phktu
New Member

Error running a spark notebook reading a table from warehouse

My service principal has admin access to the workspace. I used that SPN to create a Fabric connection in Airflow. Lakehouse reads and writes work fine, but when I try to read a table from the warehouse, I get the error below:

Py4JJavaError: An error occurred while calling o5533.synapsesql.
: com.microsoft.spark.fabric.tds.error.FabricSparkTDSInternalAuthError: HTTP request forbidden. Request Id - 25ef7e29-b7ac-404d-add5-d1148821d70b.
    at com.microsoft.spark.fabric.tds.utility.FabricTDSRestfulAPIClientv2$.sendHttpRequest(FabricTDSRestfulAPIClientv2.scala:183)
    at com.microsoft.spark.fabric.tds.utility.FabricTDSRestfulAPIClientv2$.submitAndProcessHttpRequest(FabricTDSRestfulAPIClientv2.scala:105)
    at com.microsoft.spark.fabric.tds.meta.FabricTDSEndPoint$.$anonfun$discover$9(FabricTDSEndPoint.scala:326)

 

If I run the same notebook via a pipeline, I don't get any issues. Is anyone else facing an issue when running a notebook that accesses warehouse tables via Airflow?

My code:

 

config_df = spark.read.synapsesql("Warehouse.dbo.configuration")
v-nmadadi-msft
Community Support

Hi @phktu 

May I check if this issue has been resolved? If not, please feel free to contact us if you have any further questions.


Thank you

phktu
New Member

open

tayloramy
Community Champion

Hi @phktu,

 

That FabricSparkTDSInternalAuthError: HTTP request forbidden means your notebook’s identity can reach the Lakehouse (OneLake/ABFS) but doesn’t have permission to the Warehouse SQL engine that sits behind spark.read.synapsesql("Warehouse.dbo.configuration"). Pipelines work because they typically run under a different identity that does have the required Warehouse SQL permissions.

 

  1. Grant the service principal access at the Warehouse (item) level
    Give it at least “Read all data using SQL” on the Warehouse (or higher if needed). This is the Warehouse’s SQL-engine permission, separate from Lakehouse/OneLake permissions. See Microsoft’s connector permissions note here and a concise overview here.
  2. Create a database user for the SPN and add it to roles (object-level)
    -- Read tables
    ALTER ROLE db_datareader ADD MEMBER [<your-spn-app-id-or-name>];
    
    -- Optional: allow INSERT/UPDATE/DELETE
    ALTER ROLE db_datawriter ADD MEMBER [<your-spn-app-id-or-name>];
        
    The connector requires item-level + object-level permissions to read tables. Microsoft documents this requirement here. Using a service principal with Warehouse is supported and documented here.
  3. Confirm tenant setting for service principals
    In the Fabric Admin portal, ensure service principals are allowed to use Fabric (scope to your SPN’s security group if your org restricts this).

Once those are in place, your line should work:

config_df = spark.read.synapsesql("Warehouse.dbo.configuration")

Why it happens

  • Lakehouse vs Warehouse permissions: Lakehouse operations ride on OneLake permissions you already granted; the Warehouse connector (synapsesql) calls the SQL engine (TDS endpoint) which also needs SQL-style permissions. Without them, you get an HTTP 403/forbidden from the connector. See the Fabric Spark-to-Warehouse connector doc here.
  • Pipeline works, Airflow doesn’t: Your Pipeline likely executes under an identity that already has Warehouse SQL access (for example, the user who created it or a configured app). Airflow runs with your service principal, which currently lacks Warehouse SQL permissions. Similar cases have been reported with 403/forbidden until the SPN was granted SQL engine access (community examples: example, and a recent thread here).
  • Object-level matters: Even after giving “Read all data using SQL” at the item, you still need a database principal mapped and placed in db_datareader (and db_datawriter if you’ll write). A quick pattern is shown above and mirrors guidance such as this.

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.

 


I can't create a user in the Fabric warehouse.

CREATE USER [Alteryx to Azure Lakehouse/Data Warehouse (Service Principal)] FROM EXTERNAL PROVIDER;

I am getting the error below:

Msg 22424, Level 16, State 0, Line 1
CREATE USER is not a supported statement type.

Hi @phktu,
Thanks for reaching out to the Microsoft Fabric community forum.

Once warehouses are provided control plane permissions to an SPN through workspace roles or Item permissions, administrators can use T-SQL commands like GRANT to assign specific data plane permissions to service principals, to control precisely which metadata/data and operations an SPN has access to. This is recommended to follow the principle of least privilege.

GRANT SELECT ON <table name> TO <service principal name>;

 

I hope this information helps. Please do let us know if you have any further queries.
Thank you




The SPN has admin access to the workspace. I tried to run the script you provided and am getting the error below:

[Screenshot: phktu_0-1760507490364.png]

 

tayloramy
Community Champion (accepted solution)

Hi @phktu

 

I wonder if it has something to do with the special characters in your service principal's name? 

I just tried running the exact grant statement that you ran and it works in my environment: 

[Screenshot: tayloramy_0-1760536085524.png]

 

 Are you able to have the service principal renamed to remove special characters and spaces? 

 

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.


Hi @phktu 

I wanted to check if you had the opportunity to review the information provided by @tayloramy. Please feel free to contact us if you have any further questions.


Thank you.

tayloramy
Community Champion

Hi @phktu

 

My mistake, I was misreading the documentation. 

 

  • CREATE USER cannot be explicitly executed currently. When GRANT or DENY is executed, the user is created automatically. The user will not be able to connect until sufficient workspace level rights are given.

SQL Granular Permissions - Microsoft Fabric | Microsoft Learn

 

Just execute the grant statements and the user will be created automatically. 

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.
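
An added example, not written by any poster in this thread, of the grant-then-verify flow the reply above describes: the GRANT creates the database user implicitly, and the catalog query then shows exactly what that principal holds. The table dbo.configuration comes from the original question; `<service principal name>` is a placeholder, and the square brackets make any spaces or punctuation in the name part of the identifier.

```sql
-- Run against the Warehouse as a workspace admin.
-- <service principal name> is a placeholder for the SPN's display name.

-- 1. Least-privilege data-plane grant on the one table the notebook reads.
--    No CREATE USER first: per the documentation quoted above, the user is
--    created automatically when GRANT or DENY is executed.
GRANT SELECT ON dbo.configuration TO [<service principal name>];

-- 2. Verify the principal now exists and list its explicit permissions.
--    An empty result means the grant did not land on the name you expected.
SELECT
    pr.name                     AS principal_name,
    pr.type_desc                AS principal_type,
    pr.authentication_type_desc AS auth_type,
    pe.state_desc               AS grant_state,      -- GRANT or DENY
    pe.permission_name,                              -- e.g. SELECT
    pe.class_desc               AS securable_class,  -- e.g. OBJECT_OR_COLUMN
    s.name                      AS schema_name,
    o.name                      AS object_name
FROM sys.database_principals AS pr
JOIN sys.database_permissions AS pe
    ON pe.grantee_principal_id = pr.principal_id
LEFT JOIN sys.objects AS o
    ON pe.class = 1                -- object-level permissions only
   AND o.object_id = pe.major_id
LEFT JOIN sys.schemas AS s
    ON s.schema_id = o.schema_id
WHERE pr.name = N'<service principal name>';

-- 3. To withdraw the access later:
-- REVOKE SELECT ON dbo.configuration FROM [<service principal name>];
```

A table-level GRANT like this gives the principal less than db_datareader membership would, which matches the least-privilege recommendation made earlier in the thread.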

 

