Cap on OIDC (max 20) Enable workload identity federation for GitHub Actions

old_school
New Contributor II

Hi Databricks community,

I have followed below page and created Github OIDCs but there seems to be a cap on how many OIDC's a Service Principal can create (20 max). Is there any work around for this or some other solution apart from using Client ID and secret key for authentication.

ERROR: Too many policies for '<service principal>' (max 20)

Enable workload identity federation for GitHub Actions

https://docs.databricks.com/aws/en/dev-tools/auth/provider-github

Thank you.

 

 

stbjelcevic
Databricks Employee
Databricks Employee

Hi @old_school ,

Most teams end up creating one policy per repo/environment combination. Are you trying to use a single service principle for all of your needs? How many OIDC's would be sufficient for a single service principle in your case?

As far as I can tell, there is no current way to increase the limit.

 

Hi @stbjelcevic ,

Tanks for the prompt reply.

Don't have a concrete number but its definitely more than 20.

Why databricks doesn't provides any wild cards (*) to enable OIDC's ?

stbjelcevic
Databricks Employee
Databricks Employee

I can't speak for specifically why, but allowing wildcards creates security risks and most identity providers and standards guidance require exact, pre-registered URLs.