cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Data Engineering
Join discussions on data engineering best practices, architectures, and optimization strategies within the Databricks Community. Exchange insights and solutions with fellow data engineers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Lakebase / Feature Store error: “Failed to get identity details for username” (service principal)

Go to solution
ticuss
New Contributor

3 weeks ago

Hello,
I’m running into a Lakebase / Feature Store issue related to service principal authentication when trying to log or read from the Databricks Feature Store. Migrating from the legacy online tables.  

Here’s the exact error:
psycopg2.OperationalError: connection to server at "instance.database.cloud.databricks.com" (private_ip), port 5432 failed: FATAL: Failed to get identity details for username: "user_uuid". Please reach out to Databricks support. From the serving enpoint. 

Context

  • Using: databricks.feature_engineering.FeatureEngineeringClient = 0.13.0
  • Logging model via: fe.log_model(...)
  • MLflow registry URI: databricks-uc
  • Runtime: 14.3 LTS ML
  • Unity Catalog and Lakebase are enabled
  • The service principal exists in Unity Catalog and appears in system audit logs and permission tables

Observation

A minimal Lakebase training example (such as the default Feature Store + sklearn demo) runs without any issues the model is logged, registered, and the values are retrieved correctly from the lakebase for the model prediction when requesting from the serving endpoint.
The problem only appears when running a custom training pipeline. 


What I’ve verified

  • It appears in the system audit logs (system.access.audit) With the correct permissions accesses.
  • It’s present in permissions tables (permissions, identities, etc.)
  • Minimal Lakebase example (with sklearn + Feature Store) works fine

Is there a known limitation or configuration step required for service principals (serving endpoints) to authenticate against Lakebase ? Or some limitations when deploying custom models with the feature engineering lib related to the lakebase features retrieval ? 

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
mark_ott
Databricks Employee
Databricks Employee

3 weeks ago

The error you’re encountering —
psycopg2.OperationalError: FATAL: Failed to get identity details for username: "user_uuid" — typically arises from an OAuth identity mismatch or invalid token scope when a Databricks service principal is used to authenticate against a Lakebase Feature Store database instance.

Here’s how to interpret and resolve this issue.

Root Cause

Lakebase requires OAuth-based identity validation when authenticating to its Postgres-compatible endpoint. Each connection validates that the token’s Databricks identity (service principal or user) matches the security label (Postgres role) configured for the Lakebase instance.

Your custom pipeline likely triggers the mismatch because:

  • The service principal token used by the serving endpoint is not correctly scoped to the Lakebase database’s workspace identity.

  • The token may have been generated from a different workspace, or the identity context (client_id / secret) used by the FeatureEngineering library is not resolving to the role assigned to the Lakebase instance.

  • Minimal examples succeed because they run under a user context that matches the workspace’s identity, while custom pipelines use machine-to-machine (M2M) credentials.​

Authentication Requirements

To resolve the issue, ensure these conditions are met as per the official Databricks Lakebase documentation :​

  1. Tokens must be workspace-scoped
    OAuth tokens are valid only within the workspace owning the Lakebase database. Cross-workspace token usage is unsupported.

  2. Correct Service Principal Configuration
    The service principal must:

    • Be explicitly assigned to the workspace hosting the database (databricks accounts assign-service-principal-to-workspace).

    • Have the necessary Unity Catalog permissions for both the feature table and the Lakebase database instance.

  3. Generate the Token in a Machine-to-Machine Flow

    You must mint an OAuth token specifically for the database context:

    bash
    databricks database generate-database-credential \ --request-id $(uuidgen) \ --json '{"instance_names": ["<db-instance-name>"]}'

    This returns a JSON payload such as:

    json
    { "expiration_time": "2025-10-24T14:15:22Z", "token": "DATABRICKS_OAUTH_TOKEN" }

    Then, use the token as your Postgres password in your feature-serving endpoint configuration.

  4. Verify Token Identity

    Use the following command to ensure the identity bound to the token matches the expected role:

    python
    from databricks.sdk import WorkspaceClient w = WorkspaceClient() print(w.current_user.me().user_name)

    The output must match the service principal configured in Unity Catalog and granted access to the Feature Store database.

  5. Ensure SSL is Enabled
    Token-based login requires SSL (Lakebase enforces authenticated, encrypted sessions only).

Known Limitations

From Databricks documentation and the current Feature Store runtime behavior :​

  • Cross-workspace feature retrieval is unsupported.

  • Only Unity Catalog–managed feature tables can be accessed through Lakebase.

  • The service principal identity must exist and be directly linked in the permissions tables (it will not inherit access transitively from groups).

  • Tokens expire every hour, but connections remain active until closed — rotation is required for long-running processes.

Recommended Fix Path

  1. Regenerate a M2M OAuth token using the same workspace where the Lakebase instance resides.

  2. Confirm the service principal appears in:

    • system.access.audit (successful OAuth handshake)

    • information_schema.role_authorization_descriptors

  3. Update your custom model code to pass the correct token to FeatureEngineeringClient():

    python
    fe = FeatureEngineeringClient( host="https://<your-instance>.cloud.databricks.com", client_id="<service_principal_id>", client_secret="<service_principal_secret>" )

  4. Re-log the model with fe.log_model(...) once the identity context matches.

If the issue persists, Databricks support recommends checking if your workspace has Public Preview access for Lakebase M2M OAuth, as it’s still rolling out progressively by region.

View solution in original post

1 REPLY 1

Go to solution
mark_ott
Databricks Employee
Databricks Employee

3 weeks ago

The error you’re encountering —
psycopg2.OperationalError: FATAL: Failed to get identity details for username: "user_uuid" — typically arises from an OAuth identity mismatch or invalid token scope when a Databricks service principal is used to authenticate against a Lakebase Feature Store database instance.

Here’s how to interpret and resolve this issue.

Root Cause

Lakebase requires OAuth-based identity validation when authenticating to its Postgres-compatible endpoint. Each connection validates that the token’s Databricks identity (service principal or user) matches the security label (Postgres role) configured for the Lakebase instance.

Your custom pipeline likely triggers the mismatch because:

  • The service principal token used by the serving endpoint is not correctly scoped to the Lakebase database’s workspace identity.

  • The token may have been generated from a different workspace, or the identity context (client_id / secret) used by the FeatureEngineering library is not resolving to the role assigned to the Lakebase instance.

  • Minimal examples succeed because they run under a user context that matches the workspace’s identity, while custom pipelines use machine-to-machine (M2M) credentials.​

Authentication Requirements

To resolve the issue, ensure these conditions are met as per the official Databricks Lakebase documentation :​

  1. Tokens must be workspace-scoped
    OAuth tokens are valid only within the workspace owning the Lakebase database. Cross-workspace token usage is unsupported.

  2. Correct Service Principal Configuration
    The service principal must:

    • Be explicitly assigned to the workspace hosting the database (databricks accounts assign-service-principal-to-workspace).

    • Have the necessary Unity Catalog permissions for both the feature table and the Lakebase database instance.

  3. Generate the Token in a Machine-to-Machine Flow

    You must mint an OAuth token specifically for the database context:

    bash
    databricks database generate-database-credential \ --request-id $(uuidgen) \ --json '{"instance_names": ["<db-instance-name>"]}'

    This returns a JSON payload such as:

    json
    { "expiration_time": "2025-10-24T14:15:22Z", "token": "DATABRICKS_OAUTH_TOKEN" }

    Then, use the token as your Postgres password in your feature-serving endpoint configuration.

  4. Verify Token Identity

    Use the following command to ensure the identity bound to the token matches the expected role:

    python
    from databricks.sdk import WorkspaceClient w = WorkspaceClient() print(w.current_user.me().user_name)

    The output must match the service principal configured in Unity Catalog and granted access to the Feature Store database.

  5. Ensure SSL is Enabled
    Token-based login requires SSL (Lakebase enforces authenticated, encrypted sessions only).

Known Limitations

From Databricks documentation and the current Feature Store runtime behavior :​

  • Cross-workspace feature retrieval is unsupported.

  • Only Unity Catalog–managed feature tables can be accessed through Lakebase.

  • The service principal identity must exist and be directly linked in the permissions tables (it will not inherit access transitively from groups).

  • Tokens expire every hour, but connections remain active until closed — rotation is required for long-running processes.

Recommended Fix Path

  1. Regenerate a M2M OAuth token using the same workspace where the Lakebase instance resides.

  2. Confirm the service principal appears in:

    • system.access.audit (successful OAuth handshake)

    • information_schema.role_authorization_descriptors

  3. Update your custom model code to pass the correct token to FeatureEngineeringClient():

    python
    fe = FeatureEngineeringClient( host="https://<your-instance>.cloud.databricks.com", client_id="<service_principal_id>", client_secret="<service_principal_secret>" )

  4. Re-log the model with fe.log_model(...) once the identity context matches.

If the issue persists, Databricks support recommends checking if your workspace has Public Preview access for Lakebase M2M OAuth, as it’s still rolling out progressively by region.

Join Us as a Local Community Builder!

Passionate about hosting events and connecting people? Help us grow a vibrant local community—sign up today to get started!

Sign Up Now
Announcements