topic Re: Databricks Asset Bundle Deployment Fails in GitHub Actions with Federated Identity Credentials in Administration & Architecture

Databricks Asset Bundle Deployment Fails in GitHub Actions with Federated Identity Credentials

Nisha_Tech — Tue, 14 Oct 2025 09:33:38 GMT

I am using a service principal with workspace admin access to deploy Databricks asset bundles. The deployment works successfully via Jenkins using the same credentials and commands. However, when attempting the deployment through GitHub Actions, I encounter the following error:

Error: failed during request visitor: inner token: AADSTS70025: The client '***' has no configured federated identity credentials

What could be causing this issue? Are there additional configuration steps required for GitHub Actions to authenticate with Databricks using a service principal? Any guidance would be appreciated.

Databricks cli version: v0.252.0

Terraform Binary: 1.12.0
Terraform Provider: 1.79.0
Commands used:

.databrickscfg #profileName [DEFAULT] host=https://adb-***.azuredatabricks.net azure_tenant_id=*** azure_client_id=*** azure_client_secret=*** databricks auth profiles databricks bundle validate -t dev -p DEFAULT

Re: Databricks Asset Bundle Deployment Fails in GitHub Actions with Federated Identity Credentials

szymon_dybczak — Tue, 14 Oct 2025 10:19:47 GMT

Hi @Nisha_Tech ,

It seems that for some reason github actions wants to authenticate osuing OAuth Token federation:

Authenticate access to Databricks using OAuth token federation | Databricks on AWS

I guess that you want to authenticate using SP. Could you check if you've done all required steps? They are described at below articles:

Authorize service principal access to Databricks with OAuth | Databricks on AWS

Service principals for CI/CD | Databricks on AWS

Re: Databricks Asset Bundle Deployment Fails in GitHub Actions with Federated Identity Credentials

Nisha_Tech — Wed, 15 Oct 2025 02:08:13 GMT

Hi @szymon_dybczak ,

Thank you for your response.

We do not want to enable OAuth tokens on service principals as it is not permissible. The service principal we are using can deploy to the Databricks workspace without OAuth when using Jenkins. Why is GitHub Actions specifically requiring an OAuth token? Is there a particular restriction or configuration difference for GitHub Actions?

Thanks,

Re: Databricks Asset Bundle Deployment Fails in GitHub Actions with Federated Identity Credentials

szymon_dybczak — Wed, 15 Oct 2025 07:23:37 GMT

Hi @Nisha_Tech ,

Ok, got it. Github Actions should also support MS Entra service principal authentication but I guess you need to configure it a different way.

Could you try to configure it in the same way they recommend in documentation?

Service principals for CI/CD - Azure Databricks | Microsoft Learn

I guess if you configure AZURE_CREDENTIAL then you can use Azure Login action which will perform authentication for your session. There's a good example how to use that at below link:

Authenticate to Azure from GitHub Actions by a secret | Microsoft Learn

Hi @Nisha_Tech ,

Ok, got it. Github Actions should also support MS Entra service principal authentication but I guess you need to configure it a different way.

Could you try to configure it in the same way they recommend in documentation?

Service principals for CI/CD - Azure Databricks | Microsoft Learn

I guess if you configure AZURE_CREDENTIAL then you can use Azure Login action which will perform authentication for your session. There's a good example how to use that at below link:

Authenticate to Azure from GitHub Actions by a secret | Microsoft Learn

Unfortunately, I can't check it myself because at current project I have only access to Azure Devops.

Re: Databricks Asset Bundle Deployment Fails in GitHub Actions with Federated Identity Credentials

bendakota — Wed, 03 Dec 2025 21:52:56 GMT

I recently ran into a similar issue attempting to deploy with the Terraform Databricks provider:

provider "databricks" {

host = <host>

azure_workspace_resource_id = <workspace_resource_id>

azure_client_id = <azure_client_id>

azure_client_secret = <azure_client_secret>

azure_tenant_id = <tenant_id>

}

And locally the deployment worked just fine, but the exact same code via Github actions resulted in:

> Failed during request visitor: error getting token: AADSTS70025: The client '<client-id>'(<client-name>) has no configured federated identity credentials

The solution was to set an environment variable for the github action:

env:

DATABRICKS_AUTH_TYPE: azure-client-secret

GitHub Actions provides OIDC tokens automatically, and the Databricks provider has built-in logic to detect and prefer OIDC/federated identity when available. Even though your provider configuration explicitly sets azure_client_id and azure_client_secret, the provider was detecting GitHub's OIDC environment and trying that first - which failed because your environment-specific SP doesn't have federated identity credentials configured.

The DATABRICKS_AUTH_TYPE environment variable explicitly tells the Databricks provider which authentication method to use. By setting it to azure-client-secret, we force it to use the traditional Azure Service Principal authentication with client_id/client_secret, and prevent it from auto-detecting and trying to use GitHub Actions OIDC tokens.

Re: Databricks Asset Bundle Deployment Fails in GitHub Actions with Federated Identity Credentials

Hubert-Dudek — Thu, 04 Dec 2025 10:45:54 GMT

Environment variables override .databrickscfg, that's why it is probably failing to OIDC.

Make sure that you have correct specification in your databricks.yml so it will be source of true. Smth like:

- name: Deploy bundle env: DATABRICKS_HOST: https://adb-***.azuredatabricks.net ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}