According to Snowflake Doc for Azure:
Click the Accept button. This action allows the Azure service principal created for your Snowflake account to obtain an access token on any resource inside your tenant.
A Storage Integration requires a Service Principal to access data
Do you know how the service principal creation is managed ?
Is there a different and unique Snowflake service principal per account ? the same is valid for Reader/Managed Accounts or sub Accounts ?
Thanks
Yes, the service principal is per account basis and it follows the same principal as for other Security objects in Snowflake.
Related
I need to access my Azure Storage Account from the Azure Databricks notebook.
From authentication side, all key dependant methods (SAS, key based authentication) worked but we can't expose the Access Credentials from Storage Account into the notebook.
Is there an option du Authenticate the Databricks on Storageaccount over Service Principal or Managed Identity.
As goal, the notebook in Databricks shall only use this code and use the assigned Service principal / Managed identity (developer doesn't see credentials)?
These are possible options for authentication for us:
If you want to access storage account with service principle.
Please follow these steps:
Create service principle account with azure AD app registration
Create storage account and grant service principle access to storage account.
Add application secrete to key vault.
Create key vault secrete scope with Databricks.
For more information refer this Blob by Dhyanendra Singh Rathore and SO thread.
I have an app service that needs to connect to Azure Key Vault to obtain Storage and Cosmos DB connection strings. The same application also needs to use service principal name (with client id and secret) to connect directly to a SQL PaaS instance (not via Azure Key Vault). Can I use one single service principal for both?
Can I use one single service principal for both?
Sure you can. As long as Service Principal as appropriate permissions to access both Azure Key Vault and SQL Database, it should be able to access these resources.
The key thing here is that your Service Principal must be assigned appropriate RBAC roles. For example, if you assign your Service Principal a Contributor role in an Azure Subscription, then you can manage all resources of your Azure Subscription (except role assignment) using that Service Principal.
How can you access a Storage Account blob container without using an Account Key?
I can access data in Storage Account blobs in Power BI ... but it needs the account Access Key !
Is there some way to access the data using some other authentication approach, i.e. an app registration, service principal, managed identity, whatever ?
You could use Shared Access Signature(SAS) to connect Blob Storage in Power BI. This guide will help you.
If you access blob with Azure AD, it doesn't seem to integrate with Power BI. And there is a .Net code sample about creating a block blob.
Azure AD authenticates the security principal (a user,
group, or service principal) running the application. If
authentication succeeds, Azure AD returns the access token to the
application, and the application can then use the access token to
authorize requests to Azure Blob storage or Queue storage.
For more information, the document describes the options that Azure Storage offers for authorizing access to resources.
In Azure DevOps, I have created a service connection (type: Azure Resource Manager) to be able to upload files to Azure Blob Storage.
Then I have added the Storage Blob Data Contributor role for this service principal under Access Control (IAM) in my Azure Storage account by searching for the service principal's name under Select.
I have noticed that each time I create a new DevOps pipeline that uses the (same) service connection, I need to add the Storage Blob Data Contributor role again because under Select, there are then multiple items with the same (service principal's) name. It's not clear why there are multiple items and it's also unclear which one is the newest, such that I am just adding all items as a workaround.
Is there anything that I am missing to avoid ending up with dozens of items to select when assigning roles for a new pipeline that uses the same service connection?
As design, one service connection map to one single service principal.
You issue mostly like you did not ever assign the actual service principal id to that service connection while you configure it. When the system finds there is no principal there, it will automatically create one for it in azure.
Please give the full parameters value there, including service principal id and secret, when you create the service connection.
Then you can just grant the permission to the currently used service principal.
I'm trying to create linked service to azure data lake analytics and it is showing the error like this
[{"code":9512,"message":"Failed to connect to ADLA account 'miniprojectanalytics'
with error 'The client '8899dd6a-45b1-4955-a3b9-7b3a95dd6dfa' with object id
'8899dd6a-45b1-4955-a3b9-7b3a95dd6dfa' does not have authorization to perform action
'Microsoft.Authorization/permissions/read' over scope '
subscriptions/8e9519a3-7b76-40fe-9b64-752ed2d0d4dc/resourceGroups/harigrp/providers/Microsoft.DataLakeAnalytics/accounts/miniprojectanalytics/providers/Microsoft.Authorization'.
Trace: 0941cde4-bff5-42b4-8186-1bd08f04944b Time: 2018-10-05T00:27:23.0661884-07:00'."}]
could anyone please assist me how to resolve this
I believe you need to give your service account access on the ADLA via the Add User Wizard.
From here
Service principal authentication
The Azure Data Lake Analytics linked service requires a service principal authentication to connect to the Azure Data Lake Analytics service. To use service principal authentication, register an application entity in Azure Active Directory (Azure AD) and grant it the access to both the Data Lake Analytics and the Data Lake Store it uses. For detailed steps, see Service-to-service authentication. Make note of the following values, which you use to define the linked service:
Application ID
Application key
Tenant ID
Grant service principal permission to your Azure Data Lake Anatlyics using the Add User Wizard.