
[ISSUE] Auth with Azure OIDC

Open mpostument opened this issue 4 months ago • 2 comments

Configuration

provider "databricks" {
  host                        = module.infra.databricks_workspace_url
  azure_workspace_resource_id = module.infra.databricks_workspace_id
}

resource "databricks_service_principal" "sp" {
  application_id        = module.infra.user_assigned_identity_client_id
  display_name          = var.name
  allow_cluster_create  = true
  databricks_sql_access = true
  workspace_access      = true
}

Separate module

resource "azurerm_databricks_workspace" "this" {
  name                = var.name
  location            = var.location
  resource_group_name = var.resource_group_name
  sku                 = "standard"

  tags = var.tags
}

output "workspace_url" {
  description = "Workspace URL for Databricks"
  value       = azurerm_databricks_workspace.this.workspace_url
}

output "workspace_id" {
  description = "Workspace ID for DataBricks"
  value       = azurerm_databricks_workspace.this.id
}

Expected Behavior

Service principal successfully created

Actual Behavior

Error: cannot create service principal: failed during request visitor: default auth: cannot configure default credentials, please check https://docs.databricks.com/en/dev-tools/auth.html#databricks-client-unified-authentication to configure credentials for your preferred authentication method. Config: host=https://adb-3527191611191700.0.azuredatabricks.net/, azure_client_id=SECRET, azure_tenant_id=SECRET. Env: ARM_CLIENT_ID, ARM_TENANT_ID

Steps to Reproduce

  1. terraform apply

Terraform and provider versions

OpenTofu v1.10.6 on linux_amd64; databricks provider 1.95.0

Debug Output

mpostument, Oct 27 '25 15:10

You need to use the same identity that was used to create a workspace. https://registry.terraform.io/providers/databricks/databricks/latest/docs#special-configurations-for-azure

WIF/OIDC could be used, but it requires an SP already in the workspace: https://registry.terraform.io/providers/databricks/databricks/latest/docs#authenticating-with-workload-identity-federation-wif & https://registry.terraform.io/providers/databricks/databricks/latest/docs#special-configurations-for-azure

alexott, Oct 28 '25 18:10

@alexott I used the same entity for workspace creation and SP creation, but it didn't work. We came up with a workaround using az cli as auth, but it would be nice to have it working without it.

resource "null_resource" "az_login" {
  triggers = {
    dr_client_id = module.infra.user_assigned_identity_client_id
  }

  provisioner "local-exec" {
    command = "az login --service-principal -u $ARM_CLIENT_ID -t $ARM_TENANT_ID --federated-token \"$(cat $ARM_OIDC_TOKEN_FILE_PATH)\""
  }
}

provider "databricks" {
  host       = azurerm_databricks_workspace.this.workspace_url
  auth_type  = "azure-cli"
  account_id = data.azurerm_subscription.current.subscription_id
}

mpostument, Oct 29 '25 10:10