https://community.databricks.com/t5/administration-architecture/workload-identity-federation-policy/m-p/133276#M4118 <P>Dear all</P><P>Can I create a single workload federation policy for all devops pipelines?</P><P>Our set-up : we have code version controlled in Github repos. And, we use Azure DevOps pipelines to authenticate with Databricks via a service principal currently and deploy the databricks jobs. We have around 25 Github repos and DevOps pipelines thereby. Can I use a single subject in the below kind of policy?</P><P>&nbsp;</P><DIV>databricks account service-principal-federation-policy create 5581763342009999 --json '{</DIV><DIV>&nbsp; "oidc_policy": {</DIV><DIV><SPAN>"issuer": "<A href="https://vstoken.dev.azure.com/abcdefghi" target="_blank">https://vstoken.dev.azure.com/abcdefghi</A>",</SPAN></DIV><DIV><SPAN>"audiences": [</SPAN></DIV><DIV>&nbsp; &nbsp; &nbsp; "api://AzureADTokenExchange"</DIV><DIV><SPAN>],</SPAN></DIV><DIV><SPAN>"subject": "p://my-org/my-project/my-pipeline"</SPAN></DIV><DIV>&nbsp; }</DIV><DIV>}</DIV> Mon, 29 Sep 2025 15:39:11 GMT noorbasha534 2025-09-29T15:39:11Z https://community.databricks.com/t5/administration-architecture/workload-identity-federation-policy/m-p/133276#M4118 <P>Dear all</P><P>Can I create a single workload federation policy for all devops pipelines?</P><P>Our set-up : we have code version controlled in Github repos. And, we use Azure DevOps pipelines to authenticate with Databricks via a service principal currently and deploy the databricks jobs. We have around 25 Github repos and DevOps pipelines thereby. Can I use a single subject in the below kind of policy?</P><P>&nbsp;</P><DIV>databricks account service-principal-federation-policy create 5581763342009999 --json '{</DIV><DIV>&nbsp; "oidc_policy": {</DIV><DIV><SPAN>"issuer": "<A href="https://vstoken.dev.azure.com/abcdefghi" target="_blank">https://vstoken.dev.azure.com/abcdefghi</A>",</SPAN></DIV><DIV><SPAN>"audiences": [</SPAN></DIV><DIV>&nbsp; &nbsp; &nbsp; "api://AzureADTokenExchange"</DIV><DIV><SPAN>],</SPAN></DIV><DIV><SPAN>"subject": "p://my-org/my-project/my-pipeline"</SPAN></DIV><DIV>&nbsp; }</DIV><DIV>}</DIV> Mon, 29 Sep 2025 15:39:11 GMT https://community.databricks.com/t5/administration-architecture/workload-identity-federation-policy/m-p/133276#M4118 noorbasha534 2025-09-29T15:39:11Z https://community.databricks.com/t5/administration-architecture/workload-identity-federation-policy/m-p/133285#M4120 <P>Hi&nbsp;<a href="https://community.databricks.com/t5/user/viewprofilepage/user-id/124839">@noorbasha534</a>&nbsp;,</P><P>In docs they are giving following example of subject requirements for Azure Devops. So, the&nbsp;subject (sub) claim must uniquely identify the workload. So as long as all of your pipelines resides in the same organization, same project and all of them are using the same service connection then you can have on single policy.</P><LI-CODE lang="python">"iss": "https://vstoken.dev.azure.com/&lt;org_id&gt;" "aud": "api://AzureADTokenExchange" "sub": "sc://my-org/my-project/my-connection"</LI-CODE><P>&nbsp;The same applies to github.</P><LI-CODE lang="python">{ "iss": "https://token.actions.githubusercontent.com", "aud": "https://github.com/my-github-org", "sub": "repo:my-github-org/my-repo:environment:prod" }</LI-CODE><P>So, you can thing of subject in following way:</P><P>"This token was issued for workflows running in the <STRONG>prod</STRONG> environment of <STRONG>my-repo</STRONG> inside <STRONG>my-github-org</STRONG>"</P><P>So as long as your pipelines are defined in the same organization -&gt; repo -&gt; env then you can use single policy.<BR /><BR />This is quite interesting question and I can try to validate on my own environment, but I think I will find time only at the second part of this week.</P> Mon, 29 Sep 2025 17:16:17 GMT https://community.databricks.com/t5/administration-architecture/workload-identity-federation-policy/m-p/133285#M4120 szymon_dybczak 2025-09-29T17:16:17Z