Use host metadata to determine GCP SA token requirement #1548
Closed
hectorcast-db wants to merge 11 commits into main from
Port of Python SDK PR #1318 and discovery URL fix from PR #1332. Extract applyHostMetadata() from resolveHostMetadata() for reuse. Call host metadata resolution during EnsureResolved() for unified hosts, with non-fatal error handling (warns on failure instead of failing). The OIDC endpoint from metadata is now treated as the OIDC root, with /.well-known/oauth-authorization-server appended to form the full discovery URL. Co-authored-by: Isaac
This was referenced Mar 16, 2026
Instead of silently ignoring the error from fixHostIfNeeded(), log it as a warning before skipping host metadata resolution. Co-authored-by: Isaac
64e25de to e75b8e4
Port of Python SDK PR #1321. When host metadata indicates an account host (no workspace_id) and account_id is present, automatically set TokenAudience to the account_id if not already configured by the user. Co-authored-by: Isaac
Port of Python SDK PR #1330. Add serviceToServiceVisitorWithFallback() which logs a warning and skips the secondary header when the SA token source fails, instead of returning an error. GoogleDefaultCredentials now always attempts to create an SA token source regardless of config type, falling back gracefully on failure. GoogleCredentials also uses the fallback visitor. Co-authored-by: Isaac
e75b8e4 to 7ec6f59
…llback into one function
Port of Python SDK PR #1317. Add support for the TEST_ENVIRONMENT_TYPE environment variable to control which integration tests run. Supported values: WORKSPACE, UC_WORKSPACE, ACCOUNT, UC_ACCOUNT. Falls back to the existing DATABRICKS_ACCOUNT_ID-based logic when not set. Co-authored-by: Isaac
Port of Python SDK PR #1332. Verifies that EnsureResolved with Experimental_IsUnifiedHost populates account_id and workspace_id from the host metadata endpoint on workspace environments. Co-authored-by: Isaac
Port of Python SDK PR #1331. HostType() no longer returns UnifiedHost; host type is determined solely by URL pattern. EnsureResolved() now always resolves host metadata when a host is configured (not gated behind Experimental_IsUnifiedHost). IsAccountClient() no longer panics on unified hosts. ConfigType() returns WorkspaceConfig for account hosts with WorkspaceID. buildHostCommand() no longer has a UnifiedHost case. getOidcEndpoints() and getOAuthArgument() remove UnifiedHost cases, relying on DiscoveryURL from metadata. The Experimental_IsUnifiedHost field and UnifiedHost const remain in the codebase for backward compatibility but are no longer checked. Note: codegen templates in service/ files still check for UnifiedHost and need to be updated in the codegen repo to use cfg.WorkspaceID directly. Co-authored-by: Isaac
Port of Python SDK PR #1322. Add requiresGcpSaAccessToken() which checks host metadata to determine if a GCP SA access token is needed. For workspace hosts (metadata has workspace_id), the SA token is skipped. For account hosts or when metadata is unavailable, falls back to checking AccountID. GoogleDefaultCredentials and GoogleCredentials now use this metadata-based decision instead of always attempting SA token creation. Co-authored-by: Isaac
7ec6f59 to ecb1dbe
If integration tests don't run automatically, an authorized user can run them manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success.
github-merge-queue bot pushed a commit that referenced this pull request Mar 16, 2026

## 🥞 Stacked PR

Use this [link](https://github.com/databricks/databricks-sdk-go/pull/1542/files) to review incremental changes.

- [**stack/port/resolve-host-metadata-on-init**](#1542) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1542/files)]
- [stack/port/resolve-token-audience-from-metadata](#1543) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1543/files/20b6cd4abc1a3284d586c88f802c4b7df2678062..9893d9cbbfe8baab7f7aeacb8ce7faf49026c86a)]
- [stack/port/gcp-sa-token-non-blocking](#1544) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1544/files/9893d9cbbfe8baab7f7aeacb8ce7faf49026c86a..07e28b7aef05ada2f357f87faa749c6990be8173)]
- [stack/port/test-environment-type](#1545) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1545/files/07e28b7aef05ada2f357f87faa749c6990be8173..0da1b0d546ab8842dffbd50aa55fb136bbeffddf)]
- [stack/port/host-metadata-integration-test](#1546) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1546/files/0da1b0d546ab8842dffbd50aa55fb136bbeffddf..e9854aad19dc522ffe8def175bef3a3eabface2b)]
- [stack/port/remove-unified-flag](#1547) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1547/files/e9854aad19dc522ffe8def175bef3a3eabface2b..fae626deb92c4671a0c8aa0f1e3e6bad1f8c5cc6)]
- [stack/port/gcp-sa-from-metadata](#1548) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1548/files/fae626deb92c4671a0c8aa0f1e3e6bad1f8c5cc6..ecb1dbeed4ed1990a74895c6ced958c05f16ffef)]

---------

## Summary

- Port of Python SDK PR databricks/databricks-sdk-py#1318 and discovery URL fix from PR databricks/databricks-sdk-py#1332
- Extract `applyHostMetadata()` from `resolveHostMetadata()` for reuse during config init
- Call host metadata resolution during `EnsureResolved()` for unified hosts (gated behind `Experimental_IsUnifiedHost`), with non-fatal error handling (warns on failure)
- OIDC endpoint from metadata is now treated as the OIDC root, with `/.well-known/oauth-authorization-server` appended to form the full discovery URL

## Test plan

- `TestEnsureResolved_ResolvesHostMetadata_WhenUnifiedHost` — verifies fields populated from metadata
- `TestEnsureResolved_HostMetadataFailure_NonFatal` — 500 response, config still resolves
- `TestEnsureResolved_HostMetadata_NoOidcEndpoint_NonFatal` — missing oidc_endpoint, no error
- `TestEnsureResolved_HostMetadata_MissingAccountIdWithPlaceholder_Warns` — template needs account_id but missing
- Existing `resolveHostMetadata` tests updated for new discovery URL format

NO_CHANGELOG=true

This pull request was AI-assisted by Isaac.
github-merge-queue bot pushed a commit that referenced this pull request Mar 17, 2026

## 🥞 Stacked PR

Use this [link](https://github.com/databricks/databricks-sdk-go/pull/1543/files) to review incremental changes.

- [**stack/port/resolve-token-audience-from-metadata**](#1543) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1543/files)]
- [stack/port/gcp-sa-token-non-blocking](#1544) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1544/files/01d8ab7988cf049ece2bf295acc9218f6dd82e07..ab7e3d841888a136a21a2c95549392f137d6b523)]
- [stack/port/test-environment-type](#1545) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1545/files/ab7e3d841888a136a21a2c95549392f137d6b523..0e20fea87196f5b177313bfb6c3ef5c8ec678bf0)]
- [stack/port/host-metadata-integration-test](#1546) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1546/files/0e20fea87196f5b177313bfb6c3ef5c8ec678bf0..f9d041dbd73e531215a30dab6b0441d192f4bfb5)]
- [stack/port/remove-unified-flag](#1547) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1547/files/f9d041dbd73e531215a30dab6b0441d192f4bfb5..086adf0511ffbff5cc9edb9dc5159b5dad9b7299)]
- [stack/port/gcp-sa-from-metadata](#1548) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1548/files/086adf0511ffbff5cc9edb9dc5159b5dad9b7299..c8a54deafc36e70c86f869231f8b5d09b044f28f)]

---------

## Summary

- Port of Python SDK PR databricks/databricks-sdk-py#1321
- When host metadata indicates an account host (no workspace_id) and account_id is present, automatically set `TokenAudience` to the account_id if not already configured

## Test plan

- `TestApplyHostMetadata_SetsTokenAudienceForAccountHost` — no workspace_id, has account_id → set
- `TestApplyHostMetadata_NoTokenAudienceForWorkspaceHost` — has workspace_id → not set
- `TestApplyHostMetadata_DoesNotOverrideExistingTokenAudience` — pre-set value preserved

NO_CHANGELOG=true

This pull request was AI-assisted by Isaac.
github-merge-queue bot pushed a commit that referenced this pull request Mar 17, 2026

## 🥞 Stacked PR

Use this [link](https://github.com/databricks/databricks-sdk-go/pull/1544/files) to review incremental changes.

- [**stack/port/gcp-sa-token-non-blocking**](#1544) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1544/files)]
- [stack/port/test-environment-type](#1545) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1545/files/bd038478c97820339e8964bfd74457dabfa945ad..2be31bf5c15ab0d33857e90e8504425f34489d63)]
- [stack/port/host-metadata-integration-test](#1546) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1546/files/2be31bf5c15ab0d33857e90e8504425f34489d63..b950d35820b3aefac7f9f3d12c837ddf5836ed80)]
- [stack/port/remove-unified-flag](#1547) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1547/files/b950d35820b3aefac7f9f3d12c837ddf5836ed80..221415789356aa846dfb0f346d690b67bd5c2aa4)]
- [stack/port/gcp-sa-from-metadata](#1548) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1548/files/221415789356aa846dfb0f346d690b67bd5c2aa4..8130b1f2566f65af5c40439ba1063b7f5f477835)]

---------

## Summary

- Port of Python SDK PR databricks/databricks-sdk-py#1330
- Add `serviceToServiceVisitorWithFallback()` that logs a warning and skips the secondary header when the SA token source fails, instead of returning an error
- `GoogleDefaultCredentials` now always attempts to create an SA token source regardless of config type, falling back gracefully on failure
- `GoogleCredentials` also uses the fallback visitor

## Test plan

- `TestServiceToServiceVisitorWithFallback_BothSucceed`
- `TestServiceToServiceVisitorWithFallback_SecondaryFails_SkipsHeader`
- `TestServiceToServiceVisitorWithFallback_PrimaryFails_ReturnsError`

NO_CHANGELOG=true

This pull request was AI-assisted by Isaac.
github-merge-queue bot pushed a commit that referenced this pull request Mar 18, 2026

## 🥞 Stacked PR

Use this [link](https://github.com/databricks/databricks-sdk-go/pull/1545/files) to review incremental changes.

- [**stack/port/test-environment-type**](#1545) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1545/files)]
- [stack/port/host-metadata-integration-test](#1546) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1546/files/c5bb35f157c24cbeb92396330626119a72cb2de7..996e3f148d614483fbd3302e8c5a75fbf2c32afc)]
- [stack/port/remove-unified-flag](#1547) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1547/files/996e3f148d614483fbd3302e8c5a75fbf2c32afc..5bfb6b121ee68f765a5ed4cb194f58372c9d7bf5)]
- [stack/port/gcp-sa-from-metadata](#1548) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1548/files/5bfb6b121ee68f765a5ed4cb194f58372c9d7bf5..6bfe5a46df8e98136ae1fa675158f5babc50ede4)]

---------

## Summary

- Port of Python SDK PR databricks/databricks-sdk-py#1317
- Add `TEST_ENVIRONMENT_TYPE` environment variable support for integration test filtering
- Supported values: `WORKSPACE`, `UC_WORKSPACE`, `ACCOUNT`, `UC_ACCOUNT`
- Falls back to existing `DATABRICKS_ACCOUNT_ID`-based logic when not set

## Test plan

- Integration test preludes updated; backward compatible with existing CI

NO_CHANGELOG=true

This pull request was AI-assisted by Isaac.
github-merge-queue bot pushed a commit that referenced this pull request Mar 18, 2026

## 🥞 Stacked PR

Use this [link](https://github.com/databricks/databricks-sdk-go/pull/1546/files) to review incremental changes.

- [**stack/port/host-metadata-integration-test**](#1546) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1546/files)]
- [stack/port/remove-unified-flag](#1547) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1547/files/e715791f64e4510f1646cdfe8987b940d68e16a7..51c58114402bcbff9ec1038f50134dc052c89020)]
- [stack/port/gcp-sa-from-metadata](#1548) [[Files changed](https://github.com/databricks/databricks-sdk-go/pull/1548/files/51c58114402bcbff9ec1038f50134dc052c89020..9fc7a606d80f252123f07bed759c3dbb4e5fd864)]

---------

## Summary

- Port of Python SDK PR databricks/databricks-sdk-py#1332 (integration test only)
- Add integration test verifying that `EnsureResolved` populates `account_id` and `workspace_id` from the host metadata endpoint on workspace environments

## Test plan

- `TestHostMetadataResolution` — requires workspace cloud env with `CLOUD_ENV` set

NO_CHANGELOG=true

This pull request was AI-assisted by Isaac.
## 🥞 Stacked PR

Use this link to review incremental changes.

## Summary

- `requiresGcpSaAccessToken()` that uses host metadata to determine if a GCP SA access token is needed
- `workspace_id`) skip SA token entirely
- `AccountID`
- `GoogleDefaultCredentials` and `GoogleCredentials` use this metadata-based decision

## Test plan

- `TestRequiresGcpSaAccessToken_WorkspaceFromMetadata` — workspace host, no SA token needed
- `TestRequiresGcpSaAccessToken_AccountFromMetadata` — account host, SA token needed
- `TestRequiresGcpSaAccessToken_MetadataError_FallsBackToAccountID` — error with account_id
- `TestRequiresGcpSaAccessToken_MetadataError_NoAccountID` — error without account_id
- `TestRequiresGcpSaAccessToken_NoHost_WithAccountID` / `_NoAccountID` — no-host fallback

NO_CHANGELOG=true

This pull request was AI-assisted by Isaac.
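
The decision matrix in the test plan above, combined with the token-audience rule from the earlier PR in this stack, as an added Go example (not the SDK's own code). `config`, `resolve` and the `fetch` hook are hypothetical names, and the metadata fields are assumed to arrive as JSON strings.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// hostMetadata holds the two metadata fields the decision reads (string types assumed).
type hostMetadata struct {
	AccountID   string `json:"account_id"`
	WorkspaceID string `json:"workspace_id"`
}
// config is a hypothetical stand-in for the SDK's Config.
type config struct{ Host, AccountID, TokenAudience string }

// resolve applies host metadata to cfg and reports whether a GCP SA access
// token is required. fetch is a hypothetical hook returning the metadata JSON;
// failures are non-fatal: warn is logged and the decision falls back to AccountID.
func resolve(cfg *config, fetch func(host string) ([]byte, error)) (needsSAToken bool, warn error) {
	fallback := cfg.AccountID != ""
	if cfg.Host == "" {
		return fallback, nil
	}
	raw, err := fetch(cfg.Host)
	if err != nil {
		return fallback, fmt.Errorf("host metadata unavailable: %w", err)
	}
	var md hostMetadata
	if err := json.Unmarshal(raw, &md); err != nil {
		return fallback, fmt.Errorf("host metadata unreadable: %w", err)
	}
	if md.WorkspaceID != "" {
		return false, nil // workspace host: skip the SA token entirely
	}
	if cfg.AccountID == "" {
		cfg.AccountID = md.AccountID // fill only when unset (assumption)
	}
	if cfg.TokenAudience == "" && md.AccountID != "" {
		cfg.TokenAudience = md.AccountID // never override a user-set audience
	}
	return cfg.AccountID != "", nil
}

func main() {
	// Constructed metadata body, not captured from a real host.
	cfg := &config{Host: "https://example.invalid"}
	need, _ := resolve(cfg, func(string) ([]byte, error) { return []byte(`{"account_id":"acc-1"}`), nil })
	fmt.Printf("account host: SA token=%v audience=%q\n", need, cfg.TokenAudience)
}
```

The fallback path is the one to watch in logs: a metadata outage changes which credentials are attached, so the returned warning should be surfaced rather than dropped.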