
Databricks Asset Bundle Deployment Fails in GitHub Actions with Federated Identity Credentials

Nisha_Tech
New Contributor II

I am using a service principal with workspace admin access to deploy Databricks asset bundles. The deployment works successfully via Jenkins using the same credentials and commands. However, when attempting the deployment through GitHub Actions, I encounter the following error:

Error: failed during request visitor: inner token: AADSTS70025: The client '***' has no configured federated identity credentials

What could be causing this issue? Are there additional configuration steps required for GitHub Actions to authenticate with Databricks using a service principal? Any guidance would be appreciated.

Databricks cli version: v0.252.0

Terraform Binary: 1.12.0
Terraform Provider: 1.79.0
Commands used:

.databrickscfg
#profileName 
[DEFAULT]
host=https://adb-***.azuredatabricks.net
azure_tenant_id=***
azure_client_id=***
azure_client_secret=***

databricks auth profiles
databricks bundle validate -t dev -p DEFAULT

3 REPLIES

szymon_dybczak
Esteemed Contributor III

Hi @Nisha_Tech ,

It seems that for some reason GitHub Actions wants to authenticate using OAuth token federation:

Authenticate access to Databricks using OAuth token federation | Databricks on AWS

I guess that you want to authenticate using an SP. Could you check if you've done all the required steps? They are described in the articles below:

Authorize service principal access to Databricks with OAuth | Databricks on AWS

Service principals for CI/CD | Databricks on AWS

Hi @szymon_dybczak , 

Thank you for your response. 


We do not want to enable OAuth tokens on service principals as it is not permissible. The service principal we are using can deploy to the Databricks workspace without OAuth when using Jenkins. Why is GitHub Actions specifically requiring an OAuth token? Is there a particular restriction or configuration difference for GitHub Actions?


Thanks,

szymon_dybczak
Esteemed Contributor III

Hi @Nisha_Tech ,

Ok, got it. GitHub Actions should also support MS Entra service principal authentication, but I guess you need to configure it in a different way.

Could you try to configure it in the same way they recommend in the documentation?

Service principals for CI/CD - Azure Databricks | Microsoft Learn

I guess if you configure AZURE_CREDENTIAL then you can use the Azure Login action, which will perform authentication for your session. There's a good example of how to use that at the link below:

Authenticate to Azure from GitHub Actions by a secret | Microsoft Learn 


Unfortunately, I can't check it myself because on my current project I only have access to Azure DevOps.
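
A pre-deployment check for the situation discussed in this thread, added here as an example (it is not part of the thread and not Databricks code). It assumes, in line with the first reply's guess but unconfirmed by the thread, that the CLI may attempt GitHub OIDC federation when the runner exposes the `ACTIONS_ID_TOKEN_REQUEST_*` variables and no method is pinned through `auth_type` or `DATABRICKS_AUTH_TYPE`; `preflight` and all sample values are constructed for illustration.

```python
import configparser

# GitHub exposes these to a job only when it has `id-token: write` permission.
OIDC_ENV = ("ACTIONS_ID_TOKEN_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_TOKEN")
SECRET_KEYS = ("azure_tenant_id", "azure_client_id", "azure_client_secret")


def preflight(cfg_text, profile, env):
    """Return (level, message) findings for one .databrickscfg profile."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(cfg_text)
    if profile != "DEFAULT" and not cfg.has_section(profile):
        return [("error", f"profile {profile!r} not found")]
    section = cfg[profile]
    findings = []

    missing = [k for k in SECRET_KEYS if not section.get(k, "").strip()]
    if missing:
        findings.append(("error", "client-secret auth incomplete, missing: "
                         + ", ".join(missing)))

    # Either the environment variable or the profile field counts as a pin.
    pinned = env.get("DATABRICKS_AUTH_TYPE") or section.get("auth_type", "")
    oidc_visible = all(env.get(k) for k in OIDC_ENV)

    if pinned:
        findings.append(("info", f"auth method pinned to {pinned!r}"))
    elif oidc_visible and section.get("azure_client_id", "").strip():
        # Assumption: an unpinned client may try federated credentials here,
        # which fails with AADSTS70025 if the app registration has none.
        findings.append(("warn", "GitHub OIDC endpoint visible and no auth_type "
                         "set; pin auth_type=azure-client-secret"))
    else:
        findings.append(("info", "no GitHub OIDC token endpoint visible"))
    return findings


if __name__ == "__main__":
    # Constructed sample profile and environment (placeholder values only).
    sample_cfg = ("[DEFAULT]\nhost=https://adb-example.azuredatabricks.net\n"
                  "azure_tenant_id=TENANT\nazure_client_id=CLIENT\n"
                  "azure_client_secret=SECRET\n")
    sample_env = {"ACTIONS_ID_TOKEN_REQUEST_URL": "https://example.invalid/t",
                  "ACTIONS_ID_TOKEN_REQUEST_TOKEN": "placeholder"}
    for level, message in preflight(sample_cfg, "DEFAULT", sample_env):
        print(f"{level}: {message}")
```

In a pipeline, pass the real profile text and `dict(os.environ)` and fail the job on any `error` or `warn` finding before calling `databricks bundle validate`.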