Databricks Asset Bundle Deployment Fails in GitHub Actions with Federated Identity Credentials

Nisha_Tech
New Contributor II

I am using a service principal with workspace admin access to deploy Databricks asset bundles. The deployment works successfully via Jenkins using the same credentials and commands. However, when attempting the deployment through GitHub Actions, I encounter the following error:

Error: failed during request visitor: inner token: AADSTS70025: The client '***' has no configured federated identity credentials

What could be causing this issue? Are there additional configuration steps required for GitHub Actions to authenticate with Databricks using a service principal? Any guidance would be appreciated.

Databricks CLI version: v0.252.0

Terraform Binary: 1.12.0
Terraform Provider: 1.79.0
Commands used:

.databrickscfg
#profileName 
[DEFAULT]
host=https://adb-***.azuredatabricks.net
azure_tenant_id=***
azure_client_id=***
azure_client_secret=***

databricks auth profiles
databricks bundle validate -t dev -p DEFAULT

5 REPLIES

szymon_dybczak
Esteemed Contributor III

Hi @Nisha_Tech ,

It seems that for some reason GitHub Actions wants to authenticate using OAuth token federation:

Authenticate access to Databricks using OAuth token federation | Databricks on AWS

I guess that you want to authenticate using an SP. Could you check if you've done all the required steps? They are described in the articles below:

Authorize service principal access to Databricks with OAuth | Databricks on AWS

Service principals for CI/CD | Databricks on AWS

Hi @szymon_dybczak , 

Thank you for your response. 


We do not want to enable OAuth tokens on service principals as it is not permissible. The service principal we are using can deploy to the Databricks workspace without OAuth when using Jenkins. Why is GitHub Actions specifically requiring an OAuth token? Is there a particular restriction or configuration difference for GitHub Actions?


Thanks,

szymon_dybczak
Esteemed Contributor III

Hi @Nisha_Tech ,

Ok, got it. Github Actions should also support MS Entra service principal authentication but I guess you need to configure it a different way.

Could you try to configure it in the same way they recommend in documentation?

Service principals for CI/CD - Azure Databricks | Microsoft Learn

I guess if you configure AZURE_CREDENTIAL then you can use the Azure Login action, which will perform authentication for your session. There's a good example of how to use that at the link below:

Authenticate to Azure from GitHub Actions by a secret | Microsoft Learn 

[image: szymon_dybczak_0-1760512941350.png]

Unfortunately, I can't check it myself because on my current project I only have access to Azure DevOps.

bendakota
Visitor
I recently ran into a similar issue attempting to deploy with the Terraform Databricks provider:

provider "databricks" {
  # Values in angle brackets are placeholders for the real settings.
  host                        = "<host>"
  azure_workspace_resource_id = "<workspace_resource_id>"
  azure_client_id             = "<azure_client_id>"
  azure_client_secret         = "<azure_client_secret>"
  azure_tenant_id             = "<tenant_id>"
}


And locally the deployment worked just fine, but the exact same code via GitHub Actions resulted in:


> Failed during request visitor: error getting token: AADSTS70025: The client '<client-id>'(<client-name>) has no configured federated identity credentials


The solution was to set an environment variable for the GitHub Action:


env:
  DATABRICKS_AUTH_TYPE: azure-client-secret

GitHub Actions provides OIDC tokens automatically, and the Databricks provider has built-in logic to detect and prefer OIDC/federated identity when available. Even though your provider configuration explicitly sets azure_client_id and azure_client_secret, the provider was detecting GitHub's OIDC environment and trying that first - which failed because your environment-specific SP doesn't have federated identity credentials configured.
 
The DATABRICKS_AUTH_TYPE environment variable explicitly tells the Databricks provider which authentication method to use. By setting it to azure-client-secret, we force it to use the traditional Azure Service Principal authentication with client_id/client_secret, and prevent it from auto-detecting and trying to use GitHub Actions OIDC tokens.

Hubert-Dudek
Esteemed Contributor III

Environment variables override .databrickscfg; that's why it is probably falling back to OIDC.

Make sure that you have the correct specification in your databricks.yml so it will be the source of truth. Something like:

- name: Deploy bundle
  env:
    DATABRICKS_HOST: https://adb-***.azuredatabricks.net
    ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
    ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
    ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
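Putting the two answers together, here is a complete GitHub Actions workflow that pins the auth type the way bendakota describes and supplies the ARM_* variables the way Hubert-Dudek's step does. This is an added example, not code from either poster or from Databricks; the workflow name, trigger, the `databricks/setup-cli` action, the fail-fast step and the `-t dev` target are assumptions, the host is the thread's redacted placeholder, and the secret names are the ones used in the reply above.

```yaml
# Added example: deploy a Databricks Asset Bundle from GitHub Actions with an
# Entra service principal client secret, without letting the CLI auto-detect
# GitHub's OIDC token. Workflow name, trigger and target are assumptions.
name: deploy-bundle

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Only read access to the repo is requested. In particular the job does not
    # ask for `id-token: write`, the permission that makes GitHub's OIDC token
    # available to the job, so there is nothing federated for the CLI to prefer.
    permissions:
      contents: read
    env:
      # Redacted placeholder host taken from the thread; replace with the real one.
      DATABRICKS_HOST: https://adb-***.azuredatabricks.net
      # Pin the auth method so the CLI does not try github-oidc first.
      DATABRICKS_AUTH_TYPE: azure-client-secret
      ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
    steps:
      - uses: actions/checkout@v4

      - name: Install Databricks CLI
        uses: databricks/setup-cli@main

      - name: Fail fast if the auth configuration is ambiguous
        run: |
          # Refuse to run when the auth type is not pinned or the secret is missing,
          # so a misconfigured job fails here rather than with an AADSTS error later.
          test "$DATABRICKS_AUTH_TYPE" = "azure-client-secret" || { echo "DATABRICKS_AUTH_TYPE is not pinned"; exit 1; }
          test -n "$ARM_CLIENT_ID"     || { echo "ARM_CLIENT_ID is empty";     exit 1; }
          test -n "$ARM_CLIENT_SECRET" || { echo "ARM_CLIENT_SECRET is empty"; exit 1; }
          test -n "$ARM_TENANT_ID"     || { echo "ARM_TENANT_ID is empty";     exit 1; }

      # No `-p DEFAULT`: credentials come from the environment only, so there is
      # no .databrickscfg profile for the environment variables to override.
      - name: Validate bundle
        run: databricks bundle validate -t dev

      - name: Deploy bundle
        run: databricks bundle deploy -t dev
```

The profile flag from the original question is deliberately dropped: as the reply above notes, environment variables take precedence over .databrickscfg, so carrying both sources makes it harder to reason about which credentials the CLI actually used. If the organisation later allows federated credentials on the service principal, the change is confined to this block: grant `id-token: write`, remove `DATABRICKS_AUTH_TYPE` and the client secret, and let the CLI use the OIDC token instead.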