Hello Dragos Ionita,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you are having error when using ODBC driver with Workload Identity to connect to Azure Databricks Workspace from an AKS Pod deployment.
The error shows that you can't get AAD token for managed identity: invalid_request: Identity not found`) typically arises when the Azure Managed Identity cannot be authenticated in the context of your Azure Kubernetes Service (AKS) setup, particularly when using Workload Identity.
- One way to start troubleshooting is by isolation, isolate the issue to confirm that the managed identity is accessible and that tokens can be issued for it from within the AKS pod by using the
az account get-access-token
command within the AKS pod to get an access token for the managed identity. If this command fails, the issue is likely with the identity's assignment or permissions. Then, check the service account and pod identity logs for any federated identity issues, especially around theIdentity not found
error - https://video2.skills-academy.com/en-us/azure/aks/troubleshoot-managed-identity - With all you've tried, if the federated credential on the managed identity includes the correct audience (typically the AKS OIDC issuer URL) and subject (which should match the Kubernetes service account you created for the Azure Function in the AKS namespace), and confirm that the Kubernetes service account is annotated correctly with the managed identity client ID such as:
metadata: annotations: azure.workload.identity/client-id: "<your-managed-identity-client-id>"
- Your DSN-less connection string is critical. Double-check the format and fields you’re passing based on the Databricks documentation. This is a generic format that should work:
var connString = "Driver={Simba Spark ODBC Driver};Server=<databricks-server-url>;HTTPPath=<http-path>;Auth_Client_ID=<client-id>;Auth_Resource=<resource-id>;Auth_Access_Token=<access-token>";
- Also, the managed identity must have adequate permissions in Databricks and Azure to access resources such as Contributor or Reader roles in the Databricks workspace and Reader role or any necessary roles in the resource group that houses your Databricks instance - https://video2.skills-academy.com/en-us/azure/databricks/administration-guide/users-groups/users
NOTE:
- Some users have reported challenges with the Databricks ODBC driver and managed identities in containerized environments. While there isn’t official documentation confirming compatibility issues, consider testing a similar setup without Workload Identity as a workaround (such as directly in Azure Functions or using a token-based connection) to see if managed identity access is successful outside AKS.
- Try using Azure Service Principal if the issue persists, consider switching temporarily to an Azure Service Principal for authentication. This can help rule out potential limitations with the managed identity + workload identity configuration in AKS.
- If these troubleshooting steps still don’t resolve the issue, this may indeed indicate a limitation with using managed identity + workload identity in AKS specifically with the Databricks ODBC driver. Then, contact Azure Support via your Azure Portal.
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.