%3CLINGO-SUB%20id%3D%22lingo-sub-690641%22%20slang%3D%22en-US%22%3EMSG%2010519%20When%20Attempting%20to%20Access%20External%20Table%20via%20Polybase%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-690641%22%20slang%3D%22en-US%22%3E%3CP%3EA%20common%20problem%20that%20people%20face%20while%20setting%20up%20their%20External%20Tables%20with%20polybase%20is%20running%20into%20the%20exception%20below.%20%22This%20Request%20is%20not%20authorized%20to%20perform%20this%20action%22.%20The%20error%20occurs%20commonly%20when%20enabling%20Firewall%20restrictions%20on%20the%20Storage%20Account%20or%20you%20have%20configured%20your%20external%20data%20source%20incorrectly%20and%20the%20credentials%20provided%20does%20not%20have%20access%20to%20the%20storage%20endpoint.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EException%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EMsg%20105019%2C%20Level%2016%2C%20State%201%2C%20Line%2057%3C%2FP%3E%0A%3CP%3EExternal%20file%20access%20failed%20due%20to%20internal%20error%3A%20'Error%20occurred%20while%20accessing%20HDFS%3A%20Java%20exception%20raised%20on%20call%20to%20HdfsBridge_IsDirExist.%20Java%20exception%20message%3A%3C%2FP%3E%0A%3CP%3EHdfsBridge%3A%3AisDirExist%20-%20Unexpected%20error%20encountered%20checking%20whether%20directory%20exists%20or%20not%3A%20StorageException%3A%20This%20request%20is%20not%20authorized%20to%20perform%20this%20operation.'%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHistorically%20we%20did%20not%20allow%20you%20to%20connect%20to%20a%20secured%20storage%20account%20via%20Polybase%20the%20connection%20was%20not%20possible%20with%20the%20use%20of%20the%20WASBS%20driver%20and%20the%20Storage%20Key%20as%20per%20the%20following%20example%20%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23339966%22%3E--%20Create%20a%20database%20master%20key%20if%20one%20does%20not%20already%20exist%2C%20using%20your%20own%20password.%20This%20key%20is%20used%20to%20encrypt%20the%20credential%20secret%20in%20next%20step.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3ECREATE%20MASTER%20KEY%20ENCRYPTION%20BY%20PASSWORD%20%3D%20'S0me!nfo'%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3E%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23339966%22%3E--%20Create%20a%20database%20scoped%20credential%20with%20Azure%20storage%20account%20key%20as%20the%20secret.%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3ECREATE%20DATABASE%20SCOPED%20CREDENTIAL%20AzureStorageCredential%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3EWITH%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3EIDENTITY%20%3D%20'%3CMY_ACCOUNT%3E'%3C%2FMY_ACCOUNT%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3E%2C%20SECRET%20%3D%20'%3CAZURE_STORAGE_ACCOUNT_KEY%3E'%3C%2FAZURE_STORAGE_ACCOUNT_KEY%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3E%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23339966%22%3E--%20Create%20an%20external%20data%20source%20with%20CREDENTIAL%20option.%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3ECREATE%20EXTERNAL%20DATA%20SOURCE%20MyAzureStorage%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3EWITH%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3E(%20LOCATION%20%3D%20'wasbs%3A%2F%2Fdaily%40logs.blob.core.windows.net%2F'%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3E%2C%20CREDENTIAL%20%3D%20AzureStorageCredential%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3E%2C%20TYPE%20%3D%20HADOOP%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3E)%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%23339966%22%3E%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESolution%20%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EIn%20order%20to%20connect%20to%20a%20Secured%20Storage%20account%20with%20Polybase%20one%20has%20to%20change%20to%20the%20newly%20created%20ABFSS%20driver%20and%20Managed%20Service%20Identity%20Credential%20which%20connects%20to%20a%20new%20endpoint.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENOTE%20%3A%20Only%20Gen%202%20Storage%20Accounts%20support%20this%20configuration%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EFirst%20create%20the%20Managed%20Service%20Identity%20for%20the%20Logical%20Server%20hosting%20the%20Azure%20DW%20within%20Azure%20Powershell%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%233366FF%22%3EConnect-AzAccount%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%233366FF%22%3ESelect-AzSubscription%20-SubscriptionId%20your-subscriptionId%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%233366FF%22%3ESet-AzSqlServer%20-ResourceGroupName%20your-database-server-resourceGroup%20-ServerName%20your-database-servername%20-AssignIdentity%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3ENext%20grant%20the%20relevant%20permissions%20to%20the%26nbsp%3B%20Managed%20Service%20Identity%20on%20the%20storage%20account%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EUnder%20your%20storage%20account%2C%20navigate%20to%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EAccess%20Control%20(IAM)%3C%2FSTRONG%3E%3CSPAN%3E%2C%20and%20click%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EAdd%20role%20assignment%3C%2FSTRONG%3E%3CSPAN%3E.%20Assign%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EStorage%20Blob%20Data%20Contributor%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3BRBAC%20role%20to%20your%20SQL%20Database%20server.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3ECreate%20the%20new%20Credential%20in%20SQL%20to%20make%20use%20of%20the%20Manged%20Service%20Identity%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%233366FF%22%3ECREATE%20DATABASE%20SCOPED%20CREDENTIAL%20msi_cred%20WITH%20IDENTITY%20%3D%20'Managed%20Service%20Identity'%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3EExternal%20Data%20Source%20should%20now%20be%20created%20with%20newly%20created%20credentials%20%2C%20driver%20and%20endpoint%20as%20per%20highlighted%20example%20below%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%233366FF%22%3ECREATE%20EXTERNAL%20DATA%20SOURCE%20ext_datasource_with_abfss%20WITH%20(TYPE%20%3D%20hadoop%2C%20LOCATION%20%3D%20'%3CSTRONG%3Eabfss%3C%2FSTRONG%3E%3A%2F%2Fmyfile%40mystorageaccount.%3CSTRONG%3Edfs.core.windows.net%3C%2FSTRONG%3E'%2C%20CREDENTIAL%20%3D%20%3CSTRONG%3Emsi_cred%3C%2FSTRONG%3E)%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EFor%20detailed%20instructions%20and%20information%20refer%20to%20the%20following%20documentation%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsql-database%2Fsql-database-vnet-service-endpoint-rule-overview%3Ftoc%3D%2Fazure%2Fsql-data-warehouse%2Ftoc.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsql-database%2Fsql-database-vnet-service-endpoint-rule-overview%3Ftoc%3D%2Fazure%2Fsql-data-warehouse%2Ftoc.json%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20all%20of%20the%20required%20actions%20are%20not%20completed%20you%20will%20not%20be%20able%20to%20connect%20to%20the%20secured%20storage%20account.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-690641%22%20slang%3D%22en-US%22%3E%3CP%3ESetting%20up%20External%20Objects%20with%20Polybase%20can%20lead%20to%20problems%20if%20you%20do%20not%20following%20the%20instructions%2C%20recently%20a%20more%20comment%20exception%20has%20been%20surfacing%20especially%20with%20Secured%20Storage%20follow%20this%20article%20for%20more%20information%20on%20how%20to%20overcome%20this%20common%20problem.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-690641%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESynapse%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESynapse%20SQL%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESynapse%20Support%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

A common problem that people face while setting up their External Tables with polybase is running into the exception below. "This Request is not authorized to perform this action". The error occurs commonly when enabling Firewall restrictions on the Storage Account or you have configured your external data source incorrectly and the credentials provided does not have access to the storage endpoint. 

 

Exception:

Msg 105019, Level 16, State 1, Line 57

External file access failed due to internal error: 'Error occurred while accessing HDFS: Java exception raised on call to HdfsBridge_IsDirExist. Java exception message:

HdfsBridge::isDirExist - Unexpected error encountered checking whether directory exists or not: StorageException: This request is not authorized to perform this operation.'

 

Historically we did not allow you to connect to a secured storage account via Polybase the connection was not possible with the use of the WASBS driver and the Storage Key as per the following example :

 

-- Create a database master key if one does not already exist, using your own password. This key is used to encrypt the credential secret in next step.


CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'S0me!nfo'
;

-- Create a database scoped credential with Azure storage account key as the secret.
CREATE DATABASE SCOPED CREDENTIAL AzureStorageCredential
WITH
IDENTITY = '<my_account>'
, SECRET = '<azure_storage_account_key>'
;

-- Create an external data source with CREDENTIAL option.
CREATE EXTERNAL DATA SOURCE MyAzureStorage
WITH
( LOCATION = 'wasbs://daily@logs.blob.core.windows.net/'
, CREDENTIAL = AzureStorageCredential
, TYPE = HADOOP
)
;

 

Solution :

In order to connect to a Secured Storage account with Polybase one has to change to the newly created ABFSS driver and Managed Service Identity Credential which connects to a new endpoint.

 

NOTE : Only Gen 2 Storage Accounts support this configuration

 

First create the Managed Service Identity for the Logical Server hosting the Azure DW within Azure Powershell 

 

Connect-AzAccount
Select-AzSubscription -SubscriptionId your-subscriptionId
Set-AzSqlServer -ResourceGroupName your-database-server-resourceGroup -ServerName your-database-servername -AssignIdentity

 

Next grant the relevant permissions to the  Managed Service Identity on the storage account 

 

Under your storage account, navigate to Access Control (IAM), and click Add role assignment. Assign Storage Blob Data Contributor RBAC role to your SQL Database server.

 

Create the new Credential in SQL to make use of the Manged Service Identity

 

CREATE DATABASE SCOPED CREDENTIAL msi_cred WITH IDENTITY = 'Managed Service Identity';

 

External Data Source should now be created with newly created credentials , driver and endpoint as per highlighted example below 

 

CREATE EXTERNAL DATA SOURCE ext_datasource_with_abfss WITH (TYPE = hadoop, LOCATION = 'abfss://myfile@mystorageaccount.dfs.core.windows.net', CREDENTIAL = msi_cred);

 

For detailed instructions and information refer to the following documentation 

 

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview...

 

If all of the required actions are not completed you will not be able to connect to the secured storage account.