09-22-2025 10:48 AM
Yes, Databricks federation policy can support cross-cloud authentication, allowing the use of external identity providers (IdPs) that may reside in different clouds. This includes scenarios where tokens issued by trusted IdPs—such as those for service principals running in different cloud platforms, like Azure, AWS, or GCP—can be federated for Databricks API access or Delta Sharing.
How Federation Policy Enables Cross-Cloud Authentication
- Databricks supports account-wide token federation and workload identity federation, which allow the configuration of federation policies that define trusted issuers (IdPs), including Kubernetes clusters and other cloud-native identity services.
- The platform validates tokens issued by these IdPs by referencing their well-known endpoints and JSON Web Key Sets (JWKS), provided the IdP is controlled and trusted by the organization.
- This mechanism allows, for example, a service principal in Azure Databricks to authenticate using tokens received from a GCP (Google Cloud Platform) Kubernetes cluster, as long as the federation policy is configured to accept that particular Kubernetes issuer as a trusted IdP.
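
A client-side diagnostic for the setup described in the answer above, added here as an example (it is not from the post or from Databricks): it decodes a workload token's claims and lists which ones would not match a federation policy's trusted issuer, audience and subject. The policy field names, the cluster URL, the audience and the service account are constructed assumptions, and the signature is deliberately not checked, since that is done on the Databricks side against the issuer's JWKS.

```python
import base64
import json
import time

# Hypothetical policy for illustration; field names and values are assumptions.
POLICY = {
    "issuer": "https://container.googleapis.com/v1/projects/example-proj/locations/us-central1/clusters/example-cluster",
    "audiences": ["databricks-example-audience"],
    "subject": "system:serviceaccount:example-ns:example-sa",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature (diagnostic only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def policy_mismatches(claims: dict, policy: dict, now=None) -> list:
    """Return the claim names that would not satisfy the policy (empty list = match)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != policy["issuer"]:  # exact match, no prefix matching
        problems.append("iss")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # "aud" may be a string or a list
    if not set(aud) & set(policy["audiences"]):
        problems.append("aud")
    if claims.get("sub") != policy["subject"]:
        problems.append("sub")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:  # missing or expired
        problems.append("exp")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token with a dummy signature segment."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.c2ln"
```

An empty list means the claims line up with the policy; a non-empty list names the claims to fix in the workload's token request or in the policy before attempting the token exchange.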