I am able to confirm that Azure SQL Data Warehouse’s PolyBase capability does indeed work in being able to reference data in ADLS Gen2 using the system-assigned MSI when that MSI only has ACL access and not RBAC access.
There are 2 things to consider when applying ACLs in ADLS Gen2:
1. Irrespective of where the MSI is granted read ‘R’ and/or write ‘W’ access, the principal MUST have execute ‘X’ permission from the root directory all the way down to the data directory. This allows the MSI to traverse the directory structure and will fail without this permission.
2. The ‘Principal ID’ of the MSI must be the GUID value specified in the ACL. This can be obtained using the PowerShell ‘Get-AzSqlServer’ cmdlet.
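The traversal rule in point 1, as an added example that is not part of the original comment: an offline check over POSIX-style ACL strings that reports which directory on the way to the data directory lacks ‘X’ for the MSI. The GUID, paths and ACL strings are constructed sample values, and the code assumes the MSI is neither the owning user nor a member of any listed group.

```python
MSI = "11111111-2222-3333-4444-555555555555"  # placeholder Principal ID (constructed)

def effective(acl: str, principal: str) -> str:
    """Effective 'rwx' string for a named-user entry in a POSIX-style ACL.

    Assumption: the principal is not the owning user and is in no group,
    so only its named-user entry (limited by the mask) or 'other' applies.
    """
    named, mask, other = None, "rwx", "---"
    for entry in acl.split(","):
        entry = entry.strip()
        if entry.startswith("default:"):
            continue  # default ACLs only seed new children; they grant nothing here
        scope, ident, perms = entry.split(":")
        if scope == "user" and ident == principal:
            named = perms
        elif scope == "mask":
            mask = perms
        elif scope == "other":
            other = perms
    if named is None:
        return other
    # A named-user entry is capped by the mask, bit by bit.
    return "".join(p if p == m else "-" for p, m in zip(named, mask))

def check_path(acls: dict, data_dir: str, principal: str, need: str = "r") -> list:
    """Return (directory, missing_permission) pairs; an empty list means OK."""
    parts = [p for p in data_dir.strip("/").split("/") if p]
    chain = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    problems = []
    for directory in chain:
        perms = effective(acls[directory], principal)
        if "x" not in perms:  # 'X' is required on every level, root included
            problems.append((directory, "x"))
        if directory == chain[-1]:  # 'R'/'W' only matter on the data directory
            problems += [(directory, f) for f in need if f not in perms]
    return problems

# Constructed sample: the MSI has R-X on the data directory but no entry on /raw.
SAMPLE = {
    "/": f"user::rwx,user:{MSI}:--x,group::r-x,mask::r-x,other::---",
    "/raw": "user::rwx,group::r-x,other::---",
    "/raw/sales": f"user::rwx,user:{MSI}:r-x,group::r-x,mask::r-x,other::---",
}
FIXED = dict(SAMPLE, **{"/raw": f"user::rwx,user:{MSI}:--x,group::r-x,mask::--x,other::---"})

if __name__ == "__main__":
    print(check_path(SAMPLE, "/raw/sales", MSI))  # the intermediate directory blocks traversal
    print(check_path(FIXED, "/raw/sales", MSI))
```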
Correct - we kept the title for consistency with how it was billed at Build; unfortunately, we were pressed for time and didn't get through all of Ralph's content. We're going to schedule him for an in-studio episode soon.
@Bazul - With an ASE there's no public endpoint. When using the hosted agents for Azure Pipelines, they're not placed in a VNet, so they can't communicate with a node inside ASE ("myappservice.scm.na.cloud.mycompany" won't resolve on the public internet).
Azure DevOps Portal can see the ASE only because Azure DevOps is communicating with the Azure Resource Manager APIs, which are confirming that the resource exists and are giving the endpoint. But the Azure Resource Manager APIs cannot allow deployments, which require communication with Kudu running on the ASE nodes.
Hi Joel - I'm sorry you're not happy with the informality of Azure Friday. The format of the show is an engineer to engineer conversation, so we don't script the show and guest performance varies as people do. If you're having difficulty with sound level (not able to repro here) you can turn on captions, which also make the content accessible for many languages.