

Enable workload identity federation for GitHub Actions

Important

Databricks OAuth token federation is in Public Preview.

Databricks OAuth token federation, also known as OpenID Connect (OIDC), allows your automated workloads running outside of Databricks to securely access Databricks without the need for Databricks secrets. See Authenticate access to Azure Databricks using OAuth token federation.

To enable workload identity federation for GitHub Actions:

  1. Create a federation policy
  2. Configure the GitHub Actions YAML file

After you enable workload identity federation, the Databricks SDKs and the Databricks CLI automatically fetch workload identity tokens from GitHub and exchange them for Databricks OAuth tokens.

Create a federation policy

First, use the Databricks CLI to create a workload identity federation policy. For GitHub, set the following values for the policy:

  • issuer: https://token.actions.githubusercontent.com
  • audiences: the URL of the repository owner on GitHub (for example https://github.com/my-org), which is the default aud claim GitHub places in the token. Or you can omit this field, in which case the Databricks account ID is used as the expected audience instead.
  • subject: the token's sub claim, a concatenation of values taken from the GitHub Actions job context, for example repo:my-org/my-repo:environment:prod

Note

To ensure that your GitHub Actions subject is consistent, Databricks recommends specifying an environment; without one, the subject varies with the branch, tag, or event that triggered the workflow. See Using environments for deployment and Filtering for a specific environment.

For example, given a GitHub repository named my-repo that belongs to a GitHub organization named my-org, with a Databricks service principal whose numeric ID is 5581763342009999 (the numeric ID, not the application ID), create a federation policy using the following Databricks CLI command:

databricks account service-principal-federation-policy create 5581763342009999 --json '{
  "oidc_policy": {
    "issuer": "https://token.actions.githubusercontent.com",
    "audiences": [
      "https://github.com/my-org"
    ],
    "subject": "repo:my-org/my-repo:environment:prod"
  }
}'

Configure the GitHub Actions YAML file

Next, configure the GitHub Actions YAML file. Set the following environment variables:

  • DATABRICKS_AUTH_TYPE: github-oidc
  • DATABRICKS_HOST: your Databricks workspace URL
  • DATABRICKS_CLIENT_ID: the service principal's application ID (a UUID, not the numeric ID used in the federation policy command)

The workflow must also grant the job the id-token: write permission so that it can request an OIDC token from GitHub, and its environment must match the one named in the policy subject. For example:

name: GitHub Actions Demo
run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
on: workflow_dispatch

permissions:
  id-token: write   # required so the job can request a GitHub OIDC token
  contents: read    # least privilege for the checkout step

jobs:
  my_script_using_wif:
    runs-on: ubuntu-latest
    environment: prod   # must match the ":environment:prod" part of the policy subject
    env:
      DATABRICKS_AUTH_TYPE: github-oidc
      DATABRICKS_HOST: https://my-workspace.cloud.databricks.com/
      DATABRICKS_CLIENT_ID: a1b2c3d4-ee42-1eet-1337-f00b44r   # placeholder application ID

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Databricks CLI
        # @main tracks a mutable branch; pin a release tag or commit SHA for a reviewable supply chain
        uses: databricks/setup-cli@main

      - name: Run Databricks CLI commands
        # The CLI fetches the GitHub OIDC token and exchanges it for a Databricks OAuth token
        run: databricks current-user me