Skip to content

feat(go/adbc/databricks): add azure-client-secret (Entra ID service principal) auth#143

Open
r-jais wants to merge 2 commits into
mainfrom
feat/databricks-azure-client-secret-auth
Open

feat(go/adbc/databricks): add azure-client-secret (Entra ID service principal) auth#143
r-jais wants to merge 2 commits into
mainfrom
feat/databricks-azure-client-secret-auth

Conversation

@r-jais

@r-jais r-jais commented Jul 6, 2026

Copy link
Copy Markdown

What

Adds Azure/Microsoft Entra ID service-principal authentication to the Databricks driver: a new azure-client-secret auth_type and databricks.azure.client_id / databricks.azure.client_secret / databricks.azure.tenant_id options.

How

The new auth case builds a databricks-sdk-go Config with AzureClientSecretCredentials{} and passes it to dbsql.WithAuthenticator. *config.Config satisfies databricks-sql-go's auth.Authenticator, so the SDK attaches the AAD bearer token (Authorization) and the X-Databricks-Azure-SP-Management-Token header on every request — mirroring dbt-databricks/databricks-sdk-py. azure_tenant_id is optional and discovered from the workspace's /aad/auth redirect when absent. databricks-sdk-go is promoted to a direct dependency.

Compatibility

Additive: pat / oauth-m2m / external-browser dispatch is unchanged; IsAzure() gates the new path to Azure workspaces. No changes to the databricks-sql-go fork.

Tests

New azure_auth_test.go (option wiring, missing-field errors, tenant parsing across Azure clouds). Existing driver tests pass (the pre-existing TestIPCReaderAdapter panic is unrelated — fails on clean main).

For dbt-core#13986.

Add Azure service-principal (Microsoft Entra ID) authentication to the
Databricks driver via a new "azure-client-secret" auth_type and
databricks.azure.client_id / client_secret / tenant_id options.

The new auth case builds a databricks-sdk-go Config with
AzureClientSecretCredentials and passes it to dbsql.WithAuthenticator;
*config.Config satisfies databricks-sql-go's auth.Authenticator, so the SDK
attaches both the AAD bearer token and the X-Databricks-Azure-SP-Management-Token
header. azure_tenant_id is optional and discovered from the workspace's
/aad/auth redirect when absent. databricks-sdk-go promoted to a direct
dependency.

Additive: pat / oauth-m2m / external-browser paths are unchanged. For
dbt-core#13986.
Comment thread go/adbc/driver/databricks/database.go Outdated

// newAzureClientSecretAuthenticator builds a databricks-sdk-go Config configured
// for Azure service-principal (Microsoft Entra ID) authentication. *config.Config
// implements databricks-sql-go's auth.Authenticator via its Authenticate method, so

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a lot of this is boilerplate we can remove. keep the super specific domain lore though

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trimmed!

Comment thread go/adbc/driver/databricks/database.go Outdated

// discoverAzureTenantID resolves the Microsoft Entra ID tenant for an Azure
// Databricks workspace from the unauthenticated <host>/aad/auth redirect, mirroring
// databricks-sdk's tenant discovery. Only used when azure_tenant_id is not supplied.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this logic actually be arrow adbc? What's the rationale?

I don't love the idea of making adhoc runtime asks for connection either. Might not be able to be helped though I suppose.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed the discovery from the driver here. Tenant resolution (explicit or /aad/auth discovery) now lives upstream in fs dbt-auth

Comment thread go/adbc/driver/databricks/database.go Outdated
Comment thread go/adbc/driver/databricks/database.go Outdated
return "", err
}
defer resp.Body.Close()
if resp.StatusCode/100 != 3 {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this safe (I'm bad at Go and don't have all the coercion rules in my brain)

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was, but obsolete now

AzureClientID: d.azureClientID,
AzureClientSecret: d.azureClientSecret,
AzureTenantID: tenantID,
Credentials: sdkconfig.AzureClientSecretCredentials{},

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this work / fail for different users who have special overrides? Any live infra testing here so we can know how this performs?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Posted on channel for DBX Azure SP credentials (could only find PAT ones in vault that I have access to)

@r-jais
r-jais force-pushed the feat/databricks-azure-client-secret-auth branch from 4f10400 to fb5423e Compare July 8, 2026 10:14
}
}

cfg := &sdkconfig.Config{

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice!

There's quite a few additional fields, can we permalink these docs?
https://github.com/databricks/databricks-sdk-go/blob/main/README.md#azure-native-authentication

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants