Databricks OIDC token federation for AWS IAM#69509
Conversation
|
Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide
|
86ab9b5 to
dae8e8c
Compare
dae8e8c to
826edcc
Compare
|
I refactored this PR against #69272 - given that the connection already supports other cloud based identity schemes I extended it to support AWS STS as well. However, if it's preferred based on the above PR's supplied OIDC callable changes that other Databricks supported OIDC sources remain user custom I am also happy to close this PR. |
826edcc to
0de5aa1
Compare
That is a question for Databricks experts cc @moomindani |
moomindani
left a comment
There was a problem hiding this comment.
Reviewed this PR, including checking out the branch and verifying it locally. Sharing my take as an individual working with these hooks — this is my personal technical opinion, not an official position.
On the built-in vs. user-custom question: I think built-in is the right call, and this PR is worth moving forward.
Some history that I believe settles most of the question:
- When the Kubernetes federation path (#61458) was being developed, its author explicitly announced the roadmap in #54291: Kubernetes first, then AWS STS outbound federation next. This PR is that announced next step, not scope creep — and merging it would also answer the still-open question in #54291 about what remains after #61458.
- The hook already ships three Azure-specific built-in auth paths (SPN, managed identity, default Azure credential) plus the Kubernetes one. Leaving AWS as the only major platform whose users must hand-roll a token callable would be asymmetric, and Airflow-on-AWS (MWAA, EC2, EKS) is one of the largest deployment bases for Databricks users.
- The optional cross-provider
amazonextra follows an established pattern — google, mysql, postgres, and teradata providers already declare the same optional dependency. The import is lazy with a cleanAirflowOptionalProviderFeatureException, so environments without the amazon provider are unaffected. - I don't read #69272 as a mandate that cloud-specific sources stay user-custom. Its callable is the escape hatch for issuers Airflow does not model; a tested, documented first-class path for the most common platform complements it rather than competing with it. Asking every AWS deployment to write and maintain its own boto3 callable would be strictly worse UX for the same result.
A few checks I did beyond what CI covers (the unit tests mock StsHook, so CI never exercises the real API contract):
- The
GetWebIdentityTokencall matches the current botocore service model exactly (Audiencelist andSigningAlgorithmrequired,WebIdentityTokenin the output), and the chosen defaults — audience"databricks",RS256, 300 seconds — match the reference implementation in the Databricks AWS IAM federation guide parameter for parameter, including the documented IAM policy conditions (sts:IdentityTokenAudience=databricks, duration <= 300s). apache-airflow-providers-amazon>=9.22.0is precisely the first release that shipsboto3>=1.41.0, so both the pin and the fallback error message for older SDKs are accurate.- On the Databricks side, the token-exchange path (
/oidc/v1/token, RFC 8693,client_idswitching between service-principal and account-wide federation policies) is the same code already validated end-to-end against a real workspace in #69272 — this PR only swaps in a different subject-token source, and the author's documented integration test covers the full AWS flow.
Two small non-blocking nits as inline comments. LGTM once the docstring is touched up.
Drafted-by: Claude Code (Fable 5); reviewed by @moomindani before posting
0de5aa1 to
0f5c29f
Compare
|
Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions. |
Extends the Databricks provider hook with OIDC token federation for Airflow running with AWS credentials, parallel to the existing Kubernetes path (#61458). The hook mints an AWS-signed OIDC JWT via AWS STS
GetWebIdentityTokenand exchanges it for a Databricks service-principal token using the same RFC 8693 exchange asfederated_k8s— only the JWT source differs. Like the Kubernetes path it stores no secrets in the connection; identity comes from the caller's assumed IAM role. Setlogin=federated_awsand provideclient_idandaws_conn_idin the connection extra. See the Databricks AWS IAM workload identity federation guide.Integration testing
Verified end-to-end against a real workspace with this connection (no secrets stored) and DAG:
{ "conn_type": "databricks", "host": "<workspace>.cloud.databricks.com", "login": "federated_aws", "extra": { "client_id": "<databricks-sp-client-id>", "aws_conn_id": "<aws_conn_id>" } }Requires outbound web identity federation enabled on the AWS account, the role granted
sts:GetWebIdentityToken, and a Databricks service-principal federation policy whosesubjectis the role ARN andaudiencesis["databricks"].Was generative AI tooling used to co-author this PR?
Generated-by: Claude Code (Opus 4.8) following the guidelines
{pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.Important
🛠️ Maintainer triage note for @allenc97 · by
@potiuk· 2026-07-15 16:00 UTCSome review feedback from
@eladkalis waiting on you (see our Pull Request quality criteria):The ball is in your court — you've been assigned to this PR. Reply or push a fix in each thread, then mark them resolved.
Automated triage — may be imperfect; a maintainer takes the next look.