Skip to content

Add support for OIDC ID token authentication using an environment variable. #1215

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
May 6, 2025
Merged

Add support for OIDC ID token authentication using an environment variable. #1215

merged 7 commits into from
May 6, 2025

Conversation

renaudhartert-db
Copy link
Contributor

@renaudhartert-db renaudhartert-db commented May 5, 2025
edited
Loading

What changes are proposed in this pull request?

This PR adds a new way to authenticate by reading OIDC ID tokens from environment variables. By default, the new credential strategy attempts to read the token from DATABRICKS_OIDC_TOKEN. This default value can be overwritten by setting DATABRICKS_OIDC_TOKEN_ENV.

The new authentication mode will be tested before Github OIDC. The rationale is that we consider setting up DATABRICKS_OIDC_TOKEN as a stronger signal of intent than enabling OIDC for the whole Github Action.

This PR also moves IDTokenSource in its own oidc package within the experimental/auth package to clarify that these interfaces are still being validated.

How is this tested?

Complete test coverage of the new source.

@renaudhartert-db renaudhartert-db changed the title Add env var id token source Add support for OIDC ID token authentication using an environment variable. May 5, 2025
hectorcast-db
hectorcast-db reviewed May 6, 2025
View reviewed changes
config/config.go
@@ -108,6 +108,9 @@ type Config struct {
// specified by this argument. This argument also holds currently selected auth.
AuthType string `name:"auth_type" env:"DATABRICKS_AUTH_TYPE" auth:"-"`

// Environment variable name that contains an OIDC ID token.
OIDCTokenEnv string `name:"oidc_token_env" env:"DATABRICKS_OIDC_TOKEN_ENV" auth:"-"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense to read this dynamically from the environment to support "refreshes"?
Note that neither AWS, GCP or Azure seem to support the refresh.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The actual environment variable referred to by this environment variable is read each time the IDTokenSource is called. I'm not sure it's worth also reading this one dynamically.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True. I missread this as if DATABRICKS_OIDC_TOKEN_ENV itself was the token.

hectorcast-db
hectorcast-db reviewed May 6, 2025
View reviewed changes
@github-actions GitHub Actions
Copy link

github-actions bot commented May 6, 2025

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-go

Inputs:

  • PR number: 1215
  • Commit SHA: ee02c8ffe4f85d46c824e15a31542024e2a8bf9f

Checks will be approved automatically on success.

@renaudhartert-db renaudhartert-db added this pull request to the merge queue May 6, 2025
Merged via the queue into main with commit 8a6d0df May 6, 2025
15 checks passed
@renaudhartert-db renaudhartert-db deleted the renaud-hartert_data/oidc-env-var branch May 6, 2025 09:54
deco-sdk-tagging bot added a commit that referenced this pull request May 6, 2025
@deco-sdk-tagging
[Release] Release v0.68.0
4f0fe87 
## Release v0.68.0

### New Features and Improvements

- Add support for OIDC ID token authentication using a file
  ([PR #1213](#1213)).
- Add support for OIDC ID token authentication using an environment variable
  ([PR #1215](#1215)).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hectorcast-db hectorcast-db hectorcast-db approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@renaudhartert-db @hectorcast-db