
Add ARM_USE_OIDC auth type

Open tanmay-db opened this issue 1 year ago • 4 comments

https://nedinthecloud.com/2022/06/08/using-oidc-authentication-with-the-azurerm-backend/ https://colinsalmcorner.com/using-oidc-with-terraform-in-github-actions/

tanmay-db avatar Jun 13 '23 14:06 tanmay-db

Hi @tanmay-db, I'm not sure I understand whether it's possible to authenticate the Databricks Terraform provider using OIDC like we do with the Terraform azurerm provider? I read the links you mentioned (and the issue) but it's not clear to me. I'm using Terraform Cloud to deploy my resources on Azure.

provider "azurerm" {
  features {}

  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
}

provider "azuread" {
  tenant_id     = var.tenant_id
}

provider "databricks" {
  host                        = azurerm_databricks_workspace.databricks.workspace_url
  azure_workspace_resource_id = azurerm_databricks_workspace.databricks.id
}

I would expect the databricks provider to connect to Databricks using the same OIDC workflow as azurerm, but it's not happening.

To enable azurerm OIDC auth workflow I just had to create federated credentials to trust Terraform Cloud in Azure for the service principal and then add the following env variables to Terraform Cloud workspace: TFC_AZURE_PROVIDER_AUTH=true TFC_AZURE_RUN_CLIENT_ID=<CLIENT_ID>

What should I do to enable OIDC for the Databricks provider?

Thank you very much

loureirodnl avatar Aug 04 '23 13:08 loureirodnl

@loureirodnl I don't use Terraform Cloud, but it is possible for regular TF for sure; it is difficult to get it to work with the current options, though. Essentially this issue is here to get this working more simply, like in the AzureRM provider with the env var ARM_USE_OIDC: true

In my github actions I essentially run this:

jobs:
  x:
    (..)
    steps:
      - name: FetchBearerToken
        shell: bash
        id: bearer
        run: |
          DATABRICKS_AAD_TOKEN=`az account get-access-token --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d | jq -r '.accessToken'`

          echo "[DEFAULT]
          host = ${{ inputs.workspace }}
          token = $DATABRICKS_AAD_TOKEN
          jobs-api-version = 2.1" > ~/.databrickscfg

          cat ~/.databrickscfg

      - name: terraform plan (...)

To make things more difficult, the env vars ARM_CLIENT_ID or ARM_TENANT_ID cannot be set, or OIDC will not be used regardless with the current provider version.

audunsolemdal avatar Aug 04 '23 15:08 audunsolemdal
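Added example, not code from the thread or from the databricks-sdk-go project: a bash script in the spirit of the workflow step above that fetches the same AAD token and writes ~/.databrickscfg, but creates the file readable only by the current user and does not cat the profile (token included) into the job log, which the step above does. The function names `fetch_databricks_token`, `write_databrickscfg` and `check_databrickscfg`, and the optional path argument, are my own; the resource id is the one used in the step above, and the `::add-mask::` line is the standard GitHub Actions workflow command for masking a value in log output.

```shell
#!/usr/bin/env bash
# Added example: write a Databricks CLI profile from a short-lived AAD token
# without printing the token to CI logs. Names here are assumptions, not the
# project's API.
set -euo pipefail

# Fetch a bearer token for the Azure Databricks first-party resource
# (2ff814a6-3304-4ab8-85cb-cd0e6f879c1d, as in the thread). Requires a prior
# `az login` (e.g. azure/login with OIDC in GitHub Actions).
fetch_databricks_token() {
  az account get-access-token \
    --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d \
    --query accessToken -o tsv
}

# write_databrickscfg HOST TOKEN [PATH]
# Writes a [DEFAULT] profile with mode 600; never echoes the token.
write_databrickscfg() {
  local host="${1:-}" token="${2:-}" cfg="${3:-$HOME/.databrickscfg}"
  if [ -z "$host" ] || [ -z "$token" ]; then
    echo "write_databrickscfg: host and token are required" >&2
    return 1
  fi
  # umask in a subshell so the file is created 0600 rather than chmod'ed after.
  ( umask 077
    printf '[DEFAULT]\nhost = %s\ntoken = %s\njobs-api-version = 2.1\n' \
      "$host" "$token" > "$cfg" )
  chmod 600 "$cfg"
  # In GitHub Actions, register the token as a masked value so any later
  # accidental output (e.g. a debug cat of the file) is redacted in the log.
  if [ -n "${GITHUB_ACTIONS:-}" ]; then
    echo "::add-mask::$token"
  fi
}

# check_databrickscfg [PATH]
# Returns 0 if the profile exists, is mode 600, and names a host and a token.
check_databrickscfg() {
  local cfg="${1:-$HOME/.databrickscfg}" mode
  [ -f "$cfg" ] || return 1
  mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
  [ "$mode" = "600" ] || return 1
  grep -q '^host = ' "$cfg" && grep -q '^token = ' "$cfg"
}

# Usage inside a workflow step: WORKSPACE_URL=https://... ./script.sh run
if [ "${1:-}" = "run" ]; then
  write_databrickscfg "${WORKSPACE_URL:?set WORKSPACE_URL}" "$(fetch_databricks_token)"
  check_databrickscfg
fi
```

The subsequent `terraform plan` step reads the profile exactly as before; the only visible change in the job log is the absence of the token.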

Any news on this?

Roshick avatar Feb 06 '24 17:02 Roshick

This becomes more important now that federated credentials are GA and soon to be the default setup method in Azure DevOps

dsfrederic avatar Feb 19 '24 19:02 dsfrederic

Any news on this?

juicybaba avatar Oct 21 '24 17:10 juicybaba

Don't think the flag is available, but it is not possible to set this

provider "databricks" {
  host = "https://xxxxxx.azuredatabricks.net"
}

provider "databricks" {
  host       = "https://accounts.azuredatabricks.net"
  account_id = "xxxx"
  alias      = "account"
}

• using ARM_CLIENT_ID, ARM_TENANT_ID in conjunction, which was the original issue here https://github.com/databricks/terraform-provider-databricks/issues/2234

Not sure exactly which version fixed the issues with OIDC, but they seem to be solved, and the workaround described here is no longer needed https://github.com/databricks/databricks-sdk-go/issues/495#issuecomment-1665783625

audunsolemdal avatar Nov 26 '24 10:11 audunsolemdal