Databricks CI/CD, Continous Deployment : PowerBI Semantic Model, Databricks credentials update

Most of the modern data tools are able to provide support for CI/CD for your implemented solutions. PowerBI somehow was lacking lot of functionality in this regard, Recently lot of development happened with the Fabric integration. There ave been endless options with different tools and libraries formerly, XMLA endpoints, different opensource editors like tabular editor and tools aiming for doing the tasks around PBI deployment. In a future post I will summarize what other steps may would be neeeded, This time I am focusing on a real painpoint which was to update the PBI Service to use a Service Principal to access Databricks and refresh Semantic Models.

Take a first step to outline the problem. After a successful publishing of a semantic model, either the data content is deployed togeter with the model (depending on the format) or somehow the data need to be updated from the sources. To query the sources there have not been too many ways around either to authenticate a connection on the PowerBI User interface manually or hardcode in some form the credentials into the Semantic Model itself for deployment. For automated deployment and source control both are not really an applicable way.

The solution is to use the REST API. One difficulty here, that there is a limited information how to form the requests to update semantic models, as well how to reach the datasource representation. In Power BI Service, a Datasource is the connection link between your report and the actual place where your raw data lives. It is not the data itself, but rather the "connection string" and credentials Power BI uses to fetch that data. Basicly when on the UI you edit the properties of the Semantic Model in the fileds cloud connections and data source login information you edit this entity.

The endpoint to user to perform the patch request is Gateways - Update Datasource - REST API (Power BI Power BI REST APIs) | Microsoft Learn :

PATCH https://api.powerbi.com/v1.0/myorg/gateways/{gatewayId}/datasources/{datasourceId}

and the patch body should look like (Powershell before json conversion):

# create HTTP request body to patch datasource credentials
              $patchBody = @{
                "credentialDetails" = @{
                  "credentials" = "{""credentialData"":[{""name"":""username"",""value"":""token""},{""name"":""password"",""value"":""$(dataBricksJobWorkspacePersonalAccessToken)""}]}"
                  "credentialType" = "Basic"
                  "encryptedConnection" =  "Encrypted"
                  "encryptionAlgorithm" = "None"
                  "privacyLevel" = "Organizational"
                }
              } 

The username should be token, the $(dataBricksJobWorkspacePersonalAccessToken) is a PAT token, probably works also with Service Principal secrets. No other authenticaiton method is supported based on the documentation, with this PATCH api endpoint.

The gatewayid exists (implicitly) for private cloud connections as well (even if there is no on-prem connection defined). You can query it using the REST API connecting to the semantic model endpoint, or using any tool for interacting with the api, like python and powershell libraries, which I will describe in a future post.