Enable workload identity federation for GitHub Actions

Preview

Databricks OAuth token federation is in Public Preview.

Databricks OAuth token federation, also known as OpenID Connect (OIDC), allows your automated workloads running outside of Databricks to securely access Databricks without the need for Databricks secrets. See Authenticate access to Databricks using OAuth token federation.

To enable workload identity federation for GitHub Actions:

  1. Create a federation policy
  2. Configure the GitHub Actions YAML file

After you enable workload identity federation, the Databricks SDKs and the Databricks CLI automatically fetch workload identity tokens from GitHub and exchange them for Databricks OAuth tokens.

Create a federation policy

First, use the Databricks CLI to create a workload identity federation policy. For GitHub, set the following values for the policy:

  • issuer: https://token.actions.githubusercontent.com
  • audiences: the repository URL, or omit this field and the Databricks account ID is used instead.
  • subject: a concatenation of values taken from the GitHub Actions job context
Note

To ensure that your GitHub Actions subject is consistent, Databricks recommends specifying an environment. See Using environments for deployment and Filtering for a specific environment.

For example, given a GitHub repository named my-repo that belongs to a GitHub organization named my-org, with a Databricks service principal numeric ID of 5581763342009999, create a federation policy using the following Databricks CLI command:

Bash
# The subject pins the policy to the prod environment of my-org/my-repo
# (see the note above); the audience is the GitHub organization URL.
databricks account service-principal-federation-policy create 5581763342009999 --json '{
  "oidc_policy": {
    "issuer": "https://token.actions.githubusercontent.com",
    "audiences": [
      "https://github.com/my-org"
    ],
    "subject": "repo:my-org/my-repo:environment:prod"
  }
}'
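As an added example (not code from the Databricks documentation or the CLI), the following Python models the check that the federation policy above implies, so you can see why the note recommends pinning an environment: the same workflow run from a branch push yields a different subject and is rejected. It assumes exact-match semantics for issuer and subject and membership for audiences, with the account ID standing in when audiences is omitted, as described above; the token claims are constructed samples.

```python
# Constructed policy, mirroring the oidc_policy sent by the CLI command above.
GITHUB_POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "audiences": ["https://github.com/my-org"],
    "subject": "repo:my-org/my-repo:environment:prod",
}

# Constructed sample claims shaped like a GitHub Actions OIDC token payload
# (only the claims a federation policy looks at are included).
TOKEN_FROM_PROD_ENV = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "https://github.com/my-org",
    "sub": "repo:my-org/my-repo:environment:prod",
}
# Same repo, but a plain push to main with no environment: subject changes.
TOKEN_FROM_BRANCH_PUSH = {**TOKEN_FROM_PROD_ENV,
                          "sub": "repo:my-org/my-repo:ref:refs/heads/main"}
# A different owner (e.g. a fork) using the same repo name and environment.
TOKEN_FROM_OTHER_OWNER = {**TOKEN_FROM_PROD_ENV,
                          "sub": "repo:other-org/my-repo:environment:prod"}


def policy_matches(policy: dict, claims: dict, account_id: str) -> tuple:
    """Model (assumption, not the Databricks implementation) of whether a
    workload token's claims satisfy a federation policy.

    Signature and expiry are verified by Databricks against the issuer's
    published keys; this only models the issuer/audience/subject match.
    Returns (ok, reason).
    """
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    # Omitted audiences -> the Databricks account ID must appear in aud.
    wanted = policy.get("audiences") or [account_id]
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not any(a in wanted for a in aud):
        return False, "audience mismatch"
    if claims.get("sub") != policy["subject"]:
        return False, "subject mismatch"
    return True, "ok"


if __name__ == "__main__":
    for name, tok in [("prod env", TOKEN_FROM_PROD_ENV),
                      ("branch push", TOKEN_FROM_BRANCH_PUSH),
                      ("other owner", TOKEN_FROM_OTHER_OWNER)]:
        print(name, policy_matches(GITHUB_POLICY, tok, "1234567890"))
```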

Configure the GitHub Actions YAML file

Next, configure the GitHub Actions YAML file. Set the following environment variables:

  • DATABRICKS_AUTH_TYPE: github-oidc
  • DATABRICKS_HOST: your Databricks workspace URL
  • DATABRICKS_CLIENT_ID: the service principal (application) ID
YAML
name: GitHub Actions Demo
run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
on: workflow_dispatch

# id-token: write lets the job request a GitHub OIDC token for this run.
permissions:
  id-token: write
  contents: read

jobs:
  my_script_using_wif:
    runs-on: ubuntu-latest
    # Must match the environment named in the federation policy subject.
    environment: prod
    env:
      DATABRICKS_AUTH_TYPE: github-oidc
      DATABRICKS_HOST: https://my-workspace.cloud.databricks.com/
      DATABRICKS_CLIENT_ID: a1b2c3d4-ee42-1eet-1337-f00b44r

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Databricks CLI
        uses: databricks/setup-cli@main

      - name: Run Databricks CLI commands
        run: databricks current-user me