This request is not authorized to perform this operation using this permission.", 403, HEAD Synapse connect to adls

Daniel Woodhouse 0 Reputation points
2024-06-22T20:29:54.0233333+00:00

I am trying to select data from ADLS Gen2 storage delta table and keep receiving this error. I added the synapse service principal as storage blob data contributor and ACLs to container with no luck. Firewall is set to enable all networks as well. Please advise.

Azure Data Lake Storage
Azure Data Lake Storage
An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
1,408 questions
Azure Synapse Analytics
Azure Synapse Analytics
An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.
4,612 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Amira Bedhiafi 18,341 Reputation points
    2024-06-23T09:06:01.4266667+00:00

    Check the Synapse service principal has :

    Azure Storage Blob Data Contributor:

    1. Navigate to your ADLS Gen2 resource in the Azure portal.
    2. Go to Access Control (IAM).
    3. Check if the Synapse service principal is assigned the Storage Blob Data Contributor role.

    Azure Synapse RBAC Role:

    • Go to your Synapse workspace in the Azure portal.
    • Check if the Synapse service principal is assigned any custom or built-in roles that provide necessary access to the storage.

    https://github.com/MicrosoftDocs/azure-docs/issues/70324

    0 comments
  2. Nehruji R 4,126 Reputation points Microsoft Vendor
    2024-06-24T09:10:11.0333333+00:00

    Hello Daniel Woodhouse,

    Greetings! Welcome to Microsoft Q&A Platform.

    Synapse notebooks use Azure Active Directory (Azure AD) pass-through to access the ADLS Gen2 accounts and your account needs Storage Blob Data Contributor to access the ADLS Gen2 account (or folder). If you are running the notebook via the pipeline, the synapse workspace managed service identity needs Storage Blob Data Contributor to access the ADLS Gen2 account (or folder).

    the error message seems like there was an authentication failure when trying to access a resource.

    Please check if you provided the storage blob data contributor access

    https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/using-the-workspace-msi-to-authenticate-a-synapse-notebook-when/ba-p/2330029

    Follow the above tech community article and run the code using the service principle. You can use either managed identity or the service principal.

    ACLs are used by Azure Data Lake Storage Gen2 to provide granular control over files and directories. Make sure that the user account trying to access the data or the Synapse service principal has the necessary read, write, or execute permissions set.

    you can check the following link for more details

    https://video2.skills-academy.com/en-us/azure/storage/blobs/data-lake-storage-access-control.

    Similar thread for reference - https://video2.skills-academy.com/en-us/answers/questions/1382065/synapse-notebook-got-accessdeniedexception

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.

    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments