Cap on OIDC (max 20) Enable workload identity federation for GitHub Actions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-24-2025 12:00 AM - edited 11-24-2025 12:01 AM
Hi Databricks community,
I have followed below page and created Github OIDCs but there seems to be a cap on how many OIDC's a Service Principal can create (20 max). Is there any work around for this or some other solution apart from using Client ID and secret key for authentication.
ERROR: Too many policies for '<service principal>' (max 20)
Enable workload identity federation for GitHub Actions
https://docs.databricks.com/aws/en/dev-tools/auth/provider-github
Thank you.
- Labels:
-
Partner
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-24-2025 10:43 AM
Hi @old_school ,
Most teams end up creating one policy per repo/environment combination. Are you trying to use a single service principle for all of your needs? How many OIDC's would be sufficient for a single service principle in your case?
As far as I can tell, there is no current way to increase the limit.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-24-2025 10:45 PM
Hi @stbjelcevic ,
Tanks for the prompt reply.
Don't have a concrete number but its definitely more than 20.
Why databricks doesn't provides any wild cards (*) to enable OIDC's ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-25-2025 11:14 AM
I can't speak for specifically why, but allowing wildcards creates security risks and most identity providers and standards guidance require exact, pre-registered URLs.