Resolve TokenAudience from host metadata for account hosts#1543
Merged
hectorcast-db merged 1 commit intomainfrom Mar 17, 2026
Merged
Conversation
hectorcast-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
This was referenced Mar 16, 2026
hectorcast-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
hectorcast-db
force-pushed
the
hectorcast-db/stack/port/resolve-token-audience-from-metadata
branch
from
f6ba199 to
2730c9e
Compare
hectorcast-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
hectorcast-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
hectorcast-db
force-pushed
the
hectorcast-db/stack/port/resolve-token-audience-from-metadata
branch
from
2730c9e to
9893d9c
Compare
hectorcast-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
hectorcast-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
github-merge-queue bot
pushed a commit
that referenced
this pull request
Mar 16, 2026
## 🥞 Stacked PR Use this [link](https://github.com/databricks/databricks-sdk-go/pull/1542/files) to review incremental changes. - [**stack/port/resolve-host-metadata-on-init**](#1542) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1542/files)] - [stack/port/resolve-token-audience-from-metadata](#1543) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1543/files/20b6cd4abc1a3284d586c88f802c4b7df2678062..9893d9cbbfe8baab7f7aeacb8ce7faf49026c86a)] - [stack/port/gcp-sa-token-non-blocking](#1544) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1544/files/9893d9cbbfe8baab7f7aeacb8ce7faf49026c86a..07e28b7aef05ada2f357f87faa749c6990be8173)] - [stack/port/test-environment-type](#1545) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1545/files/07e28b7aef05ada2f357f87faa749c6990be8173..0da1b0d546ab8842dffbd50aa55fb136bbeffddf)] - [stack/port/host-metadata-integration-test](#1546) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1546/files/0da1b0d546ab8842dffbd50aa55fb136bbeffddf..e9854aad19dc522ffe8def175bef3a3eabface2b)] - [stack/port/remove-unified-flag](#1547) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1547/files/e9854aad19dc522ffe8def175bef3a3eabface2b..fae626deb92c4671a0c8aa0f1e3e6bad1f8c5cc6)] - [stack/port/gcp-sa-from-metadata](#1548) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1548/files/fae626deb92c4671a0c8aa0f1e3e6bad1f8c5cc6..ecb1dbeed4ed1990a74895c6ced958c05f16ffef)] --------- ## Summary - Port of Python SDK PR databricks/databricks-sdk-py#1318 and discovery URL fix from PR databricks/databricks-sdk-py#1332 - Extract `applyHostMetadata()` from `resolveHostMetadata()` for reuse during config init - Call host metadata resolution during `EnsureResolved()` for unified hosts (gated behind `Experimental_IsUnifiedHost`), with non-fatal error handling (warns on failure) - OIDC endpoint from metadata is now treated as the OIDC root, with `/.well-known/oauth-authorization-server` appended to form the full discovery URL ## Test plan - `TestEnsureResolved_ResolvesHostMetadata_WhenUnifiedHost` — verifies fields populated from metadata - `TestEnsureResolved_HostMetadataFailure_NonFatal` — 500 response, config still resolves - `TestEnsureResolved_HostMetadata_NoOidcEndpoint_NonFatal` — missing oidc_endpoint, no error - `TestEnsureResolved_HostMetadata_MissingAccountIdWithPlaceholder_Warns` — template needs account_id but missing - Existing `resolveHostMetadata` tests updated for new discovery URL format NO_CHANGELOG=true This pull request was AI-assisted by Isaac.
Port of Python SDK PR #1321. When host metadata indicates an account host (no workspace_id) and account_id is present, automatically set TokenAudience to the account_id if not already configured by the user. Co-authored-by: Isaac
hectorcast-db
force-pushed
the
hectorcast-db/stack/port/resolve-token-audience-from-metadata
branch
from
9893d9c to
01d8ab7
Compare
hectorcast-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
hectorcast-db
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
|
If integration tests don't run automatically, an authorized user can run them manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success. |
hectorcast-db
deleted the
hectorcast-db/stack/port/resolve-token-audience-from-metadata
branch
1 task
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🥞 Stacked PR
Use this link to review incremental changes.
Summary
TokenAudienceto the account_id if not already configuredTest plan
TestApplyHostMetadata_SetsTokenAudienceForAccountHost— no workspace_id, has account_id → setTestApplyHostMetadata_NoTokenAudienceForWorkspaceHost— has workspace_id → not setTestApplyHostMetadata_DoesNotOverrideExistingTokenAudience— pre-set value preservedNO_CHANGELOG=true
This pull request was AI-assisted by Isaac.