Notebook - This request is not authorized to perform this operation. , 403

Hi ,

Able to solve the issue of reading the data from ADLS gen2 by using the native capability of synapse to create a linked server connection to the file.

This works same as the linked service from synapse pipeline. So we reuse those linked service to connection for reading the files.

When the type of LS s managed identity , we can use the below code to read the file (this can be extended for json , parquet and other formats)

%%pyspark

# Python code

spark.conf.set("spark.storage.synapse.linkedServiceName", "<lINKED SERVICE NAME>") spark.conf.set("fs.azure.account.oauth.provider.type", "com.microsoft.azure.synapse.tokenlibrary.LinkedServiceBasedTokenProvider") df = spark.read.csv('abfss://<CONTAINER>@<ACCOUNT>.dfs.core.windows.net/<DIRECTORY PATH>') df.show()

Hope this helps.

Hi  @Liliam_Leme 

I am trying to read a file in storage account from by Spark notebook.

I am able to create Linked service to the storage , read and write files using copy data , but not able to read it from spark notebook.

I gave  Synapse MSI and user group "Storage Blob Data Contributor access" on the storage

Added Synapse workspace in the firewall rule. 

Still getting the same error ""This request is not authorized to perform this operation.", 403"

I am currently having the same problem. The Storage Account that it is trying to access was created together with Azure Synapse Analytics. I have the contributor permission for the Storage Account as well. The problem goes away when I change the firewall setting to 'All Network'. I have a private endpoint from the Storage Account set in the Managed Vnet too.

Liliam_C_Leme 

1. I don't have VNet
2. There are no firewall restrictions
3. No Synapse and storage are not in same subscription
4. Yes I can browse folder through Integration dataset created by Linked service
5. Error is intermittent not consistent
   1. In most runs I get error and in some runs it succeeds
6. I am connecting using SPN through spark conf:
   1. spark.conf.set("spark.storage.synapse.linkedServiceName", linkedServiceName)
      spark.conf.set("fs.azure.account.oauth.provider.type", "com.microsoft.azure.synapse.tokenlibrary.LinkedServiceBasedTokenProvider")

I get the same message running azcopy at the command line. I have authorized myself as owner of the container, storage account and the resource group and have logged into azcopy using the AD tenant, per instructions. It works fine when I use SAS but not with Active Directory authentication. Frankly, I don't see how it can work because the AD tenant it not tied to the container but those are the instructions.

Hi,GauravKhattar  do you have Vnet enable? is the error the same with or without the firewall?  Is this storage account on the same subscription? Can you connect on it with the Synapse linked server? is Synapse configured to pass through the firewall ( if it is enabled)? Connect to a secure storage account from your Azure Synapse workspace - Azure Synapse Analytics | Microsoft Docs

Did you create this workspace on top of SQLDW ( former). If that is the case, can you try to add a private endpoint?

Hi Liliam_C_Leme 

I have assigned following permissions:

1. Myself and Synapse identity as Storage Blob Contributor
2. Myself as Synapse Admin
3. Added Myself and Synapse identity to ACL with Read, Write and Execute permissions on container

Still I'm getting this error