Databricks OAuth token federation enables you to securely access Databricks APIs using tokens from your identity provider (IdP). To enable OAuth token federation, you must configure a federation policy, either as Databricks account-wide or for workloads.
This article describes how to create and configure an OAuth token federation policy.
note
You cannot create a federation policy using the Databricks CLI in the Databricks workspace web terminal.
Account-wide token federationâAccount admins can configure OAuth token federation in the Databricks account using an account federation policy. An account federation policy enables all users and service principals in your Databricks account to access Databricks APIs using tokens from your identity provider. An account federation policy specifies:
For example, given the following account federation policy:
issuer: "https://idp.mycompany.com/oidc"
audiences: ["databricks"]
subject_claim: "sub"
This JWT body can be used to authenticate to Databricks as username@mycompany.com:
JSON
{
"iss": "https://idp.mycompany.com/oidc",
"aud": "databricks",
"sub": "username@mycompany.com"
}
To configure an account federation policy, you must specify:
The required token issuer, specified in the iss claim of your tokens. The issuer is an HTTPS URL that identifies your identity provider.
The allowed token audiences, specified in the aud claim of your tokens. This identifier represents the recipient of the token. As long as the audience in the token matches at least one audience in the policy, the token is considered a match. If unspecified, the default value is your Databricks account ID.
The subject claim. This indicates which token claim contains the Databricks username of the user the token was issued for. If unspecified, the default value is sub.
Optionally, the public keys (or the URL of the public keys) used to validate the signature of your tokens, in JSON Web Key Sets (JWKS) format. If unspecified (recommended), Databricks automatically fetches the public keys from your issuer's well known endpoint. Databricks strongly recommends relying on your issuer's well known endpoint for discovering public keys.
note
If you do not specify a JWKS or a jwks_uri in your federation policy, your identity provider must serve OpenID Provider Metadata at {issuer-url}/.well-known/openid-configuration. The OpenID Provider Metadata must include a jwks_uri that specifies the location of the public keys used to verify token signatures.
Account admins can configure an account federation policy using the Databricks CLI (version 0.239.0 and above) or the Databricks API. You can specify up to 20 account federation policies in your Databricks account.
Install or update to the newest version of the Databricks CLI.
As an account admin, authenticate to your Databricks account using the CLI. Specify the ACCOUNT_CONSOLE_URL and your Databricks ACCOUNT_ID.
Bash
databricks auth login --host ${ACCOUNT_CONSOLE_URL} --account-id ${ACCOUNT_ID}
Create the account federation policy. For example:
Bash
databricks account federation-policy create --json \
'{
"oidc_policy": {
"issuer": "https://idp.mycompany.com/oidc",
"audiences": [
"databricks"
],
"subject_claim": "sub"
}
}'
The following is an example Databricks REST API call to create an account federation policy:
Bash
curl --request POST \
--header "Authorization: Bearer $TOKEN" \
"https://accounts.cloud.databricks.com/api/2.0/accounts/${ACCOUNT_ID}/federationPolicies" \
--data '{
"oidc_policy": {
"issuer": "https://idp.mycompany.com/oidc",
"audiences": [
"databricks"
],
"subject_claim": "sub"
}
}'
The following table provides example account federation policies and the matching JWT body.
Workload identity federationâWorkload identity federation allows your automated workloads running outside of Databricks to access Databricks APIs without the need for Databricks secrets. Account admins can configure workload identity federation using a service principal federation policy.
A service principal federation policy is associated with a service principal in your Databricks account, and specifies:
For example, given the following service principal federation policy for a Github Actions workload:
issuer: "https://token.actions.githubusercontent.com"
audiences: ["https://github.com/my-github-org"]
subject: "repo:my-github-org/my-repo:environment:prod"
This JWT body can be used to authenticate to Databricks:
JSON
{
"iss": "https://token.actions.githubusercontent.com",
"aud": "https://github.com/my-github-org",
"sub": "repo:my-github-org/my-repo:environment:prod"
}
To configure a service principal federation policy, you must specify:
The required token issuer, specified in the iss claim of workload identity tokens. The issuer is an HTTPS URL that identifies the workload identity provider.
The required token subject, specified in the sub claim of workload identity tokens. The subject uniquely identifies the workload in the workload runtime environment.
The allowed token audiences, specified in the aud claim of workload identity tokens. The audience represents the recipient of the token. As long as the audience in the token matches at least one audience in the policy, the token is considered a match. If unspecified, the default value is your Databricks account ID.
Optionally, the public keys (or the URL of the public keys) used to validate the signature of the workload identity tokens, in JSON Web Key Sets (JWKS) format. If unspecified (recommended), Databricks automatically fetches the public keys from the issuer's well known endpoint. Databricks strongly recommends relying on the issuer's well known endpoint for discovering public keys.
note
If you do not specify a JWKS or a jwks_uri in your federation policy, your identity provider must serve OpenID Provider Metadata at {issuer-url}/.well-known/openid-configuration. The OpenID Provider Metadata must include a jwks_uri that specifies the location of the public keys used to verify token signatures.
Optionally, the subject claim. This indicates which token claim contains the workload identity (or subject) of the token. If it is unspecified, the default value is sub. Databricks strongly recommends using the default sub claim for workload identity federation. A claim other than sub should only be used in cases where the sub claim is not an appropriate or stable subject identifier, which is uncommon. See Example service principal federation policies below for details.
Account admins can configure a service principal federation policy using the Databricks CLI (version 0.239.0 and above) or the Databricks API. You can create up to 20 service principal federation policies per Databricks service principal.
Install or update to the newest version of the Databricks CLI.
As an account admin, authenticate to your Databricks account using the CLI. Specify the ACCOUNT_CONSOLE_URL and your Databricks ACCOUNT_ID:
Bash
databricks auth login --host ${ACCOUNT_CONSOLE_URL} --account-id ${ACCOUNT_ID}
Get the numeric ID of the service principal that will have the federation policy applied to it. (For example, 3659993829438643.)
If you know the service principal application ID (typically a GUID value, such as bc3cfe6c-469e-4130-b425-5384c4aa30bb) in advance, you can then determine the service principal numeric ID using the Databricks CLI:
Bash
databricks account service-principals list --filter 'applicationId eq "<service-principal-application-id>"'
Create the service principal federation policy. Here is an example of creating a federation policy for a GitHub Action:
Bash
databricks account service-principal-federation-policy create ${SERVICE_PRINCIPAL_NUMERIC_ID} --json \
'{
"oidc_policy": {
"issuer": "https://token.actions.githubusercontent.com",
"audiences": [
"https://github.com/my-github-org"
],
"subject": "repo:my-github-org/my-repo:environment:prod"
}
}'
Get the numeric ID of the service principal that will have the federation policy applied to it, for example, 3659993829438643. If you know the service principal application ID (typically a GUID value, such as bc3cfe6c-469e-4130-b425-5384c4aa30bb) in advance, you can then determine the service principal numeric ID using the Databricks service principal REST API:
Bash
curl --get \
--header "Authorization: Bearer $TOKEN" \
"https://accounts.cloud.databricks.com/api/2.0/accounts/${ACCOUNT_ID}/scim/v2/ServicePrincipals" \
--data-urlencode 'filter=applicationId eq "<service-principal-application-id>"'
The service principal numeric ID is returned in the id field of the response.
Create the service principal federation policy. Here is an example of creating a federation policy for a GitHub Action:
Bash
curl --request POST \
--header "Authorization: Bearer $TOKEN" \
"https://accounts.cloud.databricks.com/api/2.0/accounts/${ACCOUNT_ID}/servicePrincipals/${SERVICE_PRINCIPAL_NUMERIC_ID}/federationPolicies" \
--data '{
"oidc_policy": {
"issuer": "https://token.actions.githubusercontent.com",
"audiences": [
"https://github.com/my-github-org"
],
"subject": "repo:my-github-org/my-repo:environment:prod"
}
}'
The following table provides example service principal federation policies and the matching JWT body.
For complete configuration steps for enabling workload identity federation for some of these common identity providers, see Enable workload identity federation in CI/CD.
Next stepsâAfter you have configured a federation policy for your account:
Bearer: field of the API call to gain access and complete the call. Tokens must be valid JWTs that are signed using the RS256 or ES256 algorithms. For details about implementing the token exchange, see Use an identity provider token to authenticate Databricks REST APIs.RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4