Enable workload identity federation for GitHub Actions

Databricks OAuth token federation, also known as OpenID Connect (OIDC), allows your automated workloads running outside of Databricks to securely access Databricks without the need for Databricks secrets. See Authenticate access to Databricks using OAuth token federation.

To enable workload identity federation for GitHub Actions:

  1. Create a federation policy
  2. Configure the GitHub Actions YAML file

After you enable workload identity federation, the Databricks SDKs and the Databricks CLI automatically fetch workload identity tokens from GitHub and exchange them for Databricks OAuth tokens.

Create a federation policy

First, create a workload identity federation policy. For instructions, see Configure a service principal federation policy. For GitHub, set the following values for the policy:

  • Organization: The name of your GitHub organization. For example, if your repository URL is https://github.com/databricks-inc/data-platform, then the organization is databricks-inc.
  • Repository: The name of the single repository to allow, such as data-platform.
  • Entity type: The kind of GitHub entity represented in the sub (subject) claim of your token. The default is Branch. Databricks recommends using Environment, which you can enable by setting the environment attribute in your GitHub Actions YAML file. See Deploying to a specific environment.
  • Issuer URL: https://token.actions.githubusercontent.com
  • Subject: A string formed by concatenating values from the GitHub Actions job context.
  • Audiences: The repository URL. If omitted, the Databricks account ID is used by default.
  • Subject claim: (Optional) The JWT claim that contains the workload identity (sub) value from the OIDC token. For GitHub, leave the field as sub, which encodes the repository, branch, tag, pull/merge request, or environment that triggered the workflow.

For example, the following Databricks CLI command creates a federation policy for an organization named my-org and a Databricks service principal numeric ID of 5581763342009999:

Bash
databricks account service-principal-federation-policy create 5581763342009999 --json '{
  "oidc_policy": {
    "issuer": "https://token.actions.githubusercontent.com",
    "audiences": [
      "https://github.com/my-org"
    ],
    "subject": "repo:my-org/my-repo:environment:prod"
  }
}'
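To see how the policy fields above relate to the claims GitHub puts in its OIDC token, here is an added example (not Databricks or GitHub code) that builds the sub value for each entity type and checks decoded token claims against a policy shaped like the one created by the CLI command. The policy, claims and the `subject_claim` key name are constructed for illustration.

```python
"""Constructed example: match decoded GitHub OIDC claims against a
Databricks-style federation policy. Not part of the Databricks CLI or SDK."""

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def github_subject(org: str, repo: str, entity_type: str, entity: str) -> str:
    """Build the sub claim GitHub issues for one job context (entity type
    as in the policy: branch, tag, environment or pull_request)."""
    ref = {
        "environment": f"environment:{entity}",
        "branch": f"ref:refs/heads/{entity}",
        "tag": f"ref:refs/tags/{entity}",
        "pull_request": "pull_request",
    }[entity_type]
    return f"repo:{org}/{repo}:{ref}"


def policy_matches(policy: dict, claims: dict) -> tuple[bool, str]:
    """Return (ok, reason). Issuer, at least one audience and the subject
    claim must all match the policy exactly; no wildcards."""
    oidc = policy["oidc_policy"]
    if claims.get("iss") != oidc["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not set(auds) & set(oidc["audiences"]):
        return False, "audience mismatch"
    subject_claim = oidc.get("subject_claim", "sub")  # key name assumed
    if claims.get(subject_claim) != oidc["subject"]:
        return False, "subject mismatch"
    return True, "ok"


# Constructed policy mirroring the CLI example: only the prod environment of my-repo
POLICY = {
    "oidc_policy": {
        "issuer": GITHUB_ISSUER,
        "audiences": ["https://github.com/my-org"],
        "subject": github_subject("my-org", "my-repo", "environment", "prod"),
    }
}

# Constructed claims: a job in the prod environment, and one on the main branch
PROD_CLAIMS = {"iss": GITHUB_ISSUER, "aud": "https://github.com/my-org",
               "sub": "repo:my-org/my-repo:environment:prod"}
BRANCH_CLAIMS = dict(PROD_CLAIMS, sub="repo:my-org/my-repo:ref:refs/heads/main")

if __name__ == "__main__":
    print(policy_matches(POLICY, PROD_CLAIMS))    # (True, 'ok')
    print(policy_matches(POLICY, BRANCH_CLAIMS))  # (False, 'subject mismatch')
```

The real token exchange also verifies the JWT signature against the issuer's published keys and the token's expiry; this example only shows the claim matching, which is where the policy's Organization, Repository, Entity type and Audiences settings take effect.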

Configure the GitHub Actions YAML file

Next, configure the GitHub Actions YAML file. Set the following environment variables:

  • DATABRICKS_AUTH_TYPE: github-oidc
  • DATABRICKS_HOST: Your Databricks workspace URL
  • DATABRICKS_CLIENT_ID: The service principal (application) ID

YAML
name: GitHub Actions Demo
run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
on: workflow_dispatch

permissions:
  id-token: write
  contents: read

jobs:
  my_script_using_wif:
    runs-on: ubuntu-latest
    environment: prod
    env:
      DATABRICKS_AUTH_TYPE: github-oidc
      DATABRICKS_HOST: https://my-workspace.cloud.databricks.com/
      DATABRICKS_CLIENT_ID: a1b2c3d4-ee42-1eet-1337-f00b44r

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Databricks CLI
        uses: databricks/setup-cli@main

      - name: Run Databricks CLI commands
        run: databricks current-user me