I'm trying to create linked service to azure data lake analytics and it is showing the error like this
[{"code":9512,"message":"Failed to connect to ADLA account 'miniprojectanalytics'
with error 'The client '8899dd6a-45b1-4955-a3b9-7b3a95dd6dfa' with object id
'8899dd6a-45b1-4955-a3b9-7b3a95dd6dfa' does not have authorization to perform action
'Microsoft.Authorization/permissions/read' over scope '
subscriptions/8e9519a3-7b76-40fe-9b64-752ed2d0d4dc/resourceGroups/harigrp/providers/Microsoft.DataLakeAnalytics/accounts/miniprojectanalytics/providers/Microsoft.Authorization'.
Trace: 0941cde4-bff5-42b4-8186-1bd08f04944b Time: 2018-10-05T00:27:23.0661884-07:00'."}]
could anyone please assist me how to resolve this
I believe you need to give your service account access on the ADLA via the Add User Wizard.
From here
Service principal authentication
The Azure Data Lake Analytics linked service requires a service principal authentication to connect to the Azure Data Lake Analytics service. To use service principal authentication, register an application entity in Azure Active Directory (Azure AD) and grant it the access to both the Data Lake Analytics and the Data Lake Store it uses. For detailed steps, see Service-to-service authentication. Make note of the following values, which you use to define the linked service:
Application ID
Application key
Tenant ID
Grant service principal permission to your Azure Data Lake Anatlyics using the Add User Wizard.
Related
So, I was provisioned an Azure SQL server into my subscription of Azure, and I am using Azure Data Factory. Well, starting to use it
The problem I ran into is the following.
I am able to connect
to Azure SQL Server database via
- SQL Management Studio,
- via Visual Studio Code with SQL Tools extension,
- and with Azure data studio.
I was able to create tables and stored procedures.
All this I am doing by logging in using Authentication type
"Azure Active Directory - Universal With MFA"
.. and providing my "Active Directory Admin". (The "Server Admin" does not work as I do not know what the password was when it was created and our sys admin said "it was blank" ??)
However, when I try to set up a linked service on Azure Data Factory and connect to the same SQL Server - I do not see that option (Azure Active Directory - Universal With MFA) in the drop down for Authentication type.
Those available
- SQL Authentication
- System Assigned Managed Identity
- Service Principal
- User Assigned Managed Identity
I tried them all, and I can't connect using either.
My understanding is that there is more to be done on the server management side, but I do not understand what.
You can use service principal method to create a success linked service to your SQL database using Azure active directory authentication. You need to follow the steps below:
First create an app registration in Azure active directory. Go to azure active directory and select App registrations.
Create a new app registration with certain name. As you can see in the above image, I have created it with the name for_sql_db.
Since you already have set your SQL server with Azure Active directory admin, create a user using the name of the app registration created above. Assign this user any required role. I have used the following queries in my query editor of SQL database.
CREATE USER [for_sql_db] FROM EXTERNAL PROVIDER;
ALTER ROLE [db_owner] ADD MEMBER [for_sql_db];
Once the user is created in your SQL database, go to data factory to create linked service.
Select the SQL server and database you want to create linked service to. Choose the Authentication as Service Principal.
Then you can see Tenant , Service principal ID and Service principal key. Go to the app registration you have created. Here you can see Directory tenant ID and application client ID. Give them as following:
linked service Tenant: Directory Tenant ID
Service principal ID: application client ID
For Service principal key, you need to create a secret in your app registration (for_sql_db).
After creating the client secret, copy its value and use it as Service principal key in data factory linked service.
You can see that, I have followed the above procedure and successfully created linked service to my SQL database.
According to Snowflake Doc for Azure:
Click the Accept button. This action allows the Azure service principal created for your Snowflake account to obtain an access token on any resource inside your tenant.
A Storage Integration requires a Service Principal to access data
Do you know how the service principal creation is managed ?
Is there a different and unique Snowflake service principal per account ? the same is valid for Reader/Managed Accounts or sub Accounts ?
Thanks
Yes, the service principal is per account basis and it follows the same principal as for other Security objects in Snowflake.
How can you access a Storage Account blob container without using an Account Key?
I can access data in Storage Account blobs in Power BI ... but it needs the account Access Key !
Is there some way to access the data using some other authentication approach, i.e. an app registration, service principal, managed identity, whatever ?
You could use Shared Access Signature(SAS) to connect Blob Storage in Power BI. This guide will help you.
If you access blob with Azure AD, it doesn't seem to integrate with Power BI. And there is a .Net code sample about creating a block blob.
Azure AD authenticates the security principal (a user,
group, or service principal) running the application. If
authentication succeeds, Azure AD returns the access token to the
application, and the application can then use the access token to
authorize requests to Azure Blob storage or Queue storage.
For more information, the document describes the options that Azure Storage offers for authorizing access to resources.
I have few linked services used to copy data from on premise server to Azure BLOB and then loading that data into Azure DB using ADF pipeline, these linked services are using a user account to authenticate, I want to replace this user account with a Service Principal name. Is it possible? If yes then how.
Thanks.
Yes,it is possible.I checked blob storage linked service and azure sql db linked service documents,then all support service principal authenticate ways. You could choose that way when you create linked services:
We just completed the data migration from Teradata system to Azure SQL DW.
Now we just need to provide necessary access to all supporting Teradata Users and Service accounts to Azure SQL DW. For this i have some basic query:
All the accounts/Users are of domain type,so can i use Azure Active
directory to set up those accounts and configure it to have access
Azure SQL DW. Please let me know the process.
What kind of privilege/Access is needed in Azure Portal for
creating those account within Azure Active Directory.
In Azure SQL DW how do i add Azure AD account to specific roles
that i'll be creating. How the authentication will happen here.
Let me know if the above steps is feasible. Is there any alternative approach in providing on-prem User accounts access to Azure SQL DW
Thanks
You can follow the instructions on the Use Azure Active Directory Authentication for authentication with SQL Database, Managed Instance, or SQL Data Warehouse for setting up Azure Active Directory with SQL Data Warehouse. A subscription admin can configure the permissions - see the Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse.
In addition, there is a description of how to create AD users Adding AD Users and Security Groups to Azure SQL Data Warehouse. It's a simple matter of using the CREATE USER and CREATE LOGIN statements.
For users:
CREATE USER <alias#domain> FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = <schema>;
For security groups:
CREATE USER <Security Group Display Name> FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = <schema>;