I have a Databricks workspace provisioned in my own Azure subscription for my own learning purposes.
I would like to access the containers in the Databricks managed storage account via the Azure Portal UI; however, when I attempt to do so:
The client 'my@email' with object id 'myobjectid' has permission to
perform action 'Microsoft.Storage/storageAccounts/listKeys/action'
on scope '/my/storage/account'; however,
the access is denied because of the deny assignment
with name 'System deny assignment created by
Azure Databricks /my/workspace' and Id 'myid' at scope '/my/workspace'.
How can I grant all permissions to my Azure account owner (me)?
You can't do this on the managed resource group created by Azure Databricks even if you're the owner - it's a resource managed by Databricks, and it prevents direct access to the data because it stores some system information inside the storage account. If you attempt to do this, you will get an error like this:
Failed to add User as Storage Blob Data Contributor for dbstorageveur7e23e27e4c : The client '....' with object id '...' has permission to perform action 'Microsoft.Authorization/roleAssignments/write' on scope '/subscriptions/..../resourceGroups/databricks-rg-...-jm5c8b2za1oks/providers/Microsoft.Storage/storageAccounts/dbstorageveur7e23e27e4c/providers/Microsoft.Authorization/roleAssignments/f2bc46d3-4aee-4d8f-803d-3d6324b5c094'; however, the access is denied because of the deny assignment with name 'System deny assignment created by Azure Databricks /subscriptions/.../resourceGroups/.../providers/Microsoft.Databricks/workspaces/...' and Id '99598a6270644ecdacfb23af7b0df9a0' at scope '/subscriptions/....resourceGroups/databricks-rg-...-jm5c8b2za1oks'..
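The precedence described in the answer above, as an added example that is not part of the original answer: a small Python model of how a matching deny assignment overrides an Owner role assignment at an inherited scope. All ids, scopes and the deny assignment's actions, notActions and excluded principal are constructed for illustration and are not read from a real Databricks workspace.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

EVERYONE = "00000000-0000-0000-0000-000000000000"  # "all principals" id in deny assignments
def _matches(action, patterns):  # Azure action strings are case-insensitive
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _in_scope(target, scope):  # assignments are inherited by child scopes
    t, s = target.lower(), scope.lower().rstrip("/")
    return t == s or t.startswith(s + "/")

@dataclass
class RoleAssignment:
    principal: str
    scope: str
    actions: list

@dataclass
class DenyAssignment:
    name: str
    scope: str
    actions: list
    not_actions: list = field(default_factory=list)
    exclude_principals: list = field(default_factory=list)
    principals: list = field(default_factory=lambda: [EVERYONE])

    def blocks(self, who, action, target):
        applies = EVERYONE in self.principals or who in self.principals
        return (applies and who not in self.exclude_principals
                and _in_scope(target, self.scope)
                and _matches(action, self.actions)
                and not _matches(action, self.not_actions))

def authorize(who, action, target, roles, denies):
    """Return (allowed, reason); a matching deny assignment beats any role."""
    if not any(r.principal == who and _in_scope(target, r.scope)
               and _matches(action, r.actions) for r in roles):
        return False, "no role assignment grants the action"
    for d in denies:
        if d.blocks(who, action, target):
            return False, f"deny assignment '{d.name}'"
    return True, "allowed"

# Constructed sample data: placeholder ids; not_actions/exclude_principals are assumptions
SUB = "/subscriptions/sub-0"
MRG = SUB + "/resourceGroups/databricks-rg-example"
STORAGE = MRG + "/providers/Microsoft.Storage/storageAccounts/dbstorageexample"
ROLES = [RoleAssignment("owner-id", SUB, ["*"]), RoleAssignment("dbx-app-id", MRG, ["*"])]
DENIES = [DenyAssignment("System deny (constructed)", MRG, actions=["*"],
                         not_actions=["*/read"], exclude_principals=["dbx-app-id"])]
```

Calling `authorize("owner-id", "Microsoft.Storage/storageAccounts/listKeys/action", STORAGE, ROLES, DENIES)` reproduces the shape of the portal error: the role grants the action, and the deny assignment still blocks it.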