RyanAbbey-0701 asked SamaraSoucy-MSFT commented

Permissions required for REST API to run Synapse Job Definition Execute

We are trying to execute a Synapse Spark job definition from a REST API call (via Logic Apps using a Managed Identity) but are receiving the error:

The bearer token specified with the request is not a valid one. Please specify a valid bearer token.

However, if we run the "Get Job Definitions" or "Get Job Definitions by Workspace" (two GET operations), it works fine. This suggests insufficient permissions for the POST/execute option, but we are unable to find any details as to what we should set. Does anyone know what to try?



azure-synapse-analytics azure-logic-apps

OK, discovered it is kicking off the job definition but that itself is failing on a permission

Exception in thread "main" Operation failed: "This request is not authorized to perform this operation using this permission.", 403, HEAD, https://<xx>.dfs.core.windows.net/synapse/synapse/workspaces/<xx>/batchjobs/Spark%20job%20definition%201/x.py?upn=false&action=getStatus&timeout=90
at org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.execute(AbfsRestOperation.java:166)
at org.apache.hadoop.fs.azurebfs.services.AbfsClient.getPathStatus(AbfsClient.java:414)
at org.apache.hadoop.fs.azurebfs.AzureBlobFileSystemStore.getFileStatus(AzureBlobFileSystemStore.java:551)
at org.apache.hadoop.fs.azurebfs.AzureBlobFileSystem.getFileStatus(AzureBlobFileSystem.java:430)
...


And discovered from there it needed Contributor to storage (didn't seem to make a difference as Data Contributor)

But that leaves an additional issue that while the job appears to run, it still generates an error in Logic Apps

The bearer token specified with the request is not a valid one. Please specify a valid bearer token.

But this time with no errors showing in the Spark logs





1 Answer

SamaraSoucy-MSFT answered SamaraSoucy-MSFT commented

The required permission is workspaces/integrationRuntimes/useCompute/action (doc). The minimum role that allows this is 'Synapse Compute Operator'. 'Synapse Contributor' and 'Synapse Administrator' also work, but allow additional actions that you may not want your MSI to have.



Thanks, our process is initiated even though we don't have one of those roles (We had Data Factory Contributor and Contributor to get it working) but will try those to see if it at least takes the error away


I had a similar experience where I could get the job to start but got the error back. 'Synapse Compute Operator' plus 'Storage Blob Contributor' on the storage account allowed the job to start and did not return an error in my tests. If you could let me know if this resolves the error I'd appreciate it.

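The role combination from the answer above, written as Azure CLI calls. This is an added example, not part of the original thread: the workspace name, object ID and storage resource ID are placeholders, and it assumes the 'Storage Blob Contributor' mentioned in the comment is the built-in "Storage Blob Data Contributor" role.

```shell
#!/bin/sh
# Added example (not from the thread). Grants a managed identity the two
# roles named in the answer, each at the narrowest scope that applies.
# DRY_RUN=1 (default) prints the az commands; DRY_RUN=0 executes them.

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# $1 = Synapse workspace name (placeholder)
# $2 = object ID of the Logic App's managed identity (placeholder GUID)
# $3 = full resource ID of the storage account holding the job files
grant_spark_job_roles() {
  workspace=$1 principal_id=$2 storage_scope=$3

  # Require an object ID so the assignment targets exactly one principal.
  printf '%s' "$principal_id" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
    { echo "principal_id must be an object ID (GUID)" >&2; return 2; }

  # Scope the storage role to one account, not a subscription or resource group.
  case $storage_scope in
    /subscriptions/*/providers/Microsoft.Storage/storageAccounts/*) ;;
    *) echo "storage_scope must be a storage account resource ID" >&2; return 2 ;;
  esac

  # Minimum Synapse RBAC role for workspaces/integrationRuntimes/useCompute/action.
  run az synapse role assignment create \
    --workspace-name "$workspace" \
    --role "Synapse Compute Operator" \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal

  # Data-plane access to the job definition files (assumed role name).
  run az role assignment create \
    --role "Storage Blob Data Contributor" \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --scope "$storage_scope"
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then grant_spark_job_roles "$@"; fi
```

Review the printed commands first, then rerun with DRY_RUN=0 from an account that is allowed to create role assignments on both the workspace and the storage account.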