Description
When calling GET /api/2.0/preview/scim/v2/ServicePrincipals/{id} to fetch a service principal by its numeric ID, the request returns 403 Forbidden even when the caller has workspace admin permissions. The same service principal can be successfully retrieved using the filter query GET /api/2.0/preview/scim/v2/ServicePrincipals?filter=id+eq+{id}.
Reproduction
from databricks.sdk import WorkspaceClient

w = WorkspaceClient()
sp_id = 141967551206753  # Numeric SP ID from an app's service_principal_id

# This FAILS with 403 Forbidden
sp_info = w.api_client.do(
    "GET", f"/api/2.0/preview/scim/v2/ServicePrincipals/{sp_id}",
    headers={"Accept": "application/json",
             "Content-Type": "application/json"},
)

# This WORKS
sp_list = w.api_client.do(
    "GET",
    f"/api/2.0/preview/scim/v2/ServicePrincipals?filter=id+eq+{sp_id}",
    headers={"Accept": "application/json",
             "Content-Type": "application/json"},
)
# Returns the SP correctly in sp_list["Resources"][0]
Expected behavior
GET /api/2.0/preview/scim/v2/ServicePrincipals/{id} should return the service principal details, the same as the filter query does.
Is it a regression?
Unknown — this was tested on SDK version 0.49.0.
Other Information
- OS: Linux (Databricks Runtime)
- SDK Version: databricks-sdk==0.49.0
- Python: 3.12.3
- Context: The service principal was auto-created by the Databricks Apps platform (w.apps.create()). The numeric ID was obtained from the app's service_principal_id field. The caller is a workspace user running a notebook.
Additional context
The error response from the direct GET:
PermissionDenied: unable to parse response.
GET /api/2.0/preview/scim/v2/ServicePrincipals/141967551206753
< 403 Forbidden
Workaround: Use the filter query endpoint instead:
sp_list = api_request("GET", f"/api/2.0/preview/scim/v2/ServicePrincipals?filter=id+eq+{sp_id}")
app_sp_client_id = sp_list["Resources"][0]["applicationId"]
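An added example, not part of the original issue and not Databricks SDK code: a lookup helper that tries the direct GET, falls back to the filter query when access is denied, and checks the fallback result before its applicationId is trusted. The names get_service_principal, fake_do and the denied parameter are hypothetical, and the sample response (including its applicationId) is constructed; with the SDK you would pass w.api_client.do and denied=(databricks.sdk.errors.PermissionDenied,).

```python
import logging

log = logging.getLogger("scim_lookup")
SCIM_SP = "/api/2.0/preview/scim/v2/ServicePrincipals"
HEADERS = {"Accept": "application/json"}


def get_service_principal(do, sp_id, denied=(PermissionError,)):
    """Fetch one service principal: direct GET, then the filter query on 403.

    do     -- callable shaped like w.api_client.do(method, path, headers=...)
    denied -- exception types that mean "403"; assumption: with the SDK this
              is (databricks.sdk.errors.PermissionDenied,)
    """
    sid = str(sp_id)
    # Only ASCII digits may reach the path or the SCIM filter expression.
    if not (sid.isascii() and sid.isdigit()):
        raise ValueError(f"service principal id must be numeric: {sp_id!r}")
    try:
        return do("GET", f"{SCIM_SP}/{sid}", headers=HEADERS)
    except denied:
        # Record the fallback so the 403 stays visible in logs.
        log.warning("direct GET denied for SP %s, using filter query", sid)
    page = do("GET", f"{SCIM_SP}?filter=id+eq+{sid}", headers=HEADERS)
    resources = page.get("Resources") or []
    # Require exactly one hit whose id is the one requested before any
    # field such as applicationId is used.
    if len(resources) != 1 or str(resources[0].get("id")) != sid:
        raise LookupError(f"filter query did not return exactly SP {sid}")
    return resources[0]


# Constructed stand-in for w.api_client.do that mimics the reported behaviour:
# the direct GET is denied, the filter query succeeds for one known id.
def fake_do(method, path, headers=None):
    if "?filter=" not in path:
        raise PermissionError("403 Forbidden")
    if path.endswith("id+eq+141967551206753"):
        return {"Resources": [{
            "id": "141967551206753",
            "applicationId": "00000000-0000-0000-0000-000000000000",
        }]}
    return {"Resources": []}
```

Unlike indexing sp_list["Resources"][0] directly, the helper raises LookupError on an empty or mismatched result instead of returning another principal's applicationId or failing with an IndexError.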