smaran Thoomu 12,100 Reputation points Microsoft Vendor
    2024-06-07T08:27:02.6433333+00:00

    Hi @Dom-Su BoChum

    Thank you for letting me know. Based on your feedback information, it seems that you have already followed all the instructions and guidelines from Microsoft, but the issue still persists. If Microsoft Support has recommended using private/service endpoints to resolve the issue, then that might be the best solution for your scenario.

    Private/service endpoints allow you to access Azure Storage accounts and Azure Data Lake Storage Gen2 accounts over a private endpoint in your virtual network. This provides a secure and private connection between your virtual network and the storage account, without the need for public internet access.

    To set up a private endpoint for your Azure Data Lake Storage Gen2 account, you can refer to the documentation:

    Once you have set up the private endpoint, you can update your firewall rules to allow traffic from the private endpoint's IP address range.

    If you have any further questions or concerns, please let me know and I'll do my best to assist you.

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.


1 additional answer

  1. Smaran Thoomu 12,100 Reputation points Microsoft Vendor
    2024-01-18T11:09:57.77+00:00

    Hi Dom-Su BoChum,

    Welcome to Microsoft Q&A platform and thanks for posting your question here.

    Regarding the "Access unauthorized" error when trying to access your ADLS Gen2 account from Synapse: this usually happens when Synapse doesn't have permission. But you checked, and Synapse has the right role ("Storage Blob Data Contributor") and the firewall isn't blocking it. So, let's try some other things to fix the issue.

    1. Check if the user has the necessary permissions to execute the notebook. You can check this by going to the notebook's "Access control (IAM)" tab in the Azure portal.
    2. Ensure that the notebook is using the correct credentials to access the ADLS Gen2 storage account. You can check this by going to the notebook's "Data sources" tab in the Azure portal.
    3. Verify that the Synapse workspace's managed identity has the necessary permissions to access the ADLS Gen2 storage account. You can check this by going to the storage account's "Access control (IAM)" tab in the Azure portal.
    4. Check if there are any custom roles assigned to the ADLS Gen2 storage account that might be restricting access. If so, ensure that the user and the Synapse workspace's managed identity have the necessary permissions to access the storage account.

    If the issue persists, you can try running the notebook with the "System-assigned managed identity" option selected in the "Compute" tab of the notebook. This will ensure that the notebook is using the Synapse workspace's managed identity to access the ADLS Gen2 storage account.

    I hope this helps you resolve the issue. Let me know if you have any further questions or concerns.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
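The symptom in this thread (both identities hold Storage Blob Data Contributor, the firewall has an IP rule for the developers' network and a resource instance rule for the workspace, yet only the pipeline run succeeds) has the shape of a request that passes RBAC but fails the storage firewall. The script below is an added example, not code from the question or either answer: it models the two checks an ADLS Gen2 request must clear (network rules, then data-plane RBAC) and evaluates the pipeline run and the manual run side by side. It assumes that a manual notebook run presents the user's own token (so no resource instance rule can match it) while a pipeline run presents the workspace managed identity, and that the Spark pool's traffic does not originate inside the developers' IP range; neither assumption is established by the thread, and every ID, CIDR and IP in the script is constructed.

```python
"""
Offline model of the two checks an ADLS Gen2 request must pass before data
is returned: (1) the storage account network rules (IP rules, resource
instance rules, default action) and (2) Azure RBAC on the data plane.

Added example, not code from the original post. The rule semantics encoded
here are a simplified assumption of how the storage firewall and RBAC
combine; every ID, CIDR and IP below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Data-plane roles that grant access to blob/ADLS data. Control-plane roles
# such as Owner or Contributor are deliberately NOT in this set.
DATA_PLANE_ROLES = {
    "Storage Blob Data Reader",
    "Storage Blob Data Contributor",
    "Storage Blob Data Owner",
}


@dataclass
class NetworkRuleSet:
    default_action: str                 # "Deny" or "Allow"
    ip_rules: List[str]                 # CIDRs allowed through the firewall
    resource_instance_ids: List[str]    # ARM IDs of trusted resource instances


@dataclass
class Request:
    principal_id: str                   # object ID carried in the token
    source_ip: str                      # IP the request arrives from
    # ARM ID of the Azure resource whose managed identity signed the request;
    # None when the token belongs to a user rather than a resource instance.
    resource_instance_id: Optional[str] = None


def network_check(rules: NetworkRuleSet, req: Request) -> Tuple[bool, str]:
    """Evaluate the firewall: any matching allow rule wins, else the default action."""
    if rules.default_action.lower() == "allow":
        return True, "default action Allow"
    src = ipaddress.ip_address(req.source_ip)
    for cidr in rules.ip_rules:
        if src in ipaddress.ip_network(cidr, strict=False):
            return True, f"IP rule {cidr}"
    if req.resource_instance_id is not None:
        for rid in rules.resource_instance_ids:
            if rid.lower() == req.resource_instance_id.lower():
                return True, f"resource instance rule {rid}"
    return False, "no IP or resource instance rule matched; default action Deny"


def rbac_check(assignments: List[dict], principal_id: str) -> Tuple[bool, str]:
    """Evaluate data-plane RBAC: does the principal hold a Storage Blob Data role?"""
    roles = {a["role"] for a in assignments if a["principalId"] == principal_id}
    granted = roles & DATA_PLANE_ROLES
    if granted:
        return True, "holds " + ", ".join(sorted(granted))
    return False, "no Storage Blob Data role assigned (roles: %s)" % (sorted(roles) or "none")


def evaluate(rules: NetworkRuleSet, assignments: List[dict], req: Request) -> dict:
    """Return both verdicts; the request succeeds only if both checks pass."""
    net_ok, net_why = network_check(rules, req)
    rbac_ok, rbac_why = rbac_check(assignments, req.principal_id)
    return {"allowed": net_ok and rbac_ok, "network": net_why, "rbac": rbac_why}


# ---- constructed scenario (all IDs and IPs are made up for this example) ----
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
                "/providers/Microsoft.Synapse/workspaces/syn-example")
WORKSPACE_MI = "11111111-1111-1111-1111-111111111111"   # workspace managed identity
DEVELOPER = "22222222-2222-2222-2222-222222222222"      # user running the notebook by hand
DEV_NETWORK = "203.0.113.0/24"                           # developers' office range
SPARK_EGRESS_IP = "198.51.100.7"                         # assumed source IP of Spark pool traffic

RULES = NetworkRuleSet(default_action="Deny",
                       ip_rules=[DEV_NETWORK],
                       resource_instance_ids=[WORKSPACE_ID])
ASSIGNMENTS = [
    {"principalId": WORKSPACE_MI, "role": "Storage Blob Data Contributor"},
    {"principalId": DEVELOPER, "role": "Storage Blob Data Contributor"},
]


def pipeline_run() -> dict:
    """Pipeline trigger: the workspace managed identity signs the request."""
    return evaluate(RULES, ASSIGNMENTS, Request(WORKSPACE_MI, SPARK_EGRESS_IP, WORKSPACE_ID))


def manual_run() -> dict:
    """Manual run (assumed to use the user's own token, so no resource instance matches)."""
    return evaluate(RULES, ASSIGNMENTS, Request(DEVELOPER, SPARK_EGRESS_IP))


def manual_run_from_dev_network() -> dict:
    """Same user, but arriving from an IP inside the developers' allowed range."""
    return evaluate(RULES, ASSIGNMENTS, Request(DEVELOPER, "203.0.113.42"))


if __name__ == "__main__":
    for name, fn in [("pipeline", pipeline_run), ("manual", manual_run),
                     ("manual from dev net", manual_run_from_dev_network)]:
        print(name, fn())
```

Under these assumptions the manual run is rejected with the RBAC verdict "holds Storage Blob Data Contributor" but the network verdict "no IP or resource instance rule matched", which is the practitioner's cue to look at where the request is coming from (and what identity it carries) rather than at role assignments. A private endpoint, as the accepted answer suggests, or a trusted-service/resource-instance path for the identity actually used by manual runs, changes the network verdict; adding more roles does not.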