How to allow Databricks to only read from one storage account and read/write from a different storage account?

Brian Dietrich 0 Reputation points
2025-02-27T22:29:11.89+00:00

RBAC setup:

Under the same subscription I have resource group 1 and resource group 2. There is a Databricks instance created in resource group 1 in which a service principal was created. Within the resource group 1 storage account the service principal is granted Storage Blob Data Contributor, while in the storage account of resource group 2 the service principal is only granted Storage Blob Data Reader. Containers from RG1 and RG2 are mounted to Databricks using the SP credentials and OAuth auth type via dbutils.fs.mount.


Issue:

User A has Contributor access in the RG1 storage account and no access in the RG2 storage account. User A can read/write data from the mount point of RG1 as expected. However, User A can also read/write from the mount point of RG2 despite the lack of permissions. What are the ways to restrict access for RG2 to read-only?

Azure Databricks

1 answer

  1. J N S S Kasyap 270 Reputation points Microsoft Vendor
    2025-02-28T03:46:02.0966667+00:00

    Hi @Brian Dietrich

    Thank you for posting your query!

    The issue arises because when you mount Azure Data Lake Storage (ADLS) containers in Databricks using a Service Principal (SP), all users inherit the permissions of that Service Principal for the mounted storage. In your case, the Service Principal has Storage Blob Data Reader permissions on the storage account in Resource Group 2 (RG2).
    However, Databricks mounts do not enforce read-only access; once mounted, users can perform both read and write operations, regardless of the Service Principal's permissions.

    To restrict access to RG2 to read-only, consider the options below:

    Instead of mounting the storage, use abfss:// paths directly to enforce Azure RBAC permissions, ensuring users have only their assigned access.

    Use Unity Catalog with external locations to grant read/write access for RG1 and read-only access for RG2, avoiding mount-based access issues. Unity Catalog is the best approach.

    Configure storage-level ACLs to enforce read-only access, preventing unauthorized modifications even if the storage is mounted.

    Hope this helps. Do let us know if you have any further queries.


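The Unity Catalog option from the answer above, worked through as an added example that is not part of the original question or answer. Every name in it is a placeholder I chose: the storage accounts `rg1storage` and `rg2storage`, the container `data`, the storage credential `adls_access_connector`, and the user `user_a@contoso.com`. It assumes Unity Catalog is enabled on the workspace, that the caller is a metastore admin, and that the storage credential already exists and is backed by an Azure Databricks Access Connector whose managed identity holds Storage Blob Data Contributor on the RG1 account and Storage Blob Data Reader on the RG2 account (the same RBAC split the question describes for the service principal).

```sql
-- Added example (not from the question or answer): per-storage-account
-- privileges through Unity Catalog external locations.
-- Assumed placeholders: rg1storage, rg2storage, container "data",
-- storage credential adls_access_connector, user user_a@contoso.com.

-- One external location per container. Unlike a dbutils.fs.mount, which
-- hands every cluster user the service principal's credential, Unity
-- Catalog checks the calling user's grants before it touches storage.
CREATE EXTERNAL LOCATION IF NOT EXISTS rg1_data
  URL 'abfss://data@rg1storage.dfs.core.windows.net/'
  WITH (STORAGE CREDENTIAL adls_access_connector)
  COMMENT 'RG1: read/write for analysts';

CREATE EXTERNAL LOCATION IF NOT EXISTS rg2_data
  URL 'abfss://data@rg2storage.dfs.core.windows.net/'
  WITH (STORAGE CREDENTIAL adls_access_connector)
  COMMENT 'RG2: read-only for analysts';

-- RG1: User A may read and write through this location.
GRANT READ FILES, WRITE FILES ON EXTERNAL LOCATION rg1_data
  TO `user_a@contoso.com`;

-- RG2: READ FILES only. With no WRITE FILES grant, a path write is
-- rejected by Unity Catalog before any request reaches the storage
-- account, so the outcome no longer depends on what the credential's
-- identity is allowed to do in Azure.
GRANT READ FILES ON EXTERNAL LOCATION rg2_data
  TO `user_a@contoso.com`;

-- Check for a bypass: WRITE FILES granted directly on the storage
-- credential would allow writes to any path that credential reaches,
-- regardless of the per-location grants above. The credential should
-- carry no user-facing grants at all.
SHOW GRANTS ON STORAGE CREDENTIAL adls_access_connector;

-- Verify the effective grants on each location.
SHOW GRANTS ON EXTERNAL LOCATION rg1_data;
SHOW GRANTS ON EXTERNAL LOCATION rg2_data;

-- Smoke test, run as User A on a Unity Catalog-enabled cluster or SQL
-- warehouse: listing RG2 succeeds because of READ FILES, while any write
-- to a path under rg2_data (for example a DataFrame save to
-- abfss://data@rg2storage.dfs.core.windows.net/scratch/ from a notebook)
-- fails with a permission error. The same write under rg1_data succeeds.
LIST 'abfss://data@rg2storage.dfs.core.windows.net/';
LIST 'abfss://data@rg1storage.dfs.core.windows.net/';
```

The existing RG2 mount should also be removed (`dbutils.fs.unmount` on the mount point), because the mount keeps using the service principal's credential for every user and is outside Unity Catalog's control; as long as it stays mounted, User A can keep going through `/mnt/...` instead of the governed `abfss://` path.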
